By Christopher Moschella, CPA, CISA, Risk Advisory Services Senior Manager
Note: Important Change as of November 2021
The Department of Defense announced a major overhaul to the Cybersecurity Maturity Model Certification (CMMC) program. No new contracts will feature CMMC compliance requirements until the Department completes its rulemaking process for CMMC 2.0. Read our summary of the changes, Goodbye CMMC 1.0, Hello CMMC 2.0. For more detailed information, visit the CMMC website.
Keiter’s Cybersecurity team will continue to monitor the rollout of the CMMC program and update you on new information and changing requirements for DoD contractors.
Editor’s note: This article is one of a series of articles about the CMMC Maturity Level (ML) 1 Practices. In these articles we dive into the CMMC Practice Guides and provide our thoughts about the practices and what contractors should consider. The CMMC ecosystem is still developing, and as those developments occur, we will update these articles accordingly. As such, we hope that these articles represent an evergreen CMMC ML-1 resource.
Key to Success
IT auditors prefer to work from system-generated populations whenever they are available. For access control, organizations should be able to produce system-generated lists of new, disabled, and modified users, and each entry in those populations should carry the timestamp at which the change took place.
Practice Number: AC.L1-3.1.2
Practice: Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
Overview of PE.L1-3.10.3
The main focus of this practice is the protection of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) through escorting and monitoring visitors.
A common cybersecurity adage states that each device that connects to your network is a possible attack surface. Organizations therefore implement security controls to ensure only authorized devices and users can access their systems. This concept also applies to physical access. Each guest that enters your building could be a threat actor seeking to gain access to sensitive spaces or data, so the CMMC has implemented standards that companies must follow to ensure all guests are known and their actions are monitored throughout their visit.
Who Qualifies as a Visitor?
One significant distinction that is addressed by this practice is the difference between authorized, perpetual access and visitor access. For example, if your organization employs contractors that require persistent, regular access to your building, their access requirements would likely be reviewed, approved, and established during your organization’s onboarding procedures.
Practice PE.L1-3.10.3 is only concerned with the physical security controls that organizations implement for visitors such as clients, vendors, employees’ personal contacts, and other guests to the building, that is, encounters that do not occur on a regular basis.
To best put practice PE.L1-3.10.3 in action, visitors should be easily identified by your staff [a, b].
Many vendors require their employees to wear company-branded clothes such as polos or t-shirts, but organizations should not rely on this marker alone. Terminated vendor employees, for example, could wear old company clothing and claim to be making a visit at their former employer’s behest. One way to mitigate this risk and show your staff that visitors have been vetted is to require that they check in, usually at a front desk, and receive a visitor badge to wear throughout their visit. Organizations could also consider requiring visitors to show photo IDs, such as professional badges or driver’s licenses, prior to signing a visitor log and receiving a badge. This is a more common step for organizations with elevated security concerns, such as schools or government facilities.
Once visitors have been identified by your organization, they should be escorted by an employee throughout their visit [a].
To pass PE.L1-3.10.3, your organization should have a formal policy in place that establishes this requirement. Any evidence that demonstrates escorting actually occurs will be reviewed as part of the assessment of practice PE.1.133 (the CMMC 1.0 number for this same practice).
[a] the types of transactions and functions that authorized users are permitted to execute are defined; and
[b] system access is limited to the defined types of transactions and functions for authorized users.
As part of escorting visitors, your employees should also monitor the activities being performed by visitors to ensure they are only interacting with spaces and data they are authorized to see [b]. For example, sometimes vendors such as technical support staff are required to sign in once they enter their customer’s buildings, but once they arrive, they are able to roam freely throughout the building. Without proper physical safeguards in place, these individuals could gain access to computers, networking closets, or other spaces with FCI/CUI. To mitigate this risk, it is imperative that visitors to your building are always escorted and monitored.
Organizations can implement several monitoring techniques to track where visitors are going and where they have been. These can include, but are not limited to:
- Security cameras installed at building entrances and exits
- Visitor logs, both in common areas and high-risk areas (such as server rooms)
- Badging systems
- PIN pads
- Biometric devices
As is the case with escorting visitors, CMMC assessors will want to see documentation from these systems as part of the assessment of PE.1.133 to demonstrate that your organization monitors visitors as they move through your facilities.
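One way to turn badging-system records into the kind of evidence described above is to reconcile visitor badge swipes at high-risk doors against the escort named in the visitor log. The following is an added example, not code from the article or from any badging product; the visitor log, the badge events, the badge-id prefixes and the 60-second escort window are all constructed assumptions.

```python
"""Added example (not from the article): check constructed badge-reader events to
confirm that every visitor entry into a high-risk area had an escort swipe nearby."""
from datetime import datetime, timedelta

# Constructed visitor log: visitor badge id -> name and the employee badge assigned as escort.
VISITOR_LOG = {
    "V-101": {"name": "Vendor Tech", "escort": "E-07"},
    "V-102": {"name": "Client Rep", "escort": "E-12"},
}

# Constructed badge-reader events: (ISO timestamp, badge id, door). Visitor badges are
# assumed to start with "V-" and employee badges with "E-".
BADGE_EVENTS = [
    ("2021-11-02T09:00:10", "V-101", "LOBBY"),
    ("2021-11-02T09:00:15", "E-07", "LOBBY"),
    ("2021-11-02T09:20:00", "E-07", "SERVER-ROOM"),
    ("2021-11-02T09:20:04", "V-101", "SERVER-ROOM"),      # escorted: E-07 swiped 4s earlier
    ("2021-11-02T10:05:00", "V-102", "LOBBY"),
    ("2021-11-02T10:30:00", "V-102", "NETWORK-CLOSET"),   # no escort swipe at that door
    ("2021-11-02T10:31:00", "V-999", "SERVER-ROOM"),      # visitor badge not in the log
]
# Doors guarding spaces that hold FCI/CUI (constructed names).
HIGH_RISK_DOORS = {"SERVER-ROOM", "NETWORK-CLOSET"}
ESCORT_WINDOW = timedelta(seconds=60)


def find_unescorted_entries(events, visitor_log, high_risk_doors, window=ESCORT_WINDOW):
    """Return (timestamp, badge, door, reason) tuples for visitor swipes at high-risk
    doors that lack a swipe by the assigned escort at the same door within `window`."""
    parsed = [(datetime.fromisoformat(ts), badge, door) for ts, badge, door in events]
    findings = []
    for ts, badge, door in parsed:
        if not badge.startswith("V-") or door not in high_risk_doors:
            continue
        entry = visitor_log.get(badge)
        if entry is None:
            findings.append((ts.isoformat(), badge, door, "visitor badge not in visitor log"))
            continue
        escorted = any(b == entry["escort"] and d == door and abs(t - ts) <= window
                       for t, b, d in parsed)
        if not escorted:
            findings.append((ts.isoformat(), badge, door,
                             f"no swipe by escort {entry['escort']} within {window.seconds}s"))
    return findings


if __name__ == "__main__":
    for finding in find_unescorted_entries(BADGE_EVENTS, VISITOR_LOG, HIGH_RISK_DOORS):
        print(*finding)
```

Running the block reports two findings: the V-102 entry into the network closet with no escort swipe, and the unknown badge V-999 at the server room.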
So long as your organization ensures visitors are escorted and their activities monitored, this practice should not be a challenging one to pass. The most successful implementations typically rely on management creating policies that clearly address physical security procedures and regularly educating and reminding staff about why they are important.
Many DoD contractors will not have the expertise or resources needed to perform a CMMC readiness assessment, identify the gaps, and develop corrective action plans. In these cases, the contractors are turning to cybersecurity consultants with knowledge of NIST and the CMMC framework. If you want to learn more about CMMC, Keiter’s team of cybersecurity specialists can help you. Email | Call: 804.747.0000.
Our team will continue to monitor the rollout of the CMMC program and update you on new information and changing requirements for DoD contractors.
The information contained within this article is provided for informational purposes only and is current as of the date published. Online readers are advised not to act upon this information without seeking the service of a professional accountant, as this article is not a substitute for obtaining accounting, tax, or financial advice from a professional accountant.