Practice PE.L1-3.10.3 Details

From CMMC Toolkit Wiki
Revision as of 23:11, 23 February 2022 by Wikiadmin (talk | contribs) (Created page with "'''Source of Reference: The official [https://www.acq.osd.mil/cmmc/documentation.html CMMC Level 1 Self-Assessment Guide] from the Office of the Under Secretary of Defense Acquisition & Sustainment.''' For inquiries and reporting errors on this wiki, please [mailto:support@cmmctoolkit.org contact us]. Thank you. == PE.L1-3.10.3 – ESCORT VISITORS == === SECURITY REQUIREMENT === Escort visitors and monitor visitor activity. === ASSESSMENT OBJECTIVES === Determine if:...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Source of Reference: The official CMMC Level 1 Self-Assessment Guide from the Office of the Under Secretary of Defense Acquisition & Sustainment.

For inquiries and reporting errors on this wiki, please contact us. Thank you.

PE.L1-3.10.3 – ESCORT VISITORS

SECURITY REQUIREMENT

Escort visitors and monitor visitor activity.

ASSESSMENT OBJECTIVES

Determine if:

[a] visitors are escorted; and
[b] visitor activity is monitored.

POTENTIAL ASSESSMENT METHODS AND OBJECTS

Examine

[SELECT FROM: Physical and environmental protection policy;procedures addressing physical access control;system security plan;physical access control logs or records;inventory records of physical access control devices; system entry and exit points; records of key and lock combination changes; storage locations for physical access control devices;physical access control devices; list of security safeguards controlling access to designated publicly accessible areas within facility; other relevant documents or records].

Interview

[SELECT FROM: Personnel with physical access control responsibilities; personnel with information security responsibilities].

Test

[SELECT FROM: Organizational processes for physical access control; mechanisms supporting or implementing physical access control; physical access control devices].

DISCUSSION

Individuals with permanent physical access authorization credentials are not considered visitors. Audit logs can be used to monitor visitor activity.

FURTHER DISCUSSION

Do not allow visitors, even those people you know well, to walk around your facility without an escort. Make sure that all non-employees wear special visitor badges and/or are escorted by an employee at all times while on the property.

Example

Coming back from a meeting, you see the friend of a coworker walking down the hallway near your office. You know this person well and trust them, but are not sure why they are in the building. You stop to talk, and the person explains that they are meeting a coworker for lunch, but cannot remember where the lunchroom is. You walk the person back to the reception area to get a visitor badge and wait until someone can escort them to the lunch room [a]. You report this incident and the company decides to install a badge reader at the main door so visitors cannot enter without an escort [a].

Potential Assessment Considerations

  • Are personnel required to accompany visitors to areas in a facility with physical access to organizational systems [a]?
  • Are visitors clearly distinguishable from regular personnel [b]?
  • Is visitor activity monitored (e.g., use of cameras or guards, reviews of secure areas upon visitor departure, review of visitor audit logs) [b]?

KEY REFERENCES

  • FAR Clause 52.204-21 Partial b.1.ix
  • NIST SP 800-171 Rev 2 3.10.3