By Keiter CPAs
Note: Important Change as of November 2021
The Department of Defense announced a major overhaul to the Cybersecurity Maturity Model Certification (CMMC) program. No new contracts will feature CMMC compliance requirements until the Department completes its rulemaking process for CMMC 2.0. Read our summary of the changes, Goodbye CMMC 1.0, Hello CMMC 2.0. For more detailed information, visit the CMMC website.
Keiter’s Cybersecurity team will continue to monitor the rollout of the CMMC program and update you on new information and changing requirements for DoD contractors.
Editor’s note: This article is one of a series of articles about the CMMC Maturity Level (ML) 1 Practices. In these articles we dive in to the CMMC Practice Guides and provide our thoughts about the practices and what contractors should consider. The CMMC ecosystem is still developing, and as those developments occur, we will update these articles accordingly. As such, we hope that these articles represent an evergreen CMMC ML-1 resource.
| Practice |
|---|
| Practice: PE.L1-3.10.3 – Escort visitors and monitor visitor activity. |
| Assessment Objectives |
|---|
| Determine if: |
| [a] visitors are escorted; and |
| [b] visitor activity is monitored. |
Overview of PE.L1-3.10.3
The main focus of this practice is the protection of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) through escorting and monitoring visitors.
A common cybersecurity adage states that each device that connects to your network is a possible attack surface. Organizations therefore implement security controls to ensure only authorized devices and users can access their systems. This concept also applies to physical access. Each guest that enters your building could be a threat actor seeking to gain access to sensitive spaces or data, so the CMMC has implemented standards that companies must follow to ensure all guests are known and their actions are monitored throughout their visit.
Who Qualifies as a Visitor?
One significant distinction that is addressed by this practice is the difference between authorized, perpetual access and visitor access. For example, if your organization employs contractors that require persistent, regular access to your building, their access requirements would likely be reviewed, approved, and established during your organization’s onboarding procedures.
Practice PE.L1-3.10.3 is only concerned with the physical security controls that organizations implement for visitors such as clients, vendors, employee personal contacts, and other guests to the building – all encounters which do not occur on a regular basis.
Identifying Visitors
To best put practice PE.L1-3.10.3 in action, visitors should be easily identified by your staff [a, b].
Many vendors require their employees to wear company-branded clothes such as polos or t-shirts, but organizations should not rely on this marker alone. Terminated vendor employees, for example, could wear old company clothing and claim to be making a visit at their former employer’s behest. One way to mitigate this risk and show your staff that visitors have been vetted is to require that they check in, usually at a front desk, and receive a visitor badge to wear throughout their visit. Organizations could also consider requiring visitors to show photo IDs, such as professional badges or driver’s licenses, prior to signing a visitor log and receiving a badge. This is a more common step for organizations with elevated security concerns, such as schools or government facilities.
Escorting Visitors
Once visitors have been identified by your organization, they should be escorted by an employee throughout their visit [a].
To pass PE.L1-3.10.3, your organization should have a formal policy in place that establishes this requirement. Any evidence that demonstrates this occurs will be reviewed as part of the assessment of practice PE.1.133.
| Piggybacking or Tailgating |
|---|
| While these terms sound like fun, their repercussions are not. Piggybacking (also known as tailgating) occurs when an employee or other trusted individual enters a space, such as a lobby or secure building wing, and either holds the door open for the person behind them or the piggybacker follows closely enough behind that they can enter the space before the door closes (either with or without the employee’s consent). The visitor can then gain access to spaces, and consequently data or devices stored therein, that they are not authorized to observe. Piggybacking is effective because it takes advantage of employees’ goodwill and desire to not appear rude. Therefore, it is imperative that organizations stress the importance of verifying the identity of any guests to the building and only allow individuals with prior authorization to enter spaces where FCI or CUI might be present. |
Monitoring Visitors
As part of escorting visitors, your employees should also monitor the activities being performed by visitors to ensure they are only interacting with spaces and data they are authorized to see [b]. For example, sometimes vendors such as technical support staff are required to sign in once they enter their customer’s buildings, but once they arrive, they are able to roam freely throughout the building. Without proper physical safeguards in place, these individuals could gain access to computers, networking closets, or other spaces with FCI/CUI. To mitigate this risk, it is imperative that visitors to your building are always escorted and monitored.
Organizations can implement several monitoring techniques to track where visitors are going and where they have been. These can include, but are not limited to:
- Security cameras installed at building entrances and exits
- Visitor logs, both in common areas and high-risk areas (such as server rooms)
- Badging systems
- PIN pads
- Biometric devices
As is the case with escorting visitors, CMMC assessors will want to see documentation from these systems as part of the assessment of PE.1.133 to demonstrate that your organization monitors visitors as they move through your facilities.
Conclusion
So long as your organization ensures visitors are escorted and their activities monitored, this practice should not be a challenging one to pass. The most successful implementations typically rely on management creating policies that clearly address physical security procedures and regularly educating and reminding staff about why they are important.
Many DoD contractors will not have the expertise or resources needed to perform a CMMC 
readiness assessment, identify the gaps, and develop corrective action plans. In these cases, the contractors are turning to cybersecurity consultants with knowledge of NIST and the CMMC framework. If you want to learn more about CMMC, Keiter’s team of cybersecurity specialists can help you. Email | Call: 804.747.0000.
Our team will continue to monitor the rollout of the CMMC program and update you on new information and changing requirements for DoD contractors.
About the Author
Keiter CPAs
Keiter CPAs is a certified public accounting firm serving the audit, tax, accounting and consulting needs of businesses and their owners located in Richmond and across Virginia. We focus on serving emerging growth businesses and companies in the financial services, construction, real estate, manufacturing, retail & distribution industries and nonprofits. We also provide business valuations and forensic accounting services, family office services, and inbound international services.
More Insights from Keiter CPAsThe information contained within this article is provided for informational purposes only and is current as of the date published. Online readers are advised not to act upon this information without seeking the service of a professional accountant, as this article is not a substitute for obtaining accounting, tax, or financial advice from a professional accountant.
