DoD Contractor Considerations for CMMC Practice Guide PE.L1-3.10.1

By Christopher Moschella, CPA, CISA, Risk Advisory Services Senior Manager

DoD Contractor Considerations for CMMC Practice Guide PE.L1-3.10.1

Note: Important Change as of November 2021
The Department of Defense announced a major overhaul to the Cybersecurity Maturity Model Certification (CMMC) program. No new contracts will feature CMMC compliance requirements until the Department completes its rulemaking process for CMMC 2.0. Read our summary of the changes, Goodbye CMMC 1.0, Hello CMMC 2.0. For more detailed information, visit the CMMC website.

Keiter’s Cybersecurity team will continue to monitor the rollout of the CMMC program and update you on new information and changing requirements for DoD contractors.

Editor’s note: This article is one of a series of articles about the CMMC Maturity Level (ML) 1 Practices. In these articles we dive in to the CMMC Practice Guides and provide our thoughts about the practices and what contractors should consider. The CMMC ecosystem is still developing, and as those developments occur, we will update these articles accordingly. As such, we hope that these articles represent an evergreen CMMC ML-1 resource.

Practice Number: AC.L1-3.1.1
Practice: Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
Assessment Objectives
Determine if:
[a] authorized users are identified;
[b] processes acting on behalf of authorized users are identified;
[c] devices (and other systems) authorized to connect to the system are identified;
[d] system access is limited to authorized users;
[e] system access is limited to processes acting on behalf of authorized users; and
[f] system access is limited to authorized devices (including other systems).

Overview of PE.L1-3.10.1

Practice PE.L1-3.10.1 is primarily concerned with ensuring that Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) data are protected through physical means [b, c, d], and that physical access to data is restricted to authorized individuals to include employees, vendors, and visitors who should have access to it [a].

Practice Scoping: Identification of Physical Spaces and Devices

To ensure your organization complies with this practice, your organization must identify the physical assets which are in scope. Only once the physical assets are identified will an organization be able to document how those assets are protected. The practice identifies three types of assets that require physical protections.

  • Organizational systems are data repositories and programs which process data [b].
    • Examples include applications, databases, cloud platforms, and SaaS (software as a service).
  • Equipment includes physical devices that process or store data [c].
    • Examples include servers, laptops, fax machines, and other IT devices.
  • Operating environments are spaces where data are processed or stored [d].
    • Examples include server rooms, laboratories, networking closets, and production floors.

Although the CMMC standard identifies the three classes of physical assets, we do not recommend organizations ruminate too extensively trying to force an asset into a category. The categories are identified to show the types of assets that are in scope for the practice, rather than to create an administrative burden trying to classify every physical device into one of three categories.

Identifying Access Granted to Authorized Individuals

Having determined where FCI/CUI is physically stored, your organization will then need to identify the employees, vendors, and visitors with access to the organizational systems, equipment, and environments that hold the data [a].

There are multiple types of reports which can be useful during this part of the process. If your organization has an office building, a building manager or other appropriate staff should consider keeping an inventory of physical access to different parts of the building. This can include reports from badging or PIN systems or key inventories.

For example, a badging system configured to limit access to a server room (operating environment) should be able to generate a list of all badges issued that would permit physical entry to the server room and to whom they were issued.

Common Pitfall
Organizations going through compliance efforts for the first time frequently have multiple departments with individuals responsible for granting access to different systems.

We often see organizations where IT departments are responsible for granting access to infrastructure systems like networks and email, and service delivery teams are responsible for granting access to the specialized software used to service clients. In our experience, organizations that can consolidate the compliance responsibilities for access controls to as few departments as possible have the most success.

Methods to Limit Physical Access

Management should also understand and document the ways in which access to organization systems, equipment, and operational environments is restricted. There are many examples that can satisfy the requirement, including:

  • Storing FCI/CUI documents in a separate wing of the building that is restricted by a badging system.
  • Requiring employees to enter a PIN to gain access to the building.
  • Using security guards or video cameras to monitor individuals that access the facility.
  • Training employees to not allow tailgaters to follow authorized individuals into the building.

Subservice Providers

All CMMC practices, including PE.L1-3.10.1, are applicable wherever the FCI/CUI lives, whether it is in a system or facility that is controlled by the contractor/subcontractor or a subservice provider.

Accordingly, CMMC assessors will need to see how the practices your organization have inherited from your External Service Providers (ESP) have been implemented.  To avoid needing to separately assess their ESPs, most organizations will opt to use ESPs that already have certifications, such as CMMC and FedRamp, that grant reciprocity over the related practice.


This practice is fairly straight-forward. Organizations should consider the types of data being stored and verify that the people who access or store the data should have access to it. If your organization retains appropriate records which demonstrate that FCI and CUI are being stored and processed using physical security methods, and that only authorized individuals can physically access the data, your organization shouldn’t have trouble passing this practice.

Interested in learning more about CMMC services for your defense contracts? Contact us. We are here to help.

Understanding the DoD’s Cybersecurity Maturity Model Certification (CMMC)

Share this Insight:

About the Author

Christopher Moschella

Christopher Moschella, CPA, CISA, Risk Advisory Services Senior Manager

Chris is a Senior Manager in Keiter’s Risk Advisory Services. Chris has a strong combination of IT skills, which range from IT audit and internal control assessments, including general computer controls and application controls, to full stack web development. Most recently, Chris developed a Cybersecurity web application that assesses an organization’s resistance to social engineering attacks. Chris shares his cybersecurity insights on our blog.

More Insights from Christopher Moschella

The information contained within this article is provided for informational purposes only and is current as of the date published. Online readers are advised not to act upon this information without seeking the service of a professional accountant, as this article is not a substitute for obtaining accounting, tax, or financial advice from a professional accountant.


Contact Us