CMMC Practice PE.L1-3.10.1 – Limit Physical Access: Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
Links to Publicly Available Resources
This document provides assessment guidance for Level 1 of the Cybersecurity Maturity Model Certification (CMMC). This SANS whitepaper provides a broad overview of the importance of physical security as it intersects with cybersecurity. This example policy from the State of Michigan provides guidance for personnel for the protection of Criminal Justice Information (CJI). This video give a brief introduction to various physical security control methods that can be deployed in your environment.
Discussion [NIST SP 800-171 R2]
This requirement applies to employees, individuals with permanent physical access authorization credentials, and visitors. Authorized individuals have credentials that include badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed consistent with applicable laws, directives, policies, regulations, standards, procedures, and guidelines. This requirement applies only to areas within facilities that have not been designated as publicly accessible.
Limiting physical access to equipment may include placing equipment in locked rooms or other secured areas and allowing access to authorized individuals only, and placing equipment in locations that can be monitored by organizational personnel. Computing devices, external disk drives, networking devices, monitors, printers, copiers, scanners, facsimile machines, and audio devices are examples of equipment.
Further Discussion
This addresses the company’s physical space (e.g., office, testing environments, equipment rooms), technical assets, and non-technical assets that need to be protected from unauthorized physical access. Specific environments are limited to authorized employees, and access is controlled with badges, electronic locks, physical key locks, etc.
Output devices, such as printers, are placed in areas where their use does not expose data to unauthorized individuals. Lists of personnel with authorized access are developed and maintained, and personnel are issued appropriate authorization credentials.