Your Guide to CMMC L1 Physical Controls

To protect our nation from perilous cyber-attacks the Department of Defense (DoD) and other stakeholders created a cyber compliance model called the Cybersecurity Maturity Model Certification (CMMC). This certification process includes a total of five levels that increase in complexity and total in 171 security requirements to reach the maximum level of compliance. For most, it is only necessary to meet Level 1 certification through a trusted C3PAO, a Third-Party Assessor Organization. Each 3CPAO is authorized to assess and certify your organization by the CMMC Accreditation Body.

Level 1 (L1) is the first out of five levels in certification for CMMC. Unlike levels 2-5 that protect controlled unclassified information (CUI), L1 protects federal contract information (FCI). Level 1 certification is not a documented process like the additional four levels but does contain processes and practices performed in an ad hoc manner. L1 signifies an organization has secured “Basic Cyber Hygiene” for their environment. There are a total of 6 domains, 9 capabilities, and 35 practices in L1. Out of these 6 domains, there is one catered to physical security. This domain is Physical Protection (PE), which includes one capability and 4 practices for L1.

Physical Protection (PE) capability for L1 certification requires limiting physical access. All employees, visitors, or authorized users have some type of controlled and monitored entry access. All equipment is either put in a secure location or monitored based on authorized access. All the practices referenced in this blog are from documentation NIST SP 800-171, Rev 2.

Limit physical access (C028) practices include: 

  • PE.1.131 – Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals. 
  • PE.1.132 – Escort visitors and monitor visitor activity.  
  • PE.1.133 – Maintain audit logs of physical access. 
  • PE.1.134 – Control and manage physical access devices. 

Think about your physical space. It includes equipment like electronic devices, documents, networking devices, printers, computers, scanners, etc. All these items are vulnerable to theft and compromise your FCI. To protect them, you must have secure location practices set up with restricted access for employees and guests.  

There are many reasons you may have visitors on-site that have access to different equipment and monitoring their activities help keep your site secure. Anytime there is a guest allowed into your physical space there must be protocols in place and an audit log. An audit log allows you to monitor and document visitor activity.  

This part of the physical protection practice focuses on the actual documentation. Using audit logs is vital to meeting all the requirements in L1. There are options for how you want to audit, including digital or a simple sign-in and sign-out sheet, and of course the option of both. It is important to keep in mind that physical security and monitoring include facility access points and internal systems & system components.  

The last practice within the capability focuses on physical access devices including keys, locks, combinations, and card readers. This practice limits who can access physical equipment. 

GSec LLC is a trusted partner and an authorized third party that can help you navigate your way through your CMMC needs. Your cyber compliance is our top priority, and we are here to help guide you through your process. Check out some of our additional resources on CMMC and drop us a note with your questions so we can help you.