How should I handle Physical Protection [PE]

old.reddit.com / u/MiniFridge101, https://old.reddit.com/user/MiniFridge101

I am working at a very small DoD subcontracting company with 13 employees, only 5 of which work out of our office. I am curious how hardcore I need to go with our security to pass the CMMC audit.

The office has a compact layout with one main door in the center and a second door on the other side, which open up onto 5 tight rooms. It is located in a medium-sized building with 10ish other small businesses. There is a server closet, and we store barely any physical documents.

3.10.1, Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals.

  • Is it enough to have a code lock on the doors? We have a key lock on the server room and locked file cabinets in case we would ever have physical CUI documents.

3.10.2, Protect and monitor the physical facility and support infrastructure for organizational systems.

  • The company that we rent our office from has almost no security. During business hours it is fully open with no one watching the doors. I assume we need cameras watching our two doors from the outside, but do we also need anything inside?

3.10.3, Escort visitors and monitor visitor activity.

  • We never have visitors, but I will write up a policy for how to handle it (including escorting and monitoring).

3.10.4, Maintain audit logs of physical access.

  • Because we use a code lock and not any sort of badge, this may be a problem. Will we need to switch to some sort of lock that can track who gains access?

3.10.5, Control and manage physical access devices.

  • This I am unsure on. I assume that if we were to switch to badges, this would then apply to keeping track of those badges and who has them, but if we do not, would this all be "Not Applicable"?

3.10.6, Enforce safeguarding measures for CUI at alternate work sites.

  • I am also unsure on this. Most of our employees currently do work offsite at large companies like NASA and Boeing. Would this requirement be met by pointing to the security practices of those companies?

Thank you so much if anyone was willing to read through all of this and provide me with any amount of guidance.


published about 6 hours ago