DoD Contractor Considerations for CMMC Practice Guide PE.L1-3.10.3

By Christopher Moschella, CPA, CISA, Risk Advisory Services Senior Manager

Editor’s note: This article is one of a series of articles about the CMMC Level 1 Practices. In these articles we dive into the CMMC Practice Guides and provide our thoughts about the practices and what contractors should consider. The CMMC ecosystem is still developing, and as those developments occur, we will update these articles accordingly. As such, we hope that these articles represent an evergreen CMMC Level 1 resource.

Practice
PE.L1-3.10.3 – Escort visitors and monitor visitor activity.
Assessment Objectives
Determine if:
[a] visitors are escorted; and
[b] visitor activity is monitored.
(source: CMMC ML-1 Assessment Guide)

Overview of PE.L1-3.10.3

The main focus of this practice is the protection of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) through escorting and monitoring visitors.

A common cybersecurity adage states that each device that connects to your network is a possible attack surface. Organizations therefore implement security controls to ensure only authorized devices and users can access their systems. This concept also applies to physical access. Each guest that enters your building could be a threat actor seeking to gain access to sensitive spaces or data, so the CMMC has implemented standards that companies must follow to ensure all guests are known and their actions are monitored throughout their visit.

What Qualifies as a Visitor?

One significant distinction that is addressed by this practice is the difference between authorized, perpetual access and visitor access. For example, if your organization employs contractors that require persistent, regular access to your building, their access requirements would likely be reviewed, approved, and established during your organization’s onboarding procedures.

Practice PE.L1-3.10.3 is only concerned with the physical security controls that organizations implement for visitors such as clients, vendors, employee personal contacts, and other guests to the building – all encounters which do not occur on a regular basis.

Identifying Visitors

To put practice PE.L1-3.10.3 into action, visitors should be easily identifiable by your staff [a, b].

Many vendors require their employees to wear company-branded clothes such as polos or t-shirts, but organizations should not rely on this marker alone. Terminated vendor employees, for example, could wear old company clothing and claim to be making a visit at their former employer’s behest. One way to mitigate this risk and show your staff that visitors have been vetted is to require that they check in, usually at a front desk, and receive a visitor badge to wear throughout their visit. Organizations could also consider requiring visitors to show photo IDs, such as professional badges or driver’s licenses, prior to signing a visitor log and receiving a badge. This is a more common step for organizations with elevated security concerns, such as schools or government facilities.

Escorting Visitors

Once visitors have been identified by your organization, they should be escorted by an employee throughout their visit [a].

To pass PE.L1-3.10.3, your organization should have a formal policy in place that establishes this requirement. Any evidence that demonstrates escorting actually occurs will also be reviewed as part of the assessment of the related practice (PE.L1-3.10.4 – Physical Access Logs).

Monitoring Visitors

“If we escort visitors at all times [a], are we not also monitoring them [b]?”

– Everyone who reads this practice

Yes, I am reminded of my high school logic lectures on syllogisms. The classic example: All cows have spots. Betsie is a cow. Therefore, Betsie has spots. The CMMC equivalent seems to pop up here. Escorted people are monitored. Visitors are escorted. Therefore, visitors are monitored.

As easy as it is to quibble with this one, we recommend organizations consider their physical environments and try to identify measures, in addition to escorting, that support monitoring. These can include, but are not limited to:

  • Visitor badges or stickers that clearly identify visitors
  • Visitor logs, both in common areas and high-risk areas (such as server rooms)
  • Security cameras installed at building entrances and exits

Visitor logs are required for PE.L1-3.10.4 – Physical Access Logs regardless, and a gross of brightly colored visitor stickers can be yours for less than the price of a movie ticket.

Conclusion

PE.L1-3.10.3 is among the easier practices to implement and pass. Thankfully, it appears to have fewer complicating edge cases than other Level 1 Physical Protection practices. We recommend verifying your policies and procedures contain requirements to:

  • Have visitors sign in,
  • Escort visitors, and
  • Add one or more of the relatively easy forms of “monitoring” (badges, logs, cameras) on top of the monitoring that naturally occurs during “escorting.”

Last, we recommend communicating these requirements to those responsible for visitor intake and escort.

Many DoD contractors will not have the expertise or resources needed to perform a CMMC readiness assessment, identify the gaps, and develop corrective action plans. In these cases, contractors are turning to cybersecurity consultants with knowledge of NIST and the CMMC framework. If you want to learn more about CMMC, Keiter’s team of cybersecurity specialists can help you. Call: 804.747.0000.

Our team will continue to monitor the rollout of the CMMC program and update you on new information and changing requirements for DoD contractors.

About the Author

Christopher Moschella, CPA, CISA, Risk Advisory Services Senior Manager

Chris is a Senior Manager in Keiter’s Risk Advisory Services. Chris has a strong combination of IT skills, which range from IT audit and internal control assessments, including general computer controls and application controls, to full stack web development. Most recently, Chris developed a cybersecurity web application that assesses an organization’s resistance to social engineering attacks. Chris shares his cybersecurity insights on our blog.

The information contained within this article is provided for informational purposes only and is current as of the date published. Online readers are advised not to act upon this information without seeking the service of a professional accountant, as this article is not a substitute for obtaining accounting, tax, or financial advice from a professional accountant.
