By Christopher Moschella, CPA, CISA, Risk Advisory Services Senior Manager
Editor’s note: This article is one of a series of articles about the CMMC Level 1 Practices. In these articles we dive into the CMMC Practice Guides and provide our thoughts about the practices and what contractors should consider. The CMMC ecosystem is still developing, and as those developments occur, we will update these articles accordingly. As such, we hope that these articles represent an evergreen CMMC Level 1 resource.
| Practice |
|---|
| PE.L1-3.10.4 – Maintain audit logs of physical access. |
| Assessment Objectives |
| Determine if: |
| [a] audit logs of physical access are maintained. |
| (source: CMMC ML-1 Assessment Guide) |
Overview of PE.L1-3.10.4
The CMMC requirement to maintain logs of physical access is a perfect example of how a requirement that appears simple on its face (it has only one straightforward assessment objective) can be complex and expensive to implement.
In addition to the requirements to limit physical access, escort visitors, and to manage physical access devices (like physical keys and badges), CMMC Level 1 also requires that organizations keep a log of everyone who accesses physical areas where there is FCI/CUI.
Logs should be maintained for visitors and regular personnel. Additionally, they can be put in place for an entire facility or limited to areas within a facility that contain FCI/CUI.
Logs can be manual, part of an electronic badge system, or a combination of the two. For example, many organizations have a badging system for employees but not for visitors. In such cases, the badging system creates logs of employee access, while a manual log is used to sign visitors in and out.
Badging System Logs
If your organization uses a badging system to control physical access, then you have a head start. Many badging systems automatically retain logs of who badges in and out of different areas. However, there are a few considerations:
- Employees should be trained to not allow tailgating. In polite society, we often hold the door open for each other. In organizations that are required to follow the CMMC, staff should be trained to tap their badge to the badge reader, even if someone holds the door open. Likewise, if someone tries to tailgate without badging in, staff should also be encouraged to ask the person to badge in.
- Logs should be retained for a sufficient period. Logs are only useful if they are still there when you need them. Organizations should examine their badging system and determine whether logs are retained and for how long. Physical access records tend not to require much storage space, so we recommend organizations play it safe and retain these records for at least a year.
Manual Logs
For some organizations, a manual log in which employees and visitors sign in and out may be the easy and cheap way to get started. This can be a good solution in a few situations:
- Smaller organizations, or larger organizations whose DoD work is confined to smaller work areas.
- Organizations under a time crunch that do not have time to implement an electronic system before they need to be CMMC compliant.
The downside of manual logs is that they’re, well, manual. Whereas badge readers hardly require staff to tap the brakes, a manual log requires a full stop, perhaps a wait in a line, a physical sign-in, and related annoyances among team members.
Challenges
Electronic systems break. Even if you have an electronic system in place, it will occasionally fail. Consider a paper backup plan for when it breaks, to limit the effect of gaps in your electronic logs.
Property management staff control the badging system and can access everything. Many organizations have a full-time building property management company. When an organization is one of many tenants in a building, the property management company often has full access to the badging system, can access any part of the building at any time, can change audit log retention periods, and has direct access to audit log data. In such cases, OSCs (organizations seeking certification) should identify compensating measures to secure physical access and protect audit logs, such as creating separate backups of physical access log data and having a written agreement that property management staff are not to access protected areas without approval and escort from the organization.
Scoping. Logs must be kept for each area where there is FCI/CUI. For organizations that primarily serve the DoD, it is likely that the entire physical space requires logs. In those instances, badging in or signing into the building or office space may be enough. However, where FCI/CUI is isolated to specific areas within a larger office, an organization may be able to limit the logging to those specific areas.
Depending on the distribution of FCI/CUI within a physical space, an organization may save costs by consolidating the location of FCI/CUI and staff who interact with it to specific locations within a building.
Server rooms and network closets. The rule applies not only to where people physically sit and do work; it also applies to areas where data is processed. Don’t forget to log access to these areas as well.
Cost of adding badge readers. Adding a new badging system, or even adding a new badge reader to an existing system can be time consuming and expensive. Ultimately, it is a business decision as to whether it is worth the expense to have an automated system that retains logs.
Changing badging systems and log retention. If you switch badging systems, don’t dispose of your old logs. If the logs are stored in a service provider’s cloud, be sure to get a copy of the logs in a readable format and retain them in accordance with your policy.
Janitorial staff. It’s common for organizations to have contracted janitorial staff. These individuals require access to all areas of a facility, including where FCI and CUI are processed. Their access is also subject to audit logs, whether they are treated as escorted visitors or as approved personnel (and, in the latter case, presumably subject to the other related staff requirements, like background checks).
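The outage, retention and scoping points above are easiest to verify from an export of the badge logs rather than from the vendor console. The following script is an added example, not part of this article or of any badging product, and assumes a constructed CSV export with timestamp, badge_id, door and result columns; it flags windows with no events that a paper log would have to cover, checks that the retained history reaches back a year, and lists which doors actually produce logs.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample of a badge-system export; the column layout is an
# assumption made for this example, not any real vendor's format.
SAMPLE_EXPORT = """timestamp,badge_id,door,result
2023-01-03T08:01:00,E1001,main-entry,granted
2023-01-03T08:02:30,E1002,server-room,granted
2023-01-03T08:05:10,V0007,main-entry,granted
2023-01-05T09:00:00,E1001,main-entry,granted
2023-01-05T09:15:00,E1002,server-room,denied
"""

def parse_export(text):
    """Parse the CSV export into (timestamp, badge_id, door, result) tuples, oldest first."""
    rows = csv.DictReader(io.StringIO(text))
    events = [(datetime.fromisoformat(r["timestamp"]), r["badge_id"], r["door"], r["result"])
              for r in rows]
    return sorted(events)

def find_gaps(events, max_gap=timedelta(hours=24)):
    """Return (start, end) windows with no badge events for longer than max_gap.

    A long silence from a normally busy reader is what an outage looks like in the
    data; those windows are where the paper backup log has to fill in.
    Tune max_gap to the site's hours so weekends are not reported as outages.
    """
    return [(prev[0], cur[0]) for prev, cur in zip(events, events[1:])
            if cur[0] - prev[0] > max_gap]

def retention_ok(events, as_of, minimum=timedelta(days=365)):
    """True if the oldest retained event is at least `minimum` before `as_of`."""
    return bool(events) and events[0][0] <= as_of - minimum

def doors_logged(events):
    """Doors present in the export, to check against the list of FCI/CUI areas."""
    return {door for _, _, door, _ in events}

if __name__ == "__main__":
    evs = parse_export(SAMPLE_EXPORT)
    for start, end in find_gaps(evs):
        print(f"no badge events between {start} and {end}: check the paper log")
    print("one year of logs retained:", retention_ok(evs, datetime(2024, 2, 1)))
    print("doors with logs:", sorted(doors_logged(evs)))
```

Run it against a real export after swapping in the vendor's column names; any door listed in your FCI/CUI scoping that is missing from `doors_logged` has no electronic log at all.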
Conclusion
“Maintain audit logs of physical access.” It sounds simple on its face. In actuality, it is loaded with confounding variables: whether FCI/CUI is physically diffuse or consolidated, related staff training requirements, the cost of an electronic system vs. a paper system, property management company access, the impact of the other three CMMC Level 1 physical access requirements, and more.
With careful analysis and planning, however, organizations can minimize the cost and complexity of implementing physical access controls including physical access logging.
Interested in learning more about CMMC services for your defense contracts? Contact us. We are here to help.
Many DoD contractors will not have the expertise or resources needed to perform a CMMC readiness assessment, identify the gaps, and develop corrective action plans. In these cases, contractors are turning to cybersecurity consultants with knowledge of NIST and the CMMC framework. If you want to learn more about CMMC, Keiter’s team of cybersecurity specialists can help you. Email us or call 804.747.0000.
Our team will continue to monitor the rollout of the CMMC program and update you on new information and changing requirements for DoD contractors.
The information contained within this article is provided for informational purposes only and is current as of the date published. Online readers are advised not to act upon this information without seeking the service of a professional accountant, as this article is not a substitute for obtaining accounting, tax, or financial advice from a professional accountant.