CMMC Section 3.10: Meeting Physical Security Requirements

Compliance with Cybersecurity Maturity Model Certification (CMMC) Level 2 requires more than robust cybersecurity — it also demands physical security controls to safeguard Controlled Unclassified Information (CUI). In other words, Defense Industrial Base (DIB) organizations must physically protect the systems, equipment, and environments containing CUI from unauthorized access or tampering.

Any unauthorized access to sensitive information, whether intentional or accidental, can threaten national security. A physical security breach can also impact a DIB company’s reputation and ability to win Department of Defense (DoD) contract awards.

Overview of CMMC 3.10 Requirements

The DoD’s CMMC Assessment Guide for Level 2 certification provides Physical Protection requirements under section 3.10. DIBs must demonstrate compliance with section 3.10 during an assessment to achieve Level 2 certification. The section contains the following six requirements, incorporating the Physical Protection controls in National Institute of Standards and Technology Special Publication 800-171 Revision 2 and Federal Acquisition Regulation clause 52.204-21:

3.10.1 — Control Physical Access

Requirement 3.10.1 focuses on identifying authorized individuals and ensuring physical access to computers, equipment, or sensitive environments is limited to authorized personnel. It aims to protect CUI from being seen, heard, or handled by unauthorized persons, like facility visitors or the general public. Keeping computers and printers that store CUI behind locked doors is an example of limiting physical access.

3.10.2 — Monitor Facility

Control 3.10.2 requires that organizations monitor who enters and exits their facilities, especially access to systems containing CUI. The control also requires physically protecting support infrastructure, like electric wiring, from tampering. For example, DIB companies might install security cameras at entry points to keep an eye on visitor activity. They may also lock their wiring closets to protect their network cables.

3.10.3 — Escort Visitors

To comply with CMMC, DIBs cannot allow visitors to walk around the facility as they wish — there must be a process to monitor visitor activity. Control 3.10.3 requires visitors to be guided by an employee at all times while on the property or to wear a visitor’s badge. Visitor activity must also be monitored through cameras, guards, or audit logs. 

3.10.4 — Physical Access Logs

DIB organizations must record who enters their facility and any interior spaces containing CUI-related systems or equipment. These records must include employees, authorized personnel, and visitors. You can meet this requirement through any means, such as having employees and visitors sign in on a paper log, as long as you can securely maintain the records.

3.10.5 — Manage Physical Access

According to requirement 3.10.5, DIBs must have a process for identifying, controlling, and managing physical access devices like keys and electronic badges so they always know who has access to their facility. An organization might monitor access devices through a software program, for example, or manually keep track of them in a written document. If an employee quits, retires, or is let go, you must have a system for documenting whether they returned their access device. 

3.10.6 — Alternative Worksites

With many of today’s employees working remotely, organizations need methods to ensure CUI is still protected. Requirement 3.10.6 aims to safeguard CUI while off-site by first mandating that organizations define their unique security requirements for alternative worksites and then ensure they are met. To illustrate, DIB companies might make sure employee laptops have anti-virus software or only use VPNs that require multi-factor authentication.

6 Ways to Meet CMMC Physical Security Requirements 

CMMC physical security requirements are influenced by contractual clauses, the sensitivity of information your organization handles, and the unique risks associated with your operational environment. Therefore, it’s necessary to tailor your approach to your organization’s distinct security needs. The following strategies can give you a head start:

1. Identify In-Scope Assets and Risks

The first step to meeting CMMC 3.10 is determining which assets need protection and evaluating related risks. With this knowledge, you can set impactful security goals and devise an effective plan for reaching them.

Start by reviewing the DoD’s CMMC Scoping Guide and identifying the assets in scope for a CMMC assessment, such as computers that process, store, or transmit CUI and the rooms they’re kept in. Your in-scope assets are those that must be protected physically from unauthorized access.

Additionally, it’s important to evaluate the existing physical security measures. Are they effective and updated? Do they adequately guard against potential threats? If you pinpoint vulnerabilities, determine how you’ll address them.

2. Establish Robust Physical Access Control

Physical access control encompasses the security measures used to limit who can enter a secure area. A robust access control system creates multiple security levels by layering controls such as secure fencing, credential readers, key fobs or access cards, and security cameras. Together, these measures deter and prevent unauthorized access.

To meet physical access control requirements, you must first identify and document the individuals authorized to enter a secure area and designate which areas are sensitive. A risk assessment is also essential to choose access control measures based on risk levels.

For example, locking a storage room that contains CUI files might be adequate if the risk level isn’t too high. However, if a risk assessment reveals a higher risk level, you may also need to add an alarm system to detect unauthorized access and facilitate an immediate response.

3. Install Surveillance Cameras

Surveillance cameras enable employees or security guards to watch who enters and exits your facility, helping your organization meet CMMC monitoring requirements. Position security cameras at your facility’s entry and exit points and secure areas. You might also place cameras strategically throughout your facility to monitor visitor activity.

You’ll want to consider all physical security risks and whether security cameras can help mitigate them. For instance, you might install cameras near power lines to monitor your building’s support infrastructure and deter or detect physical tampering.

4. Develop a Visitor Logging System

It’s crucial to have a system for tracking visitors to meet the “Escort Visitors” and “Physical Access Logs” requirements. These logs may be written documents or automated digital records that capture data through electronic access devices. Combining manual and automated processes may be most effective.

Regardless, your organization must track everyone who accesses the facility as well as secure interior areas, like server or conference rooms. That way, if an incident or attempted breach occurs, you have evidence to streamline an investigation — especially if you have security cameras or other measures to complement your tracking system.
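As an added illustration (not part of the original article, and not BTI tooling), the following Python script audits a constructed physical access log and badge inventory for the kinds of gaps the "Escort Visitors", "Physical Access Logs", and "Manage Physical Access" requirements above are meant to surface: visitors in CUI areas without an escort, entries with no sign-out, sign-outs that precede sign-ins, and badges still assigned to separated personnel. The record layout, area names, and badge identifiers are all hypothetical assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass
class AccessEntry:
    """One row of a physical access log (paper sign-in sheet or badge-reader export)."""
    person: str
    role: str                # "employee" or "visitor"
    area: str                # e.g. "lobby" or a CUI area such as "server room"
    time_in: str             # ISO 8601 timestamp, minute resolution
    time_out: Optional[str]  # None when no sign-out was ever recorded
    escort: Optional[str]    # employee escorting a visitor, if any


# Constructed sample records (hypothetical; not real log data).
ACCESS_LOG = [
    AccessEntry("asmith", "employee", "server room", "2024-03-04T08:02", "2024-03-04T09:15", None),
    AccessEntry("visitor-17", "visitor", "lobby", "2024-03-04T10:00", "2024-03-04T10:45", "asmith"),
    AccessEntry("visitor-18", "visitor", "server room", "2024-03-04T11:20", None, None),
    AccessEntry("bjones", "employee", "wiring closet", "2024-03-04T13:00", "2024-03-04T12:30", None),
]
CUI_AREAS = {"server room", "wiring closet"}            # areas that hold CUI systems
BADGES = {"B-100": "asmith", "B-101": "bjones", "B-102": "cgreen"}  # badge id -> holder
SEPARATED = {"cgreen"}                                  # HR list of personnel who have left


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M")


def audit_access_log(log, cui_areas):
    """Findings for 3.10.3 (escort) and 3.10.4 (complete, consistent logs)."""
    findings = []
    for e in log:
        # Assumption: escorts are mandatory for visitors only inside CUI areas.
        if e.role == "visitor" and e.area in cui_areas and not e.escort:
            findings.append(f"unescorted visitor {e.person} in CUI area {e.area}")
        if e.time_out is None:
            findings.append(f"no sign-out recorded for {e.person} ({e.area})")
        elif _ts(e.time_out) < _ts(e.time_in):
            findings.append(f"sign-out precedes sign-in for {e.person} ({e.area})")
    return findings


def audit_badges(badges, separated):
    """Findings for 3.10.5: access devices still assigned to separated personnel."""
    return [f"badge {b} still assigned to separated employee {h}"
            for b, h in badges.items() if h in separated]
```

Feeding a badge-system export and the HR separation list into these two checks on a schedule gives reviewable evidence for the SSP rather than a one-time spot check.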

5. Train Employees on Security Procedures

For security controls to be effective, employees must be trained on physical security risks and their roles in reducing these risks. Meeting CMMC’s “Awareness and Training” requirements can help your organization achieve its physical security requirements by ensuring employees know how to prevent and respond to relevant security threats.

As part of security training, employees should learn what procedures to follow and how to respond to an incident according to their responsibilities. For example, office building employees should know when to escort visitors and what to do if they identify a visitor wandering around the facility unescorted. They should also learn how to protect CUI when working remotely. The “Access Control” requirements of CMMC can help you develop training materials and best practices for physically protecting CUI remotely, such as requiring employees not to use personal devices when working with CUI.

6. Update Your SSP

An important part of CMMC compliance is having proof that you’ve implemented the necessary measures. Every detail regarding physical security should be kept in your System Security Plan (SSP), from describing your facility’s locks to its visitation rules. Overall, your SSP is the formal document that describes the controls you’ve implemented to meet all CMMC requirements. DIB organizations must have an up-to-date SSP before undergoing a CMMC assessment.

Why Trust Us

At Business Transformation Institute, Inc. (BTI), we understand the complexities of CMMC regulations, including its physical security requirements. Our team members have extensive experience in implementing CMMC and advanced cybersecurity controls. We have Certified CMMC Assessors, Approved Training Providers, and Provisional Instructors authorized by The Cyber AB who can provide CMMC support. They know CMMC inside and out and are dedicated to sharing their knowledge and expertise with organizations to help them reach compliance goals strategically.

Contact BTI for Expert CMMC Guidance

Meeting CMMC security requirements takes more than installing a lock on the door. Compliance requires multiple steps, including identifying in-scope assets, documenting controls in your SSP, and running a gap assessment to determine vulnerabilities.

At BTI, we’ll meet you where you’re at, helping you determine and implement cost-effective, compliant security measures that support your existing infrastructure. With our CMMC consulting services, we can guide your organization through all the steps needed to prepare for a streamlined CMMC assessment. Additionally, we are authorized to conduct business at the highest levels of government sensitivity, so you can have peace of mind with our partnership.

Ready to prepare for your CMMC assessment with expert guidance? Contact us today.