How to Meet NIST SP 800-171 & CMMC Physical Protection Requirements

There are six security controls from NIST SP 800-171 and CMMC level three related to physical protection.

Requirement: Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.

You need to document which personnel are authorized to have physical access to your facility. If you have multiple facilities you should document which personnel have access to which facility. By access, we mean being given a key or other physical access device to access a facility not visitor access. Provide personnel with a badge to indicate if they are authorized to access the facility.

You need to use physical security controls such as locked doors to limit access to your facilities to authorized personnel. Only provide physical access devices such as keys to authorized personnel. Limit physical access to your equipment such as servers, wiring closets, and other important infrastructure to authorized personnel. Designate areas of your facility as “sensitive” and only allow authorized persons into those areas. You can put up signs that read “Authorized Personnel Only”. Place printers, fax machines, and scanners in secured areas.

Requirement: Escort visitors and monitor visitor activity.

You need to require employees to sign in using a sign-in sheet/system when they first enter your facility. The sign-in sheet should collect their name, organization, date and time of entry and exit, and who their escort is. You need to provide all visitors with a badge indicating that they are a visitor. While the visitor is at your facility, they should be accompanied by an escort. We previously mentioned that you should designate areas of your facility as sensitive and put up signs reading “Authorized Personnel Only”. Your visitor may need to use the bathroom at your facility or eat lunch in the cafeteria, or sit in the lobby, because these areas are not designated as “sensitive” the visitor can use them without an escort while wearing their visitor badge.

Requirement: Maintain audit logs of physical access.

There are multiple ways of meeting this requirement. The cheap low tech way is to simply have a sign-in sheet at the entrance(s) to your facility. You can keep your visitor and employee sign-in sheets separate. Whenever an employee enters or exits the facility they will have to use the sign-in sheet. This can be annoying to employees and employees may not always use the sheet because of the inconvenience. Instead you can use a keycard access system. The system will log all entries and exits from the facility along with which card was used to enter or exit. Make sure that whatever keycard access system you select has the capability to collect access logs. You should retain these physical access logs whether it is a sign-in sheet or electronic logs for at least three months. This retention period can be modified for your organization's needs.

Requirement: Control and manage physical access devices.

You need to maintain an inventory of all physical access devices (e.g., keys and key cards) that grant access to your facility and other secured areas (e.g., server room or wiring closet). Document which person has been given which physical access device including the date it was given to them and the date they turned it in. Only provide physical access devices to personnel who require regular access to your facility and are employed by your organization. Most remote employees do not need to be provided with physical access devices and only personnel with a valid business-need should have physical access devices that open server rooms, wiring closets, and other areas where sensitive equipment is kept. You need to collect physical access devices from terminated personnel.

Requirement: Protect and monitor the physical facility and support infrastructure for organizational systems.

The cheapest way to monitor physical access to your facility is using surveillance cameras. Other methods include hiring a security guard or using sensors however surveillance cameras are sufficient to meet the monitoring requirement in this security control.

To protect the physical facility you need to lock all entrances and exits to your facility including doors and windows. You need to lock server rooms, wiring closets, and other areas where support infrastructure such as power controls are located. You need to ensure that your server room is tidy, meaning that cables are properly secured so that they do not accidentally get unplugged by someone tripping over them.

Requirement: Enforce safeguarding measures for CUI at alternate work sites.

Alternate worksites refer to employee homes and client sites. You need to ensure that your CUI is protected at these alternate worksites. This can be accomplished by providing remote employees with encrypted laptops, preventing them from being able to print out documents (not a requirement), and making sure that their laptops have the same security requirements that regular company laptops have.