Level 5 CMMC - CMMC Practices


Reference: CMMC 1.02

Family: PE

Level Introduced: 2

Protect and monitor the physical facility and support infrastructure for organizational systems.

CMMC Clarification:
Make sure that the infrastructure inside of your facility, such as power and network cables, is protected so that visitors and employees cannot access it. The protection also has to be monitored. This can be done with security guards, video cameras, sensors and alarms.

You are responsible for protecting your organization’s IT facilities. You install video monitoring at each entrance and exit. You also make sure there are secure locks on all entrances and exits to the facilities.


Protect and monitor the physical facility and support infrastructure for organizational systems.

Monitoring of physical access includes publicly accessible areas within organizational facilities. This can be accomplished, for example, by the employment of guards; the use of sensor devices; or the use of video surveillance equipment such as cameras. Examples of support infrastructure include system distribution, transmission, and power lines. Security controls applied to the support infrastructure prevent accidental damage, disruption, and physical tampering. Such controls may also be necessary to prevent eavesdropping or modification of unencrypted transmissions. Physical access controls to support infrastructure include locked wiring closets; disconnected or locked spare jacks; protection of cabling by conduit or cable trays; and wiretapping sensors.

Source: NIST Special Publication 800-171 Rev. 2



The organization:
    a. Monitors physical access to the facility where the information system resides to detect and respond to physical security incidents;
    b. Reviews physical access logs [Assignment: organization-defined frequency] and upon occurrence of [Assignment: organization-defined events or potential indications of events]; and
    c. Coordinates results of reviews and investigations with the organizational incident response capability.

Supplemental Guidance:
Organizational incident response capabilities include investigations of and responses to detected physical security incidents. Security incidents include, for example, apparent security violations or suspicious physical access activities. Suspicious physical access activities include, for example: (i) accesses outside of normal work hours; (ii) repeated accesses to areas not normally accessed; (iii) accesses for unusual lengths of time; and (iv) out-of-sequence accesses. Related controls: CA-7, IR-4, IR-8.

Source: NIST Special Publication 800-53 Rev. 4

Source: CMMC v1.02