CMMC PE.1.131 – Limit Physical Access
Requirement text: PE.1.131:
Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals. DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
This requirement applies to employees, individuals with permanent physical access authorization credentials, and visitors. Authorized individuals have credentials that include badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed consistent with applicable laws, directives, policies, regulations, standards, procedures, and guidelines. This requirement applies only to areas within facilities that have not been designated as publicly accessible.
Limiting physical access to equipment may include placing equipment in locked rooms or other secured areas and allowing access to authorized individuals only; and placing equipment in locations that can be monitored by organizational personnel. Computing devices, external disk drives, networking devices, monitors, printers, copiers, scanners, facsimile machines, and audio devices are examples of equipment.
CMMC CLARIFICATION
Think about what parts of your physical space (e.g., office, plant, factory), what equipment, including the network, need to be protected from physical contact. For those parts of your company to which you want only specific employees to have physical access, monitor or limit who is able to enter those spaces with badges, key cards, etc.
Example
You work for a small company as the project manager for a Department of Defense (DoD) project. The project requires special equipment that should be used only by project team members. You work with your boss to put locks on the doors to your area. This restricts access to the room to only those employees who work on the DoD project.
Get Audit Ready
How to pass? Identify the areas of your company work spaces that are public and private. (It is OK for everything to be private). Keep your computers, devices, network gear, and sensitive information in the private area. If you don’t have any employees actively supervising the private area, lock the door when you leave.
How to fail? Running cables for your
internal network to wall jacks in the guest waiting area. Leaving the
front office unlocked and unsupervised while you are in the shop
working. Leaving your laptop on the table, logged on, at Starbucks,
while you go to the bathroom.
References
• FAR Clause 52.204-21 b.1.viii
• NIST SP 800-171 Rev 1 3.10.1
• NIST CSF v1.1 PR.AC-2
• CERT RMM v1.2 KIM:SG4.SP2
• NIST SP 800-53 Rev 4 PE-2
Related Articles
Physical Protection: SP 800-171 Security Family 3.10
The term physical and environmental security refers to measures taken to protect systems, buildings, and related supporting infrastructure against threats associated with their physical environment. Physical and environmental requirements cover three ...Access Control: SP 800-171 Security Family 3.1
Access is the ability to make use of any system resource. Access control is the process of granting or denying requests to: • use information, • use information processing services, and • enter company facilities. System-based ...CMMC PE.1.134 – Control Physical Access
Requirement text: PE.1.134: Control and manage physical access devices. DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2 Physical access devices include keys, locks, combinations, and card readers. CMMC CLARIFICATION Controlling physical access ...CMMC PE.1.133 – Maintain Physical Access Log
Requirement text: PE.1.133: Maintain audit logs of physical access. DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2 Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural (e.g., a written log of individuals ...CMMC Level 1 Overview - Basic Cyber Hygiene
CMMC Level 1 l focuses on Federal Contract Information (FCI), which is defined as “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the ...