
(Just FYI: This post is intended to help familiarize your business with information related to CMMC certification. Always check with your Certified Third-Party Assessment Organization (C3PAO) to ensure any changes you make align with necessary compliance standards!)
Manufacturers seeking contracts with the Department of Defense (DoD) must meet stringent security protocols to align with CMMC requirements, including clear documentation of steps they take to maintain physical security at facilities.
CMMC – Cybersecurity Maturity Model Certification – is a program implemented by the DoD and based on the controls in NIST SP 800-171 guidelines to ensure that any manufacturing contractors and subcontractors are taking clear and well-documented steps to safeguard governmental data, including Controlled Unclassified Information (CUI).
While the primary focus of CMMC compliance naturally lies in cybersecurity and digitally protecting the information your business collects, stores, and transmits, there are also specific CMMC Physical Protection (PE) requirements, and you should take concrete steps to physically secure any sensitive government information you handle.
These rules include procedures for restricting physical access to areas where you store CUI, documenting authorized access to secure areas via tools like key fobs and badge readers, and ensuring that all facility visitors are escorted throughout your premises so they cannot see or steal sensitive information during their visit.
Your company must have a clear and well-documented process for each Physical Security control if you want to achieve full CMMC certification and secure government contracts. Here are 10 concrete steps you can take to begin meeting each PE requirement:
1. Identify Your CUI
The first step to meeting Physical Security protocols for CUI is identifying all areas and devices within your facility that handle any in-scope CUI data. This will go beyond just data servers or hard drives:
- Do you need to show any CUI on production floor screens?
- Will you be printing drawings or documents containing CUI, and are those printers in a secure area or accessible to anyone in the building?
- Are there specific production areas within the facility where employees handle printed drawings with CUI?
Conducting a thorough review of any physical spots where you could find CUI before moving on to step 2 will ensure nothing falls through the cracks when assessors arrive.
2. Consolidate CUI
Once you’ve identified any CUI your business handles and must protect, consolidate where that data is stored and can be accessed. The smaller the area where your business uses CUI, the easier it is to build a physical security system.
For example, if you need screens projecting drawings with CUI for production, consider placing all of those screens in the same internal room where you can limit access and ensure visitors can’t inadvertently see that protected information. If you have employees who work at remote sites or from home and need to access CUI on their devices, you will need protocols to encrypt and track the use of any off-site devices.
3. Limit Physical Access to Any CUI
Once you have outlined a specific area where your facility handles CUI, document the procedures your company will take to physically secure that area within your facility. This could mean requiring badges or special keys to enter CUI areas or employee policies to lock all protected documents inside a specific cabinet at the end of each day.
You’ll need a clearly outlined access policy to present to assessors that shows you’ve taken every necessary step to ensure only authorized and trained employees can obtain CUI within your facility.
4. Document Access Tools
Once you have outlined the secure areas where your facility will handle CUI and the methods you use to protect them—whether key fobs, badges, or code locks—you need clear processes for distributing and tracking those access methods: keep precise documentation of which employees have what keys, protocols for retrieving or deactivating keys or codes in case of employee turnover, or two-factor methods for cycling lock codes to sensitive areas.
5. Log Secure Area Entry and Exits
Securing sensitive areas with locks and monitors isn’t enough — CMMC also requires a comprehensive audit log of anyone who has accessed protected CUI areas, the amount of time they were there, and the reason they needed that access. Whether that means providing authorized employees with trackable RFID badges or unique lock codes, you need to know precisely which employees were in a server room at a specific time and that they had a valid reason to be in contact with sensitive government data.
Using a visitor management system (VMS) to require digital check-in at key access points within your facility, like front desks and loading docks, helps build an audit log of who has entered your facility, the purpose of their visit, and the time of their departure. If you have a designated CUI area, create a second layer of protection by placing that digital check-in at the entrance for that area.
6. Implement Identification Verification
While you can log the unique use of key fobs and employee codes, you will also need a way to visually verify that people using those access tools are who they say they are and prevent bad actors from infiltrating your facility’s CUI areas. Required photo badges and biometric scanners help your employees quickly confirm that everyone dealing with CUI is authorized. Setting up a secure video monitoring system around the doors and access points for sensitive areas also helps confirm an auditable record of employee access for CMMC assessors.
7. Track Any Changes to Your Access System
Does your access control system maintain a record of who accesses or changes the software? You will need a secure record of that system, including lock codes, security cameras, facility visit logs, and any new changes to people who can view or change settings. Implement stringent access controls like SSO and multi-factor authentication, and choose access management software that requires anyone making edits to input a unique employee code so you can directly trace any new protocols.
8. Define Unique Visitor Types and Access Protocols
Certain non-personnel, including maintenance and janitorial workers, will need to visit your facility regularly. Define these types of visitors and ensure transparent processes are in place to handle their access to sensitive areas. You may require employees to set trash outside protected rooms at certain times or set a schedule to supervise cleaning staff at all times. Maintenance contractors who work on non-protected servers or production lines will not need the same clearance or training as those who do.
9. Escort Procedures
Non-authorized personnel will need to visit your facility and, per CMMC protocols, must be escorted at all times when they are on your premises. Anyone your business has not extensively vetted ahead of time should be viewed as a potential security risk and threat to your information safety procedures.
Marking visitors and non-authorized personnel clearly with badges helps ensure they cannot access secure areas inside your facility. In the rare case that they may end up unattended, this quickly alerts your staff to the security vulnerability and the need to assign them a supervisor. A digital visitor management system (VMS) can help save your employees’ time and automate the badge printing process using the information guests provide when they access your facility. You can set up your VMS to print different badges for authorized contractors vs. visitors, so you know exactly who should have an escort in a single glance.
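As an added example (not code from the post or from Receptful), here is the kind of check an assessor would expect the access records from "Document Access Tools", "Log Secure Area Entry and Exits", and "Escort Procedures" to support, run over a constructed badge-reader log for a single CUI room: a badge used after it was deactivated on turnover, a visitor entering with no employee badged in alongside them, and entries with no recorded exit. The badge IDs, holders, and five-minute escort window are assumptions.

```python
from datetime import datetime, timedelta

ESCORT_WINDOW = timedelta(minutes=5)  # assumed policy: escort badges in within 5 min of the visitor

# Constructed badge register: credential holder, role, and deactivation time (None = active).
BADGES = {
    "B100": {"holder": "a.nguyen", "role": "employee", "deactivated": None},
    "B101": {"holder": "r.patel", "role": "employee", "deactivated": "2024-03-01T00:00:00"},
    "V200": {"holder": "hvac-contractor", "role": "visitor", "deactivated": None},
}

# Constructed reader events for one CUI room: (timestamp, badge, event).
LOG = [
    ("2024-03-04T08:00:00", "B100", "entry"),
    ("2024-03-04T08:02:00", "V200", "entry"),   # visitor; escort badged in 2 minutes earlier
    ("2024-03-04T09:30:00", "V200", "exit"),
    ("2024-03-04T09:31:00", "B100", "exit"),
    ("2024-03-04T13:00:00", "B101", "entry"),   # badge deactivated on 03-01 after turnover
    ("2024-03-04T17:00:00", "V200", "entry"),   # visitor with nobody else badged in
]

def _ts(s):
    return datetime.fromisoformat(s)

def audit(log, badges):
    """Return (kind, badge, timestamp) findings for the three conditions above."""
    findings = []
    events = sorted(((_ts(t), b, e) for t, b, e in log), key=lambda x: x[0])
    # Only active employee badges count as potential escorts.
    employee_entries = [t for t, b, e in events
                        if e == "entry" and badges[b]["role"] == "employee"
                        and badges[b]["deactivated"] is None]
    open_entries = {}  # badge -> time of entry not yet matched by an exit
    for t, badge, event in events:
        info = badges[badge]
        if info["deactivated"] and t >= _ts(info["deactivated"]):
            findings.append(("deactivated_badge_use", badge, t.isoformat()))
        if event == "entry":
            if info["role"] == "visitor" and not any(
                    abs(t - et) <= ESCORT_WINDOW for et in employee_entries):
                findings.append(("unescorted_visitor", badge, t.isoformat()))
            open_entries[badge] = t
        elif event == "exit":
            open_entries.pop(badge, None)
    for badge, t in sorted(open_entries.items(), key=lambda kv: kv[1]):
        findings.append(("no_exit_recorded", badge, t.isoformat()))
    return findings

if __name__ == "__main__":
    for finding in audit(LOG, BADGES):
        print(*finding)
```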
10. Build a Role-Based Training Program
Once you have a well-defined outline of all the types of employees and visitors who may enter your facilities, it’s time to establish a role-based training program for each type of personnel that outlines information security responsibilities for each role.
Any employee directly handling CUI will need to undergo the specific mandatory DoD CUI training course. However, you must also consider personnel who may still need access to sensitive areas while not dealing directly with CUI. While they won’t need the same stringent training, you must provide them with guidelines on protecting access methods (fobs, badges, etc.) and ensuring CUI cannot physically leave the premises.
Ready to take concrete steps towards maintaining CMMC Physical Security protocols to achieve certification and lucrative government contracts? If you’re still relying on paper logbooks and outdated processes to track visitors and access at your facility, you risk failing key protocols. Receptful is a digital solution that helps global enterprise manufacturers secure access points and monitor employees and guests across all of their facilities.
Join an upcoming product tour to see how Receptful can help your business meet key CMMC Physical Security protocols by digitally logging every individual who enters and exits your facilities, ensuring necessary visitors receive documented escorts, printing custom badges, and more.