PE.1.133 marks the third practice within the Domain, Physical Security, and Capability, Limit physical Access. Where the first two practices within PE were focused on limiting access to systems and individuals, this Practice focuses on the documentation process of how you limit access: Using audit logs. As the content below explains, it is not necessary to always use a written ledger to track sign-in’s and sign-out’s from your facility. These occurrences could also be tracked using a key card access log. On the other hand, your system is not required to be all digital. Your sign-in/sign-out process could be as simple as a sign-in/sign-out sheet at the entrance to your facility where visitors sign-in with their name and the date/time they entered the facility and sign out as they depart the facility. Here is the content (Page B-151 of the Appendix B, page 191 of the PDF) from CMMC V1.02, Appendix B:
PE.1.133 – Maintain Audit Logs of Physical Access
Discussion from Source: NIST SP 800-171, R2
Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural (e.g., a written log of individuals accessing the facility ), automated (e.g., capturing ID provided by a PIV card), or some combination thereof. Physical access points can include facility access points, interior access points to systems or system components requiring supplemental access controls, or both. System components ( e. g., work stations, notebook computers ) may be in areas designated as publicly accessible with organizations safeguarding access to such devices.
CMMC clarification
Make sure you have a record of who is accessing both your facility (e.g., office, plant, factory ) and your equipment. You can do this in writing by having employees and visitors sign in and sign out as they enter and leave your physical space, and by keeping a record of who is coming and going from the facility.
Example
You and your coworkers like to have friends and family join you for lunch at the office on Fridays. Your small company is growing, and sometimes it’s hard to know who is coming and going from the lunch area. You work with your boss, the company founder, and ask all non-employees to sign in at the reception area, then sign out when they leave. Employees can have badges or key cards that enable tracking and logging access to the company facilities.
We will move to the fourth Practice within the Domain Physical Security in our next entry.
Until then…
Mark Lupo, MBCP, SMP