
Have you ever wondered why CMMC Level 1 had 17 requirements but now only has 15? 

NIST SP 800-171 derived three requirements from this part of FIPS 200. The Federal Acquisition Regulation derived one practice from this part of FIPS 200. CMMC Level 1 now reverts to the FAR 52.204-21 basic requirements. This practice is still split into three requirements for CMMC Level 2. We elected to cover this group of requirements at the same time. This blog will discuss the following topics around 3.10.3, 3.10.4, and 3.10.5:

A Brief History

NIST finalized special publication (SP) 800-171 in 2015. NIST kept the practice numbers of 3.10.3, 3.10.4, and 3.10.5 through the first and second revisions. NIST SP 800-171 Revision 3 combines these requirements into 03.10.07.

The cybersecurity maturity model certification (CMMC) rule will verify SP 800-171 Rev 2. CMMC 1.02 numbered these practices PE.1.132, PE.1.133, and PE.1.134. CMMC 2.0 numbered these practices PE.L1-3.10.3, PE.L1-3.10.4, and PE.L1-3.10.5. These practices apply to organizations seeking compliance within any level of CMMC.

As of December 2023, CMMC 2.1 created two numbers for this practice:

  • CMMC Level 1 combines these three requirements into PE.L1-B.1.IX. Section b(ix) references the Federal Acquisition Regulation (FAR) clause 52.204-21.
  • CMMC Level 2 maintains three separate requirements. This includes PE.L2-3.10.3, PE.L2-3.10.4, and PE.L2-3.10.5. PE identifies the physical protection domain. L2 identifies the applicability to CMMC Level 2. 3.10.3, 3.10.4, and 3.10.5 reference the original numbers from NIST SP 800-171 Rev 2.

Practice Statement

NIST derived 3.10.3 from SP 800-53 Rev 4 (PE-3):

Image Source: NIST SP 800-53 [PE-3]

NIST split up this control into three practices within SP 800-171. Part (d) from PE-3 became the basis of 3.10.3. Part (b) became the basis of 3.10.4. NIST consolidated parts (e, f, and g) into 3.10.5.

Image Source: NIST SP 800-171

Assessment Objectives

NIST SP 800-171A provides a set of assessment procedures for each practice. Procedures apply three methods to assessment objects. These methods include examining artifacts, interviewing personnel, and testing mechanisms. An assessor will look at each part to determine a finding. Satisfied findings are acceptable implementations. Findings other than satisfied identify one or more anomalies.

The assessment objectives for 3.10.3 contain two parts:

Image Source: NIST SP 800-171A

The assessment objectives for 3.10.4 contain a single part:

Image Source: NIST SP 800-171A

The assessment objectives for 3.10.5 contain three parts:

Image Source: NIST SP 800-171A

NIST SP 800-53 Mapping

Appendix D maps SP 800-171 security requirements to SP 800-53 Rev 4. This mapping relates 3.10.3, 3.10.4, and 3.10.5 to PE-3. 

Image Source: Table D-1 NIST SP 800-171

We mapped these objectives to the closest SP 800-53A Rev 5 objectives. NIST IR 8477 guidance helped define the nature and strength of the relationships. The findings indicated that:

  • PE.L1-3.10.3(a) is equal to PE-03d.[01]
  • PE.L1-3.10.3(b) is a superset of PE-03d.[02] (moderate strength)
  • PE.L1-3.10.4(a) is a superset of PE-03b (strong relationship)
  • PE.L1-3.10.5(a) is a subset of PE-03f (strong relationship)
  • PE.L1-3.10.5(b) is a superset of PE-03e.[01], PE-03e.[02], and PE-03e.[03] (strong relationship)
  • PE.L1-3.10.5(c) is a superset of PE-03g.[01] and PE-03g.[02] (strong relationship)

Image Source: NIST SP 800-171 vs 800-53 Crosswalk

Analysis of Discussion

The CMMC Assessment Guide includes supplemental guidance from SP 800-53 Rev 4 (PE-3). 

Physical Access Control

The discussion for 3.10.3 includes a sentence derived from the supplemental guidance of PE-3. The CMMC Assessment Guide added the following narrative in support of escorting visitors:

Organizations may monitor visitor activity using audit logs.

The discussion for 3.10.4 also draws on the supplemental guidance of PE-3. The tailoring of the supplemental guidance did not change its scope or meaning.

The brief discussion for 3.10.5 comes from a sentence within the supplemental guidance of PE-3.

Image Source: NIST SP 800-53 Rev 4 [PE-3]

The CMMC Assessment Guide also provides a further discussion for each practice. The actionable steps for 3.10.3 include:

Do not allow visitors, even those people you know well, to walk around your facility without an escort. Make sure that all non-employees wear special visitor badges. Have an employee escort visitors at all times while on the property.

The further discussion for 3.10.4 reads:

Make sure you have a record of who accesses your facility (e.g., office, plant, factory). You can do this in writing by having employees and visitors sign in and sign out. You may also use electronic means such as badge readers. Whatever means you use, you need to keep the access records for the period that your company has defined.

The further discussion for 3.10.5 reads:

Identifying and controlling physical access devices is important. It is as important as monitoring and limiting who is able to access equipment. You should know who has them and what access they allow. Manage physical access devices using manual or automatic processes. This includes a list of who has what key, or updating the badge access system as personnel change roles.

The CMMC Assessment Guide also provides examples. The example provided for 3.10.3 states:

Coming back from a meeting, you see the friend of a coworker walking down the hallway near your office. You know this person well and trust them, but are not sure why they are in the building. You stop to talk, and the person explains that they are meeting a coworker for lunch. They cannot remember where the lunchroom is. You walk the person back to the reception area to get a visitor badge. You wait until someone can escort them to the lunch room [a]. You report this incident. The company decides to install a badge reader at the main door so visitors cannot enter without an escort [a].

The example provided for 3.10.4 states:

You and your coworkers like to have friends and family join you for lunch at the office on Fridays. Your company has signed a contract with the DoD. You now need to document who enters and leaves your facility. You work with the receptionist to ensure that all non-employees sign in at the reception area. They also sign out when they leave [a]. You keep those paper sign-in sheets in a locked filing cabinet for one year. Employees receive badges or key cards to track and log access to company facilities.

The example provided for 3.10.5 states:

You are a facility manager. A team member retired today and returned their company keys to you. The project they work on requires access to areas that contain equipment with FCI. You receive the keys and check your records against the serial numbers on the keys. You ensure retrieval of all keys, and mark each key returned [c]. 

DoD Criticality

The NIST SP 800-171 DoD Assessment Methodology Version 1.2.1 assigns a 1-point value for each practice. Failure may lead to a limited or indirect effect on the security of the network and its data. CMMC section 170.21(iii) removed this practice's eligibility for a limited deficiency. This practice aligns to the basic cybersecurity safeguards requirements of 52.204-21.

Scope of Applicability

NIST SP 800-53 Rev 5 appendix C discusses three implementation approaches:

  • (S) implemented by an information system through technical means
  • (O) implemented by an individual through nontechnical means
  • (O/S) implemented by an organization, system, or combination of the two

NIST defines the implementation of the corresponding SP 800-53 controls as:

  • PE-3 as (O) implemented by an individual through nontechnical means

The crosswalk suggests that 3.10.3, 3.10.4, and 3.10.5 are administrative controls. We related controls within the physical protection domain to facilities protecting sensitive information.

Inheritance

It’s possible to inherit physical protection controls through external service providers. Organizations limiting sensitive information to cloud infrastructure may categorize their own facilities as out of scope. Consider the following when evaluating an inheritance strategy for these practices:

  • Do the external service providers have authorizations (FedRAMP or Equivalent)?
  • Is there a shared responsibility matrix from the external service provider?
  • Has your organization implemented controls to prevent printing of sensitive information?
  • Has your organization verified no hard copy FCI exists within the facility?

You may inherit this practice if you’re able to answer yes to these questions. Level 2 inheritance may depend on the facility protecting Security Protection Assets. SPAs provide security capabilities or functions to the CMMC Assessment Scope. SPAs must meet all CMMC security requirements. The presence of SPAs requires adherence to physical protection practices.

Implementation

Enforce physical access authorizations

Identify the entry and exit points of the facility where the information system resides. Verify individual access authorizations before granting access to the facility. Control the flow into and out of the facility. Use physical access control devices or guards.

Maintain physical access audit logs

Audit logs should record which individuals accessed the facility and when that access occurred. Access control systems using access cards may automate the collection of these logs. Define how long you will retain the logs. The FedRAMP Moderate baseline suggests reviewing logs every month [PE-6(b)-1 and PE-8(b)]. The FedRAMP Moderate baseline suggests keeping visitor logs for a period of one year [PE-8(a)].

Escort visitors and monitor visitor activity

Prevent visitors from accessing non-public areas without an escort. Train staff assigned to escort visitors to identify security threats. Train general staff to report unaccompanied visitors in the facility. Individuals with permanent physical access authorizations are not considered visitors.

Inventory physical access devices

Physical access devices include keys, locks, combinations, biometric readers, and card readers. Specify a frequency to inventory physical access devices. The FedRAMP Moderate baseline suggests at least a yearly inventory [PE-3(f)-2].

Secure physical access devices

Change combinations and keys on a defined frequency. Change combinations and keys in response to lost keys or compromised combinations. Change combinations after transfer or termination of employees who know the combination. The FedRAMP Moderate baseline suggests a yearly change of combinations [PE-3(f)-2]. The baseline also recommends changing keys or combinations after a security-related event.

Control access to output devices

Output devices include monitors, printers, scanners, fax machines, audio devices, and copiers. Place output devices in locked rooms or other secured areas. Limit access to these areas to authorized individuals. When output devices must be located in public areas, have personnel keep watch over them. Use screen filters for monitors located in public areas. Use headphones for audio devices located in public areas.

Continuous Monitoring Tasks

A continuous monitoring task verifies that controls produce their desired outcome(s). Consider the following relevant outcomes of these practices:

  • Escort visitors and monitor their activity
  • Maintain audit logs of physical access
  • Identify, control, and manage physical access devices

Maintain an authorized personnel access list as a prerequisite to reviewing access logs. 

Review physical access logs to areas not accessible to the public. The FedRAMP Moderate baseline requires at least a monthly review of visitor logs. 

Update system component inventory to include physical access devices and output devices. The FedRAMP Moderate baseline requires updating the inventory monthly or when components change.

Develop and maintain a maintenance log that includes physical access devices. Change combinations or locks at a set frequency or following defined events. Document these changes in the maintenance log.

Policy Statements

Facility Security

  • Facility Management maintains audit logs of individuals accessing non-public spaces.
  • Facility Management ensures escorting of visitors at all times in non-public spaces.
  • Facility Management maintains an inventory of physical access control systems.
  • Facility Management manages physical access devices by:
    • Changing locks in response to lost keys
    • Changing combinations in response to compromised combinations
    • Changing combinations in response to transfer or termination of employees
  • Facility Management limits the placement of output devices to non-public spaces.

Proposed Rev 3 Changes

NIST SP 800-171 Rev 3 aligns 03.10.07 with PE-3 and PE-5 from SP 800-53 Rev 5. There are seven parts and one organization-defined parameter within the updated practice:

  • A[01] - Enforce physical access authorizations at entry and exit points. Verify individual physical access authorizations before granting access.
  • A[02] - Enforce physical access authorizations at entry and exit points. Control ingress and egress with physical access control systems, devices, or guards.
  • B - Maintain physical access audit logs for entry or exit points.
  • C[01] - Escort visitors.
  • C[02] - Control visitor activity.
  • D - Secure keys, combinations, and other physical access devices.
  • E - Control access to output devices to prevent unauthorized access to CUI.

The crosswalk below shows the mapping of this practice to related parts of 3.10.3, 3.10.4, and 3.10.5 from Revision 2:

Image Source: NIST SP 800-171 Rev 3 Crosswalk Calculator

Conclusion

These requirements supplement the practice of limiting physical access to authorized individuals. Enforcing physical access authorizations means verifying the identities of individuals accessing the facility. This may entail the use of physical access control devices. Establish a process to inventory these devices. Securing physical access control devices may involve changing combinations or locks. This should occur in response to lost keys or changes in personnel. Locate output devices, including printers or monitors, in non-public spaces. Maintaining access logs is foundational to establishing accountability, monitoring, and incident response capabilities. Escorting and monitoring visitors mitigates insider threats and safeguards sensitive information.
