Level 5 CMMC - CMMC Practices

PE.1.133

Reference: CMMC 1.02

Family: PE

Level Introduced: 1

Practice:
Maintain audit logs of physical access.

CMMC Clarification:
Make sure you have a record of who is accessing both your facility (e.g., office, plant, factory) and your equipment. You can do this in writing by having employees and visitors sign in and sign out as they enter and leave your physical space, and by keeping a record of who is coming and going from the facility.

Example:
You and your coworkers like to have friends and family join you for lunch at the office on Fridays. Your small company is growing, and sometimes it’s hard to know who is coming and going from the lunch area. You work with your boss, the company founder, and ask all non-employees to sign in at the reception area, then sign out when they leave. Employees can have badges or key cards that enable tracking and logging access to the company facilities.

3.10.4

Maintain audit logs of physical access.

Discussion:
Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural (e.g., a written log of individuals accessing the facility), automated (e.g., capturing ID provided by a PIV card), or some combination thereof. Physical access points can include facility access points, interior access points to systems or system components requiring supplemental access controls, or both. System components (e.g., workstations, notebook computers) may be in areas designated as publicly accessible with organizations safeguarding access to such devices.

Source: NIST Special Publication 800-171 Rev. 2

PE-3

PHYSICAL ACCESS CONTROL

Description:
The organization:
    a. Enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system resides] by:
        1. Verifying individual access authorizations before granting access to the facility; and
        2. Controlling ingress/egress to the facility using [Selection (one or more): [Assignment: organization-defined physical access control systems/devices]; guards];
    b. Maintains physical access audit logs for [Assignment: organization-defined entry/exit points];
    c. Provides [Assignment: organization-defined security safeguards] to control access to areas within the facility officially designated as publicly accessible;
    d. Escorts visitors and monitors visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and monitoring];
    e. Secures keys, combinations, and other physical access devices;
    f. Inventories [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and
    g. Changes combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated.

Supplemental Guidance:
This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Organizations determine the types of facility guards needed including, for example, professional physical security staff or other personnel such as administrative staff or information system users. Physical access devices include, for example, keys, locks, combinations, and card readers. Safeguards for publicly accessible areas within organizational facilities include, for example, cameras, monitoring by guards, and isolating selected information systems and/or system components in secured areas. Physical access control systems comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. The Federal Identity, Credential, and Access Management Program provides implementation guidance for identity, credential, and access management capabilities for physical access control systems. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural (e.g., a written log of individuals accessing the facility and when such access occurred), automated (e.g., capturing ID provided by a PIV card), or some combination thereof. Physical access points can include facility access points, interior access points to information systems and/or components requiring supplemental access controls, or both. Components of organizational information systems (e.g., workstations, terminals) may be located in areas designated as publicly accessible with organizations safeguarding access to such devices. Related controls: AU-2, AU-6, MP-2, MP-4, PE-2, PE-4, PE-5, PS-3, RA-3.

Source: NIST Special Publication 800-53 Rev. 4

Source: CMMC v1.02