Your Guide to CMMC L1 Physical Controls

To protect our nation from perilous cyber-attacks the Department of Defense (DoD) and other stakeholders created a cyber compliance model called the Cybersecurity Maturity Model Certification (CMMC). This certification process includes a total of five levels that increase in complexity and total in 171 security requirements to reach the maximum level of compliance. For most, it is only necessary to meet Level 1 certification through a trusted C3PAO, a Third-Party Assessor Organization. Each 3CPAO is authorized to assess and certify your organization by the CMMC Accreditation Body.

Level 1 (L1) is the first out of five levels in certification for CMMC. Unlike levels 2-5 that protect controlled unclassified information (CUI), L1 protects federal contract information (FCI). Level 1 certification is not a documented process like the additional four levels but does contain processes and practices performed in an ad hoc manner. L1 signifies an organization has secured “Basic Cyber Hygiene” for their environment. There are a total of 6 domains, 9 capabilities, and 35 practices in L1. Out of these 6 domains, there is one catered to physical security. This domain is Physical Protection (PE), which includes one capability and 4 practices for L1.

Physical Protection (PE) capability for L1 certification requires limiting physical access. All employees, visitors, or authorized users have some type of controlled and monitored entry access. All equipment is either put in a secure location or monitored based on authorized access. All the practices referenced in this blog are from documentation NIST SP 800-171, Rev 2.

Limit physical access (C028) practices include: 

  • PE.1.131 – Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals. 
  • PE.1.132 – Escort visitors and monitor visitor activity.  
  • PE.1.133 – Maintain audit logs of physical access. 
  • PE.1.134 – Control and manage physical access devices. 

Think about your physical space. It includes equipment like electronic devices, documents, networking devices, printers, computers, scanners, etc. All these items are vulnerable to theft and compromise your FCI. To protect them, you must have secure location practices set up with restricted access for employees and guests.  

There are many reasons you may have visitors on-site that have access to different equipment and monitoring their activities help keep your site secure. Anytime there is a guest allowed into your physical space there must be protocols in place and an audit log. An audit log allows you to monitor and document visitor activity.  

This part of the physical protection practice focuses on the actual documentation. Using audit logs is vital to meeting all the requirements in L1. There are options for how you want to audit, including digital or a simple sign-in and sign-out sheet, and of course the option of both. It is important to keep in mind that physical security and monitoring include facility access points and internal systems & system components.  

The last practice within the capability focuses on physical access devices including keys, locks, combinations, and card readers. This practice limits who can access physical equipment. 

GSec LLC is a trusted partner and an authorized third party that can help you navigate your way through your CMMC needs. Your cyber compliance is our top priority, and we are here to help guide you through your process. Check out some of our additional resources on CMMC and drop us a note with your questions so we can help you.  

Learn about what’s expected from you for CMMC certification

Understanding the Changing Landscape in Cybersecurity Compliance

Until recently, many government contractors working in the defense industrial base (DIB) were able to self-assess and verify the measures they were taking to be cyber compliant. Historically they had three levels of cybersecurity requisites to meet, and for the most part, were accepted off good merit. According to CMMC, DIB companies should continue to self-assess their cyber efforts, but they will also be required to report to Third Party Assessment Organizations (C3PAOs) for an official assessment and certification. Each carefully selected C3PAO has been vetted by a third-party organization, the CMMC-AB. This CMMC Accreditation Body will provide a neutral ground to help operationalize the CMMC through training, information resources, and accrediting all C3PAOs.  

The Defense Industrial Base (DIB) has suffered serious cybersecurity vulnerabilities in the last decade. It is estimated that the DIB loses up to 600 billion dollars a year in Controlled Unclassified Information (CUI) from IT networks and other information systems, not to mention the loss of trust that comes with it. With such susceptibility, the Department of Defense (DoD) has created a new cybersecurity framework and certification process. This new process, Cybersecurity Maturity Model Certification (CMMC) is set up to protect the entire DIB, and GSec LLC is prepared to answer your questions and provide you with CMMC information that will help guide you in your cyber compliance.  

As you may know, the DoD used conditions to the existing 110 security level requirements listed in DFARS 252.204-7012 and NIST 800-171 documentation. However, with the changes and the utilization of CMMC, there will now be extended security measures to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). There are a total of five levels in CMMC, with each increasing in complexity. While the first three levels that were already part of the cybersecurity plan mentioned above stay intact, there are now 171 security requirements in totality. Leveraging a trusted partner like GSec LLC to help you understand and navigate your CMMC process will help prepare you for your certification process.  

All the new measures put in place for DIB companies have both an economic and cultural effect. It may seem like a daunting task to meet the new required CMMC certifications, especially for a contractor who doesn’t fit into the world of IT. Additionally, this new CMMC action will impact nearly every sub-contractor in the ecosystem. Becoming educated and starting a cyber compliance process now will help you remain relevant in defense contracting and will allow for a more flexible cyber plan when your time comes to be certified.  

Ultimately, any organization that is planning to do business with the DoD must adhere to these new CMMC requirements which are already rolling out and due to be fully deployed by September 2025. Regardless of the decision to continue bidding on defense contracts, the idea of creating a more cyber-secure environment will only help improve your cyber ecosystem. The sense of urgency should intensify for any organization that wants to prevent cyber hazards and to maintain an impressive cyber plan. Any efforts taken to become compliant with new defense regulations will leave you more resilient and protected from any adversary.