CMMC PE.1.132 – Escort and Monitor Visitors

Requirement text: PE.1.132:

Escort visitors and monitor visitor activity.

DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
Individuals with permanent physical access authorization credentials are not considered visitors. Audit logs can be used to monitor visitor activity.

CMMC CLARIFICATION
Do not allow visitors, even those people you know well, to walk around your facility without an escort. Make sure that all non-employees wear special visitor badges and/or are escorted by an employee at all times while on your property.

Example
Coming back from a meeting, you see the friend of a coworker walking down the hallway near your office. You know this person well and trust them, but are not sure why they are in the building. You stop to talk, and the person explains that they are supposed to meet the coworker for lunch, but cannot remember where the lunchroom is. You offer to walk the person back to the reception area to get a visitor badge and wait until someone can escort them to the lunch room. You report this incident, and the company decides to install a badge reader at the main door so visitors cannot enter without an escort.


Get Audit Ready
How to pass? You need to be able to positively identify anyone who is in your facility and challenge those who don’t have permission to be there. A very small company with 4 employees should know each person on sight. If you see anyone else in your space, you need to stop them, and potentially call the police. Larger companies (where employees don’t know everyone) use employee and visitor badges to show who is allowed to be there.

How to fail: Not escorting a utility worker when they come inside to “do repairs”. They could be a bad person trying to steal sensitive information or hack your network. Not calling the police if an unknown person was found wandering around inside your offices.

References
• FAR Clause 52.204-21 Partial b.1.ix
• NIST SP 800-171 Rev 1 3.10.3
• CERT RMM v1.2 AM:SG1.SP1
• NIST SP 800-53 Rev 4 PE-3
