• Ignyte CMMC Specialist


Physical security is normally just confined to data-centers and/or locations where IT is stored physically. However, it can also refer to where employees hang out and work.

Why hack into something when you can just walk in and take it? The path of least resistance is often preferred when attempting to steal something. Physical security is often overlooked because in this day and age, who is going to steal information through dumpster diving? There are several articles on the web about not letting your trash become someone else treasure.

So if you are managing CUI as a small company, you should practice the same controls you may have for managing ITARs environment physically. If you are a defense company, you are already familiar with the role of FSO (Facilities Security Officer). The FSO role normally ensures team members have proper security clearances through JPAS and they are also assigned maintenance of audit logs, physical access, etc.. These administrative checks behind your physical security program are more important than having someone physically monitor your environment through a camera system.

The last section (3.10.6) of this family also calls out safeguards for alternate worksites such as telework. Telework security after COVID-19 is going to be a critical issue in managing a remote and secure workforce.

Physical Protection

3.10.1 Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.

This requirement applies to organizational employees, individuals with permanent physical access authorization credentials, and visitors.

Authorization credentials include:

  • Badges

  • Identification cards

  • Smart cards

Organizations determine the strength of authorization credentials needed consistent with:

  • Applicable laws

  • Directives

  • Policies

  • Regulations

  • Standards Procedures

  • Guidelines

This requirement applies only to areas within facilities that have not been designated as publicly accessible.

Limiting physical access to equipment may include:

  • Placing equipment in locked rooms or other secured areas

  • Allowing access to authorized individuals only

  • Placing equipment in locations that can be monitored by organizational personnel

Equipment examples:

  • Computing devices

  • External hard disk drives

  • Networking devices

  • Monitors Printers

  • Copiers

  • Scanners, Facsimile machines

  • Audio Devices

3.10.2 Protect and monitor the physical facility and support infrastructure for those information systems.

Monitoring of physical access includes publicly accessible areas within organizational facilities.

Security safeguards applied to the support infrastructure prevent

  • Accidental damage

  • Disruption

  • Physical tampering eavesdropping

  • Modification of unencrypted transmissions.

Safeguards used to control physical access to support infrastructure include

  • Locked wiring closets

  • Disconnected or locked spare jacks

  • Protection of cabling by conduit or cable trays

  • Wiretapping sensors

3.10.3 Escort visitors and monitor visitor activity.

This requirement applies to employees and visitors.

Organizations determine the types of facility guards needed including, for example, professional security staff or administrative staff or system users.

Physical access control systems comply with applicable laws, Executive Orders, directives, policies, regulations, and standards.

Audit logs can be used to monitor visitor activity.

3.10.4 Maintain audit logs of physical access.

Organizations have flexibility in the types of audit logs employed.

Audit logs can be procedural, automated, or some combination thereof.

Physical access points can include facility access points, interior access points to systems or system components requiring supplemental access controls, or both.

3.10.5 Control and manage physical access devices.

Physical access devices include

  • Keys

  • Locks

  • Combinations

  • Card Readers

3.10.6 Enforce safeguarding measures for CUI at alternate worksites (e.g., telework sites).

Alternate work sites may include

  • Government facilities

  • Private residences of employees

Organizations may define different security requirements for specific alternate work sites or types of sites depending on the work-related activities conducted at those sites.

NIST Special Publications 800-46 and 800-114 provide guidance on enterprise and user security when teleworking.

For further Information and Demo, please contact us:

  • LinkedIn
  • Facebook
  • Twitter
  • Instagram
  • YouTube
  • Pinterest | 1.833.IGNYTE1 


Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Generic disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Gartner is a registered trademark and service mark of Gartner, Inc. and/or of its affiliates in the U.S. and internationally, and is used herein with permission. All rights reserved

Igntye © 2020 All Rights Reserved. Ignyte Assurance Platform, Privacy Policy and Terms of Service.