6 Best Practices for CMMC Physical Security Control

The first C in CMMC stands for cybersecurity, so it makes sense that the vast majority of content and information about it (both here and elsewhere online) is focused on the cyber aspect. Digital security makes up the bulk of the certification, and it’s by far the biggest threat vector in a modern business space.

There is, however, still that detail that has to matter sooner or later: the fact that everything digital has to have somewhere it lives in physical space. As the old aphorism reminds us, the “cloud” is just somebody else’s computer.

So, whether your business app is stored on servers in a dedicated room in your business headquarters, or it’s all running in a bucket on an Amazon datacenter somewhere in an office park in Ohio, physical security matters.

How do you satisfy the physical security control elements of CMMC? We’ve put together six best practices and a handful of tips to help you through it.

BLUF - Bottom Line Up Front

Implement physical security for CMMC through six practices: understand the six Physical Protection controls and why they exist, limit the scope of what you have to secure, be rigorous with physical access control and logging, decide deliberately whether remote work with CUI is worth the extra burden, train employees (tailgating and visitor handling above all), and audit and monitor continually. Each practice serves the same goal as the rest of the framework: keeping CUI away from anyone not authorized to see or touch it.

1: Understand the Physical Security Controls

The first thing you need to do is understand the physical security controls, why they exist, and what they are meant to do. It’s easy to think of something like CMMC as a big checklist of independent items you need to tick off, but the truth is, everything is interconnected and established in the framework for a reason. Knowing that reasoning can help you view your security holistically and grasp what you need to do to secure it, even in non-standard situations.

CMMC breaks the security model into a number of control domains, including configuration management, incident response, and media protection. One of those domains is Physical Protection, which is where the “meatspace” security lives.

As it stands, there are six security controls in the Physical Protection domain, numbered 3.10.1 through 3.10.6 after their source in NIST SP 800-171. CMMC Level 1 requires four of them (3.10.1, 3.10.3, 3.10.4, and 3.10.5), Level 2 adds the remaining two (3.10.2 and 3.10.6), and Level 3 does not add any further physical protection requirements.

3.10.1: Limit Physical Access to CUI Data

For this control, organizations must limit access to areas where CUI is stored physically. That includes digital storage, such as company servers, and physical storage, such as filing cabinets.

Remember that any area where CUI can be accessed needs to be controlled. If your employees who handle CUI can access it from the general floor, it means your entire facility will need to be secured.

3.10.2: Monitor Facility for Unauthorized Access

For this control, organizations are required to protect and monitor their physical facilities and supporting infrastructure, so that unauthorized entry is detected and can be acted on. Passive recording on its own is not enough; someone has to see the alert and respond when an intrusion is identified.

There are many possible technological solutions to this, from cameras and alarms to badging systems to motion sensors. Whatever you use needs to be validated and checked routinely to ensure it is still effective.

3.10.3: Escort Visitors Who Access CUI Data

From time to time, a business might need to bring in an outsider. If and when this happens, the visitor must be escorted at all times, with their visit authorized, logged, and tracked, to prevent unauthorized viewing, copying, theft, or tampering with CUI.

It doesn’t matter whether or not the visitor is themselves authorized to access CUI in their own environment. Only those who are explicitly there with authorization to access your CUI can be allowed, with supervision, to access it.

3.10.4: Maintain Physical Access Logs for CUI Data

This is a fairly simple requirement: physical access has to be logged, meaning who entered, where, and when. If you use an electronic badging system, keep the reader logs of every badge use. If you run security cameras, retain timestamped footage. If you use alarm systems, log when they are armed and disarmed, and by whom.

Logs must be maintained for a minimum length of time, which depends on specific compliance rules for your industry and contracts.

3.10.5: Manage Physical Access to Secure Areas

This control requires that access to any location designated as a secure area where CUI is held be managed directly. In the control text itself, the emphasis is on the physical access devices: keys, badges, and lock combinations must be inventoried, issued only to people who need them, and revoked or changed when those people leave or change roles.

Only those with business-justified needs should be allowed access, and that access should be restricted as tightly as possible. Access should be logged and reviewed periodically.

3.10.6: Alternative Work Sites: Maintaining Security Outside Main Facilities

If your organization allows remote work for employees who need to access CUI to do their job, their alternative work sites must be secured appropriately as well. If they use physical documents, they need secure storage for them. If they use digital devices with CUI on them, those devices must be protected appropriately. Connections to company intranets and CUI systems should go over a VPN, from approved devices only, and never from public networks. There is a lot here.

You can see how all six of these requirements are orbiting the concept of physical security, while outlining specific aspects of that physical security that need to be implemented properly. It’s all in the service of the same security you’re implementing elsewhere: protecting CUI from unauthorized access or tampering.

2: Do Your Best to Limit Scope

We’ve talked a lot before about scoping for CMMC, because it’s incredibly important.

Scoping is all about identifying the minimum necessary systems for the parts of your business handling CUI, and drawing firm boundaries around them.

To use a simple example, if your business handles CUI in physical printout form, which is easier: securing a “document room” where all of the CUI is kept, or securing your entire building to allow employees to carry it around as needed?

The less you need to secure, both digitally and physically, the less work, money, and risk it involves.

The best thing you can do to smooth out your implementation of physical security requirements is to take the time to thoroughly analyze your business environment. Conduct a physical security risk assessment, identify the scope of your systems, and figure out where you can tighten them down and draw boundaries to reduce the threat surface.

It’s also possible you already have some physical security systems in place for other reasons. If that’s the case, you can likely incorporate these into your CMMC compliance, though you will need to make sure they do everything they need to in order to be considered viable for CMMC. One of the largest hurdles is logging and review, in many cases.

3: Be Rigorous with Access Control

One of the most important elements of the physical security part of CMMC is physical access control.

CUI needs to be, effectively, behind locked doors, whether it’s physical or digital. Those doors need to be closed to all but the people who have a vested need to get at it, and that list needs to be kept as short as possible and reviewed regularly to remove anyone who no longer needs access.

Anyone who does need access needs to be logged and tracked. The most common access control system is physical badging, though security guards, biometric authorization, and other systems can be used as well.

All of these systems need to be maintained and reviewed periodically to make sure they’re still working and effective.

Likewise, everything needs to be logged. Every time a badge is used, it should be logged. Every time people enter and leave secure areas or access secure systems, it should be logged. If possible, tying logs of badge use to video records can be another way to validate who is using access and when.

Surveillance is a necessary part of all of this as well. Whether it’s external cameras passively monitoring the area, or more active cameras near secure areas that operate on a motion sensor or trigger when a badge is used, having video records helps a lot.
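The kind of periodic log review the badge-logging requirement (3.10.4) and the "reviewed regularly" access list above call for can be automated, at least for the obvious cases. The script below is an added example, not code from the original article or from any badge-system vendor: it parses a constructed badge-reader export, compares it against a constructed approved access list, and reports the findings a reviewer would want to chase. The log format, reader name, badge IDs, business hours, and denial threshold are all assumptions for illustration; real reader exports differ per vendor.

```python
"""Review badge-reader access logs for a CUI secure area (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, time, timedelta

# Constructed sample log for one secure-area door (assumed format):
# timestamp, badge ID, reader, direction, reader result
SAMPLE_LOG = """\
2024-03-04T08:02:11 B1001 DOC-ROOM-1 IN GRANTED
2024-03-04T08:02:40 B1002 DOC-ROOM-1 IN GRANTED
2024-03-04T09:15:03 B1001 DOC-ROOM-1 OUT GRANTED
2024-03-04T09:20:55 B1001 DOC-ROOM-1 IN GRANTED
2024-03-04T09:21:10 B1001 DOC-ROOM-1 IN GRANTED
2024-03-04T10:05:00 B1004 DOC-ROOM-1 IN GRANTED
2024-03-04T12:00:00 B1003 DOC-ROOM-1 IN DENIED
2024-03-04T12:00:05 B1003 DOC-ROOM-1 IN DENIED
2024-03-04T12:00:12 B1003 DOC-ROOM-1 IN DENIED
2024-03-04T17:01:19 B1002 DOC-ROOM-1 OUT GRANTED
2024-03-04T22:47:30 B1002 DOC-ROOM-1 IN GRANTED
2024-03-04T23:30:00 B1002 DOC-ROOM-1 OUT GRANTED
"""

# Constructed approved access list: the badges that *should* open each reader.
ACCESS_LIST = {"DOC-ROOM-1": {"B1001", "B1002", "B1099"}}

BUSINESS_HOURS = (time(7, 0), time(19, 0))   # assumed normal working hours
DENIED_BURST = (3, timedelta(minutes=1))      # N denials within this window


@dataclass(frozen=True)
class Event:
    ts: datetime
    badge: str
    reader: str
    direction: str   # IN or OUT
    result: str      # GRANTED or DENIED


def parse_log(text: str) -> list[Event]:
    """Parse the assumed space-separated format into time-ordered Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, badge, reader, direction, result = line.split()
        events.append(Event(datetime.fromisoformat(ts), badge, reader, direction, result))
    return sorted(events, key=lambda e: e.ts)


def review(events: list[Event], access_list: dict[str, set[str]]) -> dict[str, list]:
    """Return review findings keyed by category."""
    findings: dict[str, list] = defaultdict(list)
    inside: set[tuple[str, str]] = set()                       # (reader, badge) now inside
    denied: dict[tuple[str, str], list[datetime]] = defaultdict(list)
    used: set[tuple[str, str]] = set()

    for e in events:
        key = (e.reader, e.badge)
        if e.result == "DENIED":
            # Repeated denials look like a lost or revoked badge being retried,
            # or someone probing the door; flag once the threshold is hit.
            window = denied[key]
            window.append(e.ts)
            window[:] = [t for t in window if e.ts - t <= DENIED_BURST[1]]
            if len(window) == DENIED_BURST[0]:
                findings["denied_burst"].append((e.badge, e.reader, e.ts))
            continue

        used.add(key)
        # A grant for a badge the approved list does not contain means the
        # reader's configuration has drifted from the authorized list.
        if e.badge not in access_list.get(e.reader, set()):
            findings["unlisted_grant"].append((e.badge, e.reader, e.ts))

        if e.direction == "IN":
            if not (BUSINESS_HOURS[0] <= e.ts.time() <= BUSINESS_HOURS[1]):
                findings["after_hours"].append((e.badge, e.reader, e.ts))
            # Two INs with no OUT between them: the badge admitted someone else
            # or the door was held open (an anti-passback violation).
            if key in inside:
                findings["double_entry"].append((e.badge, e.reader, e.ts))
            inside.add(key)
        else:
            inside.discard(key)

    # Badges on the list that never appear are candidates for removal.
    for reader, badges in access_list.items():
        for b in sorted(badges):
            if (reader, b) not in used:
                findings["stale_access"].append((b, reader))
    return dict(findings)


if __name__ == "__main__":
    for category, items in review(parse_log(SAMPLE_LOG), ACCESS_LIST).items():
        print(category)
        for item in items:
            print("   ", *item)
```

Each finding maps to something a reviewer should do: a double entry or after-hours entry is worth pulling the matching camera footage for, a denied burst is worth a call to the badge holder, an unlisted grant means the reader configuration and the approved list have diverged, and a stale entry is a badge to revoke. None of this replaces the review itself; it just makes sure the reviewer starts with the interesting lines rather than the whole export.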

4: Limit Remote Work or Be Prepared for a Huge Workload

The sixth of the physical protection controls in CMMC centers around remote work. This is a very complicated situation.

On one hand, some businesses work entirely in the office, so it’s easy to disallow remote work for employees, roles, or tasks that involve CUI.

On the other hand, some businesses are all but entirely remote, so remote work is the majority of all work, including the work that involves CUI.

There’s a push-and-pull here; do you limit remote work or prohibit it entirely to limit scoping and reduce the technological, training, and financial burden of security? Or do you allow remote work to provide it as a benefit to your employees, which can benefit morale and productivity, but cost more and be vastly more complex to manage?

Effectively, you have three options.

  1. You can invest in security and training for remote work involving CUI and allow remote work for everyone.
  2. You can allow remote work for people who don’t touch CUI, but require in-office work for tasks or individuals engaging with controlled systems.
  3. You can disallow remote work entirely to simplify everything.

There’s no single right answer here; different businesses will come to different conclusions. Some will value the option to work remotely much more, while others want to stick with lean teams and won’t have the luxury of segmenting a workforce.

If you’re going to allow remote work for individuals whose jobs involve CUI and controlled systems, be prepared for a lot of extra burden surrounding securing their environments as well. We have a whole guide on just this topic over here for more information.

5: Don’t Neglect Employee Training

With technological and digital security, a lot of what needs to be done can be handled with technical controls, and employee training isn’t necessarily at the forefront. It’s still important, obviously, but you aren’t relying on training to get people to use strong passwords when you can enforce a password policy technically, to use a basic example.

With physical security, employee training is much more important. This is because physical intrusion is much more often a matter of social engineering and confidence scams, and people are inherently conditioned to be polite and accommodating.

One very common example is called tailgating. If two employees are entering the building at the same time and one badges in to unlock the door, the natural inclination is to hold the door for the other. That can be fine in normal circumstances, but in cases where CUI is at stake, the second person’s unbadged entry becomes an unlogged liability. It’s even more of a problem in organizations where not everyone necessarily knows everyone else; holding the door for a stranger may be polite, but it’s also a huge security risk.

Employee training should encompass at least:

  • How to identify CUI, where CUI is stored and handled, and how to make sure it’s protected.
  • How to recognize potential security threats, suspicious activity, or outsiders, and how to report them.
  • How to properly use access control systems, whether it’s badges and cards, biometrics, or codes.
  • How to handle visitors and make sure they’re escorted at all times.
  • Rules and procedures for working remotely, if you’re allowing it.

All of this also needs to ride on the back of stated and published physical security policies.

6: Establish Continual Auditing and Monitoring

No security is secure if it’s not validated.

When it comes to physical security, access logs and usage logs are a must, and footage from security cameras has to be retained alongside them. Yes, it can take up a lot of storage space. If a camera can see CUI (a screen, a printout on a desk), its footage may itself contain CUI and must be protected accordingly. All of this requires maintenance, monitoring, evaluation, and auditing.

Establish processes for going through all of your physical security systems at appropriate intervals and validating their security. Conduct unannounced tests to make sure people are following the rules. Consider red teaming and pen testing. Consider it all part of continuous monitoring, and you’re on the right track.

Here at Ignyte, we’re deeply familiar with CMMC, and that includes the physical security rules. While the Ignyte Assurance Platform isn’t designed as a management hub for physical security, it can be used to store things like audit logs and reporting, and the evidence that your physical security is being followed. We can also help you out in other ways, so if you’re interested in seeing what we can do for you, contact us.