DoD Contractor Considerations for CMMC Practice Guide PE.L1-3.10.5

By Christopher Moschella, CPA, CISA, Risk Advisory Services Senior Manager

DoD Contractor Considerations for CMMC Practice Guide PE.L1-3.10.5

Editor’s note: This article is one of a series of articles about the CMMC Level 1 Practices. In these articles we dive into the CMMC Practice Guides and provide our thoughts about the practices and what contractors should consider. The CMMC ecosystem is still developing, and as those developments occur, we will update these articles accordingly. As such, we hope that these articles represent an evergreen CMMC Level 1 resource.

Practice
PE.L1-3.10.5 – Control and manage physical access devices.
Assessment Objectives
Determine if:
[a] physical access devices are identified;
[b] physical access devices are controlled; and
[c] physical access devices are managed.
(source: CMMC ML-1 Assessment Guide)

Overview of PE.L1-3.10.5

Unlike, PE.L1-3.10.1 – Limit Physical Access, which focuses on people, PE.L1-3.10.5 focuses on the devices used by people to access physical areas.

Organizations implement some type of physical device that, when presented, either allows or prevents access to an entire building, a suite, a room, etc. The devices can be key fobs, badges, key codes, cypher locks, spin dial locks, etc. Access to these physical access devices (or their codes) must be controlled.

The CMMC enumerates three elements of control: identifying devices, controlling devices, and managing devices.

[a] Physical Devices are Identified

The application of this control depends largely on the type of device.

Physical Keys

Physical keys are present in just about every organization. Even if advanced badge readers are used in most circumstances, there are often physical keys that can unlock the door in the event the power is out or the badging system breaks.

To the extent that physical keys are present in your environment they should be uniquely identified, such as with a punched number, and their current disposition noted. For example, if there are three keys to the front door and three keys to the “Engineering Room,” where FCI/CUI is present, an organization might keep a record like this:

DoorIdentifierIssued ToIssued Date
FrontFD-1Jane CEO12/1/2019
FrontFD-2John CFO5/13/2022
FrontFD-3Unissued-
Engineering RoomEGN-1Davie Derivative3/3/2013
Engineering RoomEGN-2Susie Asymptote8/5/2021
Engineering RoomEGN-3Peter Parabola7/6/2017

Fobs or other Digital Devices

Electronic access systems commonly have a list of devices including those that have been issued and unissued. However, they may lack the functionality to associate the devices with people. If they do lack such functions, the organization should maintain its own list, similar to the example for physical keys.

Organizations that have systems that associate the devices with people often have unassigned guest badges. These should still be tracked.

Cypher Locks or Spin Locks

These devices are more common on interior doors rather than exterior doors. They are used to control access to a specific area by giving specific people knowledge of the code to open the door. In these instances, organizations should maintain a list of who has been provided the codes and when the codes were last changed.

[b] Physical Devices are Controlled

We interpret “controlling physical devices” to refer to two broad areas:

Giving/activating physical devices to authorized people

Physical access devices are often maintained by staff who are not responsible for authorizing new access. For example, the Facilities team is responsible for issuing badges to new employees. However, they are only allowed to issue badges when a completed request from Human Resources appears in the badging system.

Regardless of the mechanism used, organizations should indicate a record of the badge being issued, the date, the request, and the approval.

Protecting unissued devices

Certain devices, especially physical keys, can be used by the bearer without a secondary activation. Accordingly, organizations should implement security measures to protect unused devices and document those mechanisms in appropriate policies and procedures.

 

[c] Physical Devices are Managed

It is helpful to think of “management” as relating to two types of devices: those issued to people (like keys, fobs, badges), and those attached to structures (key locks, cypher locks, combination locks).

Devices Issued to People

Organizations should have documented processes in place to recover/deactivate keys, badges, fobs, and other physical access devices from employees when they separate from the company. These processes are most consistently executed if they start with Human Resources and notify the appropriate staff of the employee’s departure.

The foregoing also applies to vendors. Organizations frequently provide vendors facility access to perform various tasks. Janitorial services, building maintenance, consultants, and auditors are just some examples of visitors that might be issued badges. However, Human Resources is likely not the starting point for deactivating badges issued to vendors. To manage vendor badges, one strategy is to consider them in two groups: Daily Visitor Badges and Permanent Vendor Badges.

  • Daily Visitor Badges are appropriate for visitors, including vendors, who do not have a long-lived presence. These badges should be deactivated automatically or manually at the end of the day.
  • Permanent Vendor Badges are for vendors who do have a long-lived presence. Contracts with vendors should require the vendor to notify you if their employees separate from the vendor so that you can deactivate their badge. Additionally, if the badging system is capable, it is a best practice to automatically expire the badge at the contract’s end or on a set, periodic basis, e.g., quarterly, unless reapproved by the line-of-business manager overseeing the vendor’s work.

Additionally, an organization should have a procedure to address the inevitable lost device. Employees and vendors should be educated to notify designated individuals if they lose a key, badge, or fob. Likewise, the organization should have documented procedures to respond to such events, such as deactivating the badge or fob and, depending on the scenario, changing the lock.

Regardless if caused by a separation, internal transfer, lost device, or other business reason, the organization should retain records to show that devices were recovered or disabled timely to the related event.

Devices Attached to Structures

Cypher locks and combination locks must be changed every time a person with access no longer requires access. This could be from separation or an internal transfer. If a company uses these types of locks, the separation/transfer process should contain a step to evaluate if the person had access to door codes, and if so, the combinations should be changed and the date of the change documented and maintained.

Physical keys are more difficult and expensive to change. So, an organization may elect to apply criteria to see if an event requires a key change. For example, if someone was terminated for cause and the organization was unable to recover the key at the time of the termination, the organization may elect to change the locks on the door and issue new keys to current employees. If there was a break-in, and you are unsure if the lock was picked or if a key was used, the lock should be changed.

If no event driven lock and code changes occur, organizations should change locks and codes on a minimum periodic basis. Changing physical locks is likely to be very infrequent. Changing cypher and combination codes should be more frequent. Importantly, organizations should document the established frequencies in policies and procedures and document the events as they are performed.

Conclusion

How organizations control and manage physical access devices is highly variable to the type of physical devices used. Regardless of the mechanism, organizations should have policies and procedures to maintain a record of the current disposition of physical access devices and to control how they are issued and recovered. Additionally, when physical access devices are issued and recovered, organizations should maintain a record of the event including who authorized the event and when it was performed.

Many DoD contractors will not have the expertise or resources needed to perform a CMMC CMMC RPOreadiness assessment, identify the gaps, and develop corrective action plans. In these cases, the contractors are turning to cybersecurity consultants with knowledge of NIST and the CMMC framework. If you want to learn more about CMMC, Keiter’s team of cybersecurity specialists can help you. Email | Call: 804.747.0000.

Our team will continue to monitor the rollout of the CMMC program and update you on new information and changing requirements for DoD contractors.

Share this Insight:

About the Author


Christopher Moschella

Christopher Moschella, CPA, CISA, Risk Advisory Services Senior Manager

Chris is a Senior Manager in Keiter’s Risk Advisory Services. Chris has a strong combination of IT skills, which range from IT audit and internal control assessments, including general computer controls and application controls, to full stack web development. Most recently, Chris developed a Cybersecurity web application that assesses an organization’s resistance to social engineering attacks. Chris shares his cybersecurity insights on our blog.

More Insights from Christopher Moschella

The information contained within this article is provided for informational purposes only and is current as of the date published. Online readers are advised not to act upon this information without seeking the service of a professional accountant, as this article is not a substitute for obtaining accounting, tax, or financial advice from a professional accountant.

Categories

Contact Us