DoD Contractor Considerations for CMMC Practice Guide PE.L1-3.10.1

By Christopher Moschella, CPA, CISA, Risk Advisory Services Senior Manager

DoD Contractor Considerations for CMMC Practice Guide PE.L1-3.10.1

Editor’s note: This article is one of a series of articles about the CMMC Level 1 Practices. In these articles we dive into the CMMC Practice Guides and provide our thoughts about the practices and what contractors should consider. The CMMC ecosystem is still developing, and as those developments occur, we will update these articles accordingly. As such, we hope that these articles represent an evergreen CMMC Level 1 resource.

 

Practice
PE.L1-3.10.1 – Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
Assessment Objectives
Determine if:
[a] authorized individuals allowed physical access are identified;
[b] physical access to organizational systems is limited to authorized individuals;
[c] physical access to equipment is limited to authorized individuals; and
[d] physical access to operating environments is limited to authorized individuals.
(source: CMMC ML-1 Assessment Guide)

 

Overview of PE.L1-3.10.1

Practice PE.L1-3.10.1 is primarily concerned with ensuring that Organizations Seeking Certification (OSCs) protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) through physical means [b, c, d], and that physical access to data is restricted to authorized individuals to include employees, vendors, and visitors who should have access to it [a].

Practice Scoping: Identification of Physical Spaces and Devices

To ensure your organization complies with this practice, your organization must identify the physical assets which are in scope. Only once the physical assets are identified will an organization be able to document how those assets are protected. The practice identifies three types of assets that require physical protections.

  • Organizational systems are data repositories and programs which process data [b].
    • Examples include applications, databases, cloud platforms, and SaaS (software as a service).
  • Equipment includes physical devices that process or store data [c].
    • Examples include servers, laptops, fax machines, and other IT devices.
  • Operating environments are spaces where data are processed or stored [d].
    • Examples include server rooms, laboratories, networking closets, and production floors.

Although the CMMC standard identifies the three classes of physical assets, we do not recommend organizations ruminate too extensively trying to force an asset into a category. The categories are identified to show the types of assets that are in scope for the practice, rather than to create an administrative burden trying to classify every physical device into one of three categories.

Identify Authorized Individuals

Having determined where FCI/CUI is physically stored, your organization then needs to identify the employees, vendors, and visitors who are authorized to access in-scope organizational systems, equipment, and environments [a].

As with access to systems, the company should have policies and procedures for:

  1. Requesting, approving, and granting access to authorized individuals requiring access.
  2. Removing access to individuals that no longer require physical access, usually initiated by the end of employment or a contract.
  3. Changing individuals access, usually associated with a promotion or transfer.

Not to be confused with… The CMMC contains many practices and assessment objectives that are easily conflated, and this is no exception. Assessment Objective [a] in practice PE.L1-3.10.5 deals with identification of physical access devices, issued and unissued (like electronic badges), that would enable a user to have physical access. However, Assessment Objective [a] of this practice, PE.L1-3.10.1, requires the identification of the individuals who should have access to organizational systems, equipment, and operating environments. The key distinction: what physical access they should have (PE.L1-3.10.5) versus what they do have.

In addition to these preventative processes, OSC’s should supplement them with detective review processes.

Accordingly, a critically important internal control process that just so happens to generate the exact documentation required for assessment objective [a] of this practice is a periodic physical access review.

Physical access reviews are a periodic (usually quarterly) review process wherein every individual’s physical access is internally reviewed by knowledgeable staff.

Data Sources for Physical Access Reviews If the OSC uses a badging system, that system is the ideal source of who has what access. That list, however, may be supplemented by manually maintained list of more analog control measures, such as a traditional key. For example, if an organization has their own server room, the server racks may have additional locks that restrict who can access specific servers.

These processes can take different shapes and may depend on the integration of badging data into identity and access management systems, the number of physical locations, extent of the use of physical keys, and more.

However, the process typically starts with the generation of a consolidated list or lists of physical access that people have.

That list is stratified based on the person’s supervisor, and supervisors receive lists of individuals and their access to review. If the access is inappropriate, then a change process should be kicked off to modify the access, as appropriate.

When the process is complete, OSC’s should have generated a consolidated list of individuals who are authorized to access different physical areas that contain organizational systems, equipment, and operating environments.

Methods to Limit Physical Access

The second part of the practice is to actually limit access to organizational systems, equipment, and operating environments to the authorized individuals. Management should also understand and document the ways in which access to organization systems, equipment, and operational environments is restricted. There are many examples that can satisfy the requirement, including:

  • Storing FCI/CUI documents in a separate wing of the building that is restricted by a badging system.
  • Requiring employees to enter a PIN to gain access to the building.
  • Using security guards or video cameras to monitor individuals that access the facility.
  • Training employees to not allow tailgaters to follow authorized individuals into the building.

Subservice Providers

All CMMC practices, including PE.L1-3.10.1, are applicable wherever the FCI/CUI lives, whether it is in a system or facility that is controlled by the contractor/subcontractor or a subservice provider.

Accordingly, CMMC assessors will need to see how the practices your organization have inherited from your External Service Providers (ESP) have been implemented. To avoid needing to separately assess their ESPs, most organizations will opt to use ESPs that already have certifications, such as CMMC and FedRAMP, that grant reciprocity over the related practice.

Property Management Companies

Many businesses lease a portion of a building. In many of those situations, the lessor provides a property management function to maintain the physical space. In many cases, property management staff have access, either through physical keys or electronic key cards that grant them access to any location within the building. This creates a host of risks:

  1. Risk the property management company did not deactivate the employee’s badge access prior to separation
  2. Risk the property management company employee created a fictitious employee badge before separating
  3. Risk the property management company employee made copies of physical keys
  4. Risk that the property management company employee copied down OSC employee physical access pin codes before separating

All this adds up to the conclusion that the solution with the fewest risks is to work with the property management company to disable their ability to grant themselves access to in-scope physical spaces and treat them as visitors (see PE.L1-3-10.3 – Escort Visitors). If it is not possible to limit their access to the badging system, then organizations need to get creative. Once option is simply adding a secondary lock only the OSC’s team can open.

Conclusion

This practice is straight-forward conceptionally: Know who is authorized to physically access different assets and areas and prevent unauthorized physical access.

For some organizations, it will be straight forward practically as well. However, many OSCs will have to carefully navigate a cacophony of confounding conditions that will complicate their compliance.

 

Many DoD contractors will not have the expertise or resources needed to perform a CMMC CMMC RPOreadiness assessment, identify the gaps, and develop corrective action plans. In these cases, the contractors are turning to cybersecurity consultants with knowledge of NIST and the CMMC framework. If you want to learn more about CMMC, Keiter’s team of cybersecurity specialists can help you. Email | Call: 804.747.0000.

Our team will continue to monitor the rollout of the CMMC program and update you on new information and changing requirements for DoD contractors.

Understanding the DoD’s Cybersecurity Maturity Model Certification (CMMC)

 

Share this Insight:

About the Author


Christopher Moschella

Christopher Moschella, CPA, CISA, Risk Advisory Services Senior Manager

Chris is a Senior Manager in Keiter’s Risk Advisory Services. Chris has a strong combination of IT skills, which range from IT audit and internal control assessments, including general computer controls and application controls, to full stack web development. Most recently, Chris developed a Cybersecurity web application that assesses an organization’s resistance to social engineering attacks. Chris shares his cybersecurity insights on our blog.

More Insights from Christopher Moschella

The information contained within this article is provided for informational purposes only and is current as of the date published. Online readers are advised not to act upon this information without seeking the service of a professional accountant, as this article is not a substitute for obtaining accounting, tax, or financial advice from a professional accountant.

Categories

Contact Us