CMMC Level 1 certification in 17 steps

In this CMMC Level 1 certification article, we address two security domains that are applicable to CMMC Level 1 certification (for v2.0), namely Physical Protection (PE) and Media Protection (MP). Check out Cyber AB’s CMMC guidelines for further information here.



Have you read the CMMC Level 1 Certification Steps (Part 1)? Read it here

What are the CMMC Level 1 certification requirements for MP and PE domains?

MP.L1-3.8.3: Media Disposal

Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.

Consideration factors:

Contractors seeking CMMC Level 1 certification should be able to answer “Yes” to the following question:

Is all managed data storage erased, encrypted, or destroyed using mechanisms to ensure that no usable data is retrievable?

Expectations to meet this requirement:

Any media containing FCI, such as computer hard drives, mobile devices, flash drives, CDs/DVDs, and paper documents, must be erased, cryptographically erased, shredded, or destroyed before it is disposed of, recycled, or released for reuse. Be prepared to demonstrate the process showing that one of the accepted sanitization methods is used in the organization (NIST SP 800-88 is the reference for which method suits which media type):

  1. Crushing or otherwise physically destroying the media
  2. Cryptographic erase: the media was encrypted with a strong key or passphrase (16+ characters), and that key is then destroyed so the ciphertext is unrecoverable. Encryption with the key still in existence is not sanitization.
  3. Overwriting the data with a sanitization tool and verifying the overwrite. A single pass is sufficient for modern magnetic drives; overwriting cannot be relied on for SSDs and flash media, which should be sanitized with the drive’s built-in secure-erase/sanitize command or destroyed.
  4. Degaussing magnetic media (ineffective on SSDs and flash)
  5. Shredding documents and CDs/DVDs with cross-cut shredders
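As an added illustration (not from the original article or from Linqs), here is the overwrite-and-verify step a contractor could use to demonstrate the overwrite method and produce the evidence an assessor asks for. It runs against a constructed file-backed image in a temporary directory rather than a real drive; the asset tag, the sample FCI payload and the record fields are assumptions made for the demonstration. On real hardware you would run it against the block device node, and for SSD/flash media you would use the drive’s own secure-erase/sanitize command or destroy the media, because overwriting does not reach remapped or over-provisioned cells.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

BLOCK = 4096  # write and verify in 4 KiB blocks


def make_sample_media(path: str, size: int = 64 * 1024) -> None:
    """Create a constructed, file-backed stand-in for a drive image holding FCI.

    The payload string is invented for this demonstration; it is not real contract data.
    """
    payload = b"FCI: constructed sample delivery schedule for demo contract\n"
    with open(path, "wb") as f:
        written = 0
        while written < size:
            chunk = (payload + os.urandom(BLOCK - len(payload)))[: size - written]
            f.write(chunk)
            written += len(chunk)


def _fill(pattern: bytes) -> bytes:
    """Expand a byte pattern to exactly one block."""
    return (pattern * (BLOCK // len(pattern) + 1))[:BLOCK]


def overwrite_media(path: str, pattern: bytes = b"\x00") -> int:
    """Single-pass overwrite with a fixed pattern (NIST SP 800-88 'Clear' for magnetic media).

    Returns the number of bytes written. flush + fsync push the data through the page cache
    so the verification below reads what is on the medium, not what is cached.
    """
    size = os.path.getsize(path)
    fill = _fill(pattern)
    with open(path, "r+b") as f:
        remaining = size
        while remaining > 0:
            n = min(BLOCK, remaining)
            f.write(fill[:n])
            remaining -= n
        f.flush()
        os.fsync(f.fileno())
    return size


def verify_overwrite(path: str, pattern: bytes = b"\x00") -> bool:
    """Read the whole image back and confirm every byte matches the pattern.

    A full read rather than sampling: sampling can miss a block that was never rewritten.
    """
    fill = _fill(pattern)
    with open(path, "rb") as f:
        while True:
            chunk = f.read(BLOCK)
            if not chunk:
                return True
            if chunk != fill[: len(chunk)]:
                return False


def sanitize_with_record(path: str, asset_tag: str) -> dict:
    """Overwrite, verify, and return a sanitization record: the evidence an assessor asks to see."""
    with open(path, "rb") as f:
        before_hash = hashlib.sha256(f.read()).hexdigest()
    written = overwrite_media(path)
    return {
        "asset_tag": asset_tag,
        "method": "overwrite-1pass-0x00",
        "bytes_written": written,
        "verified": verify_overwrite(path),
        "pre_sanitization_sha256": before_hash,
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
    }


def demo() -> dict:
    """Run the procedure on a constructed image in a temporary directory and return the record."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "laptop-0001.img")
        make_sample_media(path)
        with open(path, "rb") as f:
            fci_before = b"FCI:" in f.read()
        record = sanitize_with_record(path, "LAPTOP-0001")  # asset tag is a made-up example
        with open(path, "rb") as f:
            fci_after = b"FCI:" in f.read()
    record["fci_present_before"] = fci_before
    record["fci_present_after"] = fci_after
    return record


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The record (asset tag, method, bytes written, verification result, timestamp) is what goes into the sanitization log that an assessor reviews; the pre-sanitization hash ties the record to the specific image that was wiped. The verification reads every block rather than a sample, because a sanitization claim is only as good as the check behind it.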

PE.L1-3.10.1: Limit Physical Access

Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.

Consideration factors:

Contractors seeking CMMC Level 1 certification should focus on physical access to the facility, machines, equipment, and system components that store, process, or generate FCI.

Expectations to meet this requirement:

  1. A list of personnel, including contractors and vendor employees, who are authorized to access your facility is maintained, and facility access credentials are issued only to those on the list.
  2. The areas where FCI is handled are identified and marked accordingly.
  3. Physical security protection methods are in place, such as guards, locks, cameras, and card readers, to limit access to sensitive areas. Only identified and authorized individuals can enter, using their own badges, key cards, or keys.
  4. FCI processing/handling machines (computers, laptops, operating machines, servers, network appliances) and printers are all located inside the protected areas. If a printer sits outside the secured area, a print job must be released by an authorized person after they authenticate at the printer (i.e., on-demand pull printing, with the job held encrypted until release). No FCI should be sent for immediate printing to a printer outside the protected area.
  5. Doors to protected/secure areas are self-closing and self-locking.
  6. No network wiring passes through unsecured areas.

PE.L1-3.10.3: Escort Visitors

Escort visitors and monitor visitor activity.

Consideration factors:

Contractors seeking CMMC Level 1 certification should be able to answer “Yes” to the following questions:

  1. Are personnel required to accompany visitors to areas in a facility with physical access to organizational systems?
  2. Are visitors clearly distinguishable from regular personnel?
  3. Is visitor activity monitored (e.g., use of cameras or guards, reviews of secure areas upon visitor departure, review of visitor audit logs)?

Expectations to meet this requirement:

  1. Demonstrated process of visitors being escorted.
  2. Visitors are given a different color or type of badge to distinguish them, and their use of the badge is enforced.
  3. A visitor log exists that captures the necessary information, such as the visitor’s name, contact information, company, the name of the person visited, and time in/out.
  4. Visitor activity is further monitored with cameras and/or guards.

PE.L1-3.10.4: Physical Access Logs

Maintain audit logs of physical access.

Consideration factors:

You should be in a position of answering “Yes” for the following questions:

  1. Are logs of physical access to sensitive areas (both authorized access and visitor access) maintained per retention requirements?
  2. Are visitor access records retained for as long as required?

Expectations to meet this requirement:

  1. A visitor log exists that captures, at minimum, the visitor’s name, company, the name of the person visited, and time in/out. Visitor logs are retained per the company record retention policy, which should typically be not less than one year.
  2. In addition to visitor access, all entries to secure areas are logged by the access control devices (badge readers, electronic locks), and those logs are retained in a secure location for the retention period.

PE.L1-3.10.5: Manage Physical Access

Control and manage physical access devices.

Consideration factors:

You should be in a position of answering “Yes” for the following questions:

  1. Is the inventory of physical access devices maintained (e.g., keys, facility badges, key cards)?
  2. Is access to physical access devices limited (e.g., granted to, and accessible only by, authorized individuals)?
  3. Are physical access devices managed (e.g., revoking key card access when necessary, changing locks as needed, maintaining access control devices and systems)?

Expectations to meet this requirement:

  1. An inventory of physical access devices, such as keys, badges, and key cards.
  2. A secure location for keys, badges, and keycards where access is authorized only to identified persons.
  3. A process outlining how access devices are maintained and updated, how often, and what happens when a holder leaves. Electronic key cards are preferable to physical keys because a card can be revoked immediately when an employee or contractor leaves, whereas a lost or unreturned key means the lock must be re-keyed.

CMMC Level 1 Certification Steps (Part 3)? Read it here

Linqs offers comprehensive CMMC Level 1 assessment services
