Implementing physical security controls is a critical component of safeguarding sensitive information. The NIST physical and environmental protection (PE) domain focuses on physical safeguarding practices. The first practice (3.10.1) is foundational to securing your facility. You should identify non-public spaces containing sensitive information or equipment. Develop and maintain a list of individuals authorized to access these non-public spaces. Limit access to non-public areas to only those authorized individuals. Issue credentials to verify authorized individuals accessing non-public spaces. This blog will discuss the following topics around 3.10.1:

A Brief History

NIST finalized special publication (SP) 800-171 in 2015. NIST kept the practice number of 3.10.1 through the first and second revisions. NIST SP 800-171 Revision 3 has changed this requirement's number to 03.10.01.

The cybersecurity maturity model certification (CMMC) rule will verify SP 800-171 Rev 2. CMMC 1.02 numbered this practice PE.1.131 then PE.L1-3.10.1 under CMMC 2.0. This practice applies to organizations seeking compliance within any level of CMMC.

As of December 2023, CMMC 2.1 created two numbers for this practice:

  • CMMC Level 2 uses the label PE.L2-3.10.1. PE identifies the physical protection domain. L2 identifies the applicability to CMMC Level 2. 3.10.1 references the original number from NIST SP 800-171 Rev 2.

Practice Statement

NIST derived SP 800-171 basic security requirements from FIPS 200. Below is the original language from FIPS 200:

Image Source: FIPS 200

NIST split this into several practices within SP 800-171. The first part became 3.10.1:

Image Source: NIST SP 800-171

Assessment Objectives

NIST SP 800-171A provides assessment procedures for each practice. Procedures apply one of three methods to assessment objects. The three methods are examining artifacts, interviewing personnel, and testing mechanisms. An assessor checks each part to determine a finding. A satisfied finding means the implementation is acceptable. Any finding other than satisfied identifies one or more anomalies.

The assessment objectives for 3.10.1 contain four parts:

Image Source: NIST SP 800-171A

NIST SP 800-53 Mapping

Image Source: Table D-1 NIST SP 800-171

Appendix D maps SP 800-171 security requirements to SP 800-53 Rev 4 controls. This mapping relates 3.10.1 to PE-2, PE-4, PE-5 and PE-6. The mapping also suggests the same relationship exists for 3.10.2. Since NIST derived this practice from FIPS 200, mapping it to SP 800-53 is more challenging.

We mapped these four objectives to the closest SP 800-53A Rev 5 objectives. NIST IR 8477 guidance helped define the nature and strength of the relationships. The findings indicated that:

  • PE.L1-3.10.1(a) is equal to PE-02a.[01]
  • PE.L1-3.10.1(b) is equal to PE-03(01)[01]
  • PE.L1-3.10.1(c) is equal to PE-03(01)[02]
  • PE.L1-3.10.1(d) is equal to PE-03a.[01]
Image Source: NIST SP 800-171 vs 800-53 Crosswalk

Analysis of Discussion

The CMMC Assessment Guide includes supplemental guidance from SP 800-53 Rev 4 (PE-2 and PE-5). 

Physical Access Authorizations

The CMMC guide derived part of the discussion from the supplemental guidance for PE-2. 

Image Source: NIST SP 800-53 Rev 4 [PE-2]

Access Control for Output Devices

The CMMC assessment guide replaced the PE-5 references to output devices with equipment. The assessment guide also adds new examples to define equipment. These include computing devices, external disk drives, networking devices, and audio devices.

Image Source: NIST SP 800-53 Rev 4 [PE-5]

The CMMC Assessment Guide also provides a further discussion. This narrative includes actionable steps:

This addresses the company’s physical space. This includes their office, testing environments, equipment rooms, technical assets, and non-technical assets. Organizations should protect against unauthorized physical access. Limit access into specific environments to authorized employees. Control access with badges, electronic locks, physical key locks, etc.
Place output devices where their use does not expose data to unauthorized individuals. Develop and maintain lists of personnel with authorized access. Issue authorization credentials to personnel.

The CMMC Assessment Guide also provides an example:

You manage a DoD project that requires project team members to use special equipment [b,c]. You work with the facilities manager to put locks on the doors to the areas with this equipment [b,c,d]. You only issue project team members keys to the space. This restricts access to employees who work on the DoD project and need access to that equipment.

DoD Criticality

The NIST SP 800-171 DoD Assessment Methodology Version 1.2.1 assigns a 5-point value to this practice. Failing this practice may lead to data exfiltration or exploitation of the network. CMMC section 170.21(ii) removed this practice's eligibility for a limited deficiency. This practice aligns to the basic cybersecurity safeguards requirements of 52.204-21.

Scope of Applicability

NIST SP 800-53 Rev 5 appendix C discusses three implementation approaches:

  • (S) implemented by an information system through technical means
  • (O) implemented by an individual through nontechnical means
  • (O/S) implemented by an organization, system, or combination of the two

NIST defines the implementation of the corresponding SP 800-53 controls as:

  • PE-2 as (O) implemented by an individual through nontechnical means
  • PE-4 as (O) implemented by an individual through nontechnical means
  • PE-5 as (O) implemented by an individual through nontechnical means
  • PE-6 as (O) implemented by an individual through nontechnical means

The crosswalk suggests that 3.10.1 is an administrative control. We relate controls within the physical protection domain to facilities protecting sensitive information.

Inheritance

It is possible to inherit physical protection controls through external service providers. Organizations that limit sensitive information to cloud environments may categorize their own facilities as out of scope. Organizations evaluating an inheritance strategy for this practice should consider:

  • Does the external service provider have an authorization (FedRAMP or Equivalent)?
  • Do you have a shared responsibility matrix from the external service provider?
  • Has the organization implemented controls to prevent printing of sensitive information?
  • Has the organization verified no hard copy FCI exists within the facility?

If you are able to answer yes to these questions, you may inherit this practice. Inheritance for Level 2 may depend on the facility protecting Security Protection Assets. SPAs provide security functions or capabilities to the CMMC Assessment Scope. SPAs should meet all CMMC security requirements. Thus, the presence of SPAs requires adherence to physical protection practices.

Implementation

Maintain a list of individuals with authorized access to non-public facilities (a)

This requires first identifying an authority delegated to provide the approval. Document the approval for each individual granted access to the facility. This list should include individuals with permanent physical access authorization credentials and visitors. 

The act of maintaining the list involves updating approvals and access privileges. This may occur when individuals change roles. Organizations should have a process to remove access for individuals that leave. NIST SP 800-171 Rev 3 requires defining a period of time to review the access list. 

The FedRAMP Moderate baseline defines this period as every 90 days.

Define non-public areas of the facility 

Organizations should define the protected physical spaces of their facilities. This includes rooms, offices, and other environments containing sensitive information. Place equipment with access to sensitive information in these secured areas. Create a diagram showing categorization of public and non-public areas of each facility. NIST SP 800-116 Rev 1 provides a notional example of what a facility scoping boundary might look like.

Image Source: NIST SP 800-116 Rev 1

Limit access to non-public areas

Restrict access to these spaces using electronic or physical key locks. The National Defense Information Sharing and Analysis Center helps defense partners enhance security. The ND-ISAC shared a link to a video discussing physical security control methods. This video suggests several door access control mechanisms, including:

  • Conventional - lock and key
  • Deadbolt - physical bolt
  • Electronic - key-less
  • Token-based - magnetic swipe card or proximity reader
  • Biometric - hand, fingers, or retina
  • Multi-factor - smart card and PIN

Organizations should determine the strength of the credentials used to access non-public areas. NIST SP 800-116 Rev 1 describes a risk-based approach. NIST categorized security areas based on the number of authentication factors. Confidence of the individual’s identity increases with the number of authentication factors.

Image Source: NIST SP 800-116 Rev 1 Table ES-1  

At least one authentication factor should protect controlled areas. A single factor may include something you have or something you know. It may also include something unique about the individual, such as their biometrics. Using a second factor protects access to limited areas. Using all three factors provides the highest confidence of the individual’s identity. Organizations may nest perimeters to protect localized high-value assets. 

Issue authorization credentials for facility access

Authorization credentials may include ID badges, identification cards, and smart cards. Credentialing procedures should encompass enrollment, replacement, and termination. Organizations should create an auditable sequence of events by documenting credentialing activities.

Continuous Monitoring Tasks

A continuous monitoring task verifies that controls produce their desired outcome(s). The practice 3.10.1 has two desired outcomes:

  • Identify authorized individuals allowed physical access.
  • Limit physical access to organization systems, equipment, and operating environments.

Maintaining an authorized personnel access list documents individual approvals. The authorized personnel access list should detail:

  • Unique identifiers issued to the individual
  • Official who authorized the issuance of the credential
  • Information about the authorized individual
  • Non-public facilities approved for access

Policy Statements

Account Management

  • HR develops and maintains an authorized personnel access list
  • HR documents credentialing enrollment, replacement, and termination activities

Facility Security

  • Facility Management defines non-public spaces within the facilities
  • Facility Management limits access to non-public spaces to credentialed individuals

Proposed Rev 3 Changes

NIST SP 800-171 Rev 3 aligns 03.10.01 with PE-2 from SP 800-53 Rev 5. There are six parts and one organization-defined parameter within the updated practice:

  • ODP - Define the frequency at which to review the access list.
  • A[01] - Develop a list of individuals with authorized access to the physical location. 
  • A[02] - Approve a list of individuals with authorized access to the physical location.  
  • A[03] - Maintain a list of individuals with authorized access to the physical location. 
  • B - Issue authorization credentials for facility access.
  • C - Review the physical access list <A.03.10.01.ODP[01] frequency>. 
  • D - Remove individuals from the physical access list when access is no longer required.
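The access list fields under Continuous Monitoring Tasks and the Rev 3 review and removal objectives (C and D) lend themselves to a scheduled check. The following is an added example, not code from the original post or from K2 GRC; it assumes a hypothetical HR roster of active personnel, a Facility Management list of defined non-public areas, and the 90-day FedRAMP Moderate period as the ODP[01] value.

```python
from dataclasses import dataclass
from datetime import date

# ODP[01] assumption for this example: the 90-day review period of the FedRAMP Moderate baseline.
REVIEW_FREQUENCY_DAYS = 90

@dataclass(frozen=True)
class AccessEntry:
    credential_id: str    # unique identifier issued to the individual
    person: str           # information about the authorized individual
    authorized_by: str    # official who authorized issuance of the credential
    facilities: tuple     # non-public facilities approved for access
    last_reviewed: date   # date this entry was last reviewed

def check_access_list(entries, active_personnel, non_public_areas, as_of):
    """Return (credential_id, objective, detail) findings against Rev 3 objectives A, C and D.
    active_personnel is a hypothetical HR roster; non_public_areas is the set of areas
    Facility Management has defined."""
    findings, seen = [], set()
    for e in entries:
        if e.credential_id in seen:                        # A: identifiers must be unique
            findings.append((e.credential_id, "A", "duplicate unique identifier"))
        seen.add(e.credential_id)
        if not e.authorized_by:                            # A[02]: approval must be documented
            findings.append((e.credential_id, "A", "no approving official documented"))
        for area in e.facilities:                          # access only to defined non-public areas
            if area not in non_public_areas:
                findings.append((e.credential_id, "A", f"undefined area {area!r}"))
        overdue = (as_of - e.last_reviewed).days - REVIEW_FREQUENCY_DAYS
        if overdue > 0:                                    # C: periodic review of the list
            findings.append((e.credential_id, "C", f"review overdue by {overdue} days"))
        if e.person not in active_personnel:               # D: remove when no longer required
            findings.append((e.credential_id, "D", "individual no longer active; remove"))
    return findings

# Constructed sample data: one clean entry, one missing approval with a stale review,
# one separated employee holding access to an area never defined as non-public.
NON_PUBLIC_AREAS = frozenset({"Equipment Room 1", "Project Lab"})
ACTIVE_PERSONNEL = frozenset({"A. Example", "B. Example"})
SAMPLE_ENTRIES = [
    AccessEntry("BADGE-0001", "A. Example", "Facilities Mgr", ("Project Lab",), date(2024, 6, 1)),
    AccessEntry("BADGE-0002", "B. Example", "", ("Equipment Room 1",), date(2024, 3, 1)),
    AccessEntry("BADGE-0003", "C. Former", "Facilities Mgr", ("Server Closet",), date(2024, 6, 1)),
]

def sample_findings():
    """Run the check over the constructed sample as of 2024-07-01."""
    return check_access_list(SAMPLE_ENTRIES, ACTIVE_PERSONNEL, NON_PUBLIC_AREAS, date(2024, 7, 1))
```

Calling `sample_findings()` returns four findings: the missing approval and 32-day overdue review on BADGE-0002, and the undefined area plus separated individual on BADGE-0003.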

There is much greater emphasis on the authorized personnel access list. Six objectives trace back to the identification of authorized individuals allowed physical access. The crosswalk below shows the mapping of these requirements back to related parts of 3.10.1 from Revision 2:

Image Source: NIST SP 800-171 Rev 3 Crosswalk Calculator

Conclusion

This practice involves more than locking your doors. It also concerns where those doors are placed and who can unlock them. Establish non-public areas where sensitive information and equipment reside. Secure those areas to prevent unauthorized access. Review the list of authorized individuals on a scheduled frequency. Make changes to that list as individuals change roles or leave the organization. Issue credentials that verify the identity of authorized individuals. Determine the types of access control devices and credentials using a risk-based approach.
