CMMC PE.1.133 – Maintain Physical Access Log

Requirement text:

PE.1.133: Maintain audit logs of physical access.


DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural (e.g., a written log of individuals accessing the facility), automated (e.g., capturing ID provided by a PIV card), or some combination thereof. Physical access points can include facility access points, interior access points to systems or system components requiring supplemental access controls, or both. System components (e.g., workstations, notebook computers) may be in areas designated as publicly accessible with organizations safeguarding access to such devices.


CMMC CLARIFICATION
Make sure you have a record of who is accessing both your facility (e.g., office, plant, factory) and your equipment. You can do this in writing by having employees and visitors sign in and sign out as they enter and leave your physical space, and by keeping a record of who is coming and going from the facility.


Example
You and your coworkers like to have friends and family join you for lunch at the office on Fridays. Your small company is growing, and sometimes it is hard to know who is coming and going from the lunch area. You work with your boss, the company founder, and ask all non-employees to sign in at the reception area and sign out when they leave. Employees can be issued badges or key cards that enable tracking and logging of access to the company facilities.

Get Audit Ready

How to pass? Use a sign-in and sign-out sheet for employees and visitors (complimentary template here). If you can afford it, use cameras around your facility to identify everyone who enters and exits, including your employees. Install electronic locks with individually assigned keys or cards that keep a record of who went through them and when.

How to fail? Discovering that computers have been stolen and having no record of who was in the building during the last 24 hours.



Reference
• FAR Clause 52.204-21 Partial b.1.ix
• NIST SP 800-171 Rev 1 3.10.4
• NIST SP 800-53 Rev 4 PE-3
