CMMC PE.1.134 – Control Physical Access

Requirement text:

PE.1.134: Control and manage physical access devices.


DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
Physical access devices include keys, locks, combinations, and card readers.

CMMC CLARIFICATION
Controlling physical access devices like locks, badging, key cards, etc. is just as important as monitoring and limiting who is able to physically access certain equipment. Locks, badges, and key cards are only strong protection if you know who has them and what access they allow.

Example
A team member retired last week and forgot to turn in company items, including an identification badge and office keys. The project requires special equipment that should be used only by project team members. Before you begin looking for a replacement employee, you make sure to change the locks on the doors to the project area. You also disable the retired team member’s badge.

Get Audit Ready


How to pass? Restrict the number of people who can unlock the doors or disable the security system at your business. Lock your doors and windows to protect your computers and documents. If an employee leaves, change the locks. If you can afford it, use electronic locks that can easily be re-programmed.

How to fail? Never change the door locks even though you’ve had employees leave in the past. Leave windows unlocked.



References
• FAR Clause 52.204-21 Partial b.1.ix 
• NIST SP 800-171 Rev 1 3.10.5
• CERT RMM v1.2 KIM:SG4.SP2
• NIST SP 800-53 Rev 4 PE-3

