Eating the CMMC Elephant: Physical Security Controls

Bite-sized steps to build strong physical security for CMMC compliance


By Melissa McCoy, Chief Information & Security Officer – CISSP-ISSAP, CCSP, RP

Understanding CMMC Physical Security Controls

Of the many non-technical controls in NIST SP 800-171, the physical security controls are the most obvious. Whether you work from a corporate office or a home office, the controls are the same:

  • Maintain a visitor log for anyone meeting you for business. Record their name, date, company, time in and out, and who they visited.
  • Store sensitive information in a lockable desk drawer, file cabinet, or safe.
  • Keep systems (firewalls, routers, switches, and servers) in a locked closet or rack. At home, do not leave network equipment out in the open where anyone can reach it.
  • Keep doors locked, assign badges or keys to employees, and keep an inventory. Ensure badges and keys are collected when people leave the company.
  • Install cameras on exterior doors to strengthen security. Security systems are a plus for your home or corporate offices.
  • Lock your computer whenever you step away from it. It is a good habit to keep at home as well as in the office.
  • Don’t leave sensitive hardcopy out on your desk unattended. Lock it away.
  • Keep any security or access control systems up to date. Apply firmware and application updates, and test your equipment to ensure it is working properly.

Closing Thoughts

By focusing on these straightforward yet critical measures, you can create a robust physical security posture.

Melissa McCoy of Kaizen Approach, Inc. shares biweekly insights to help your organization take a smarter, more confident path toward CMMC compliance. Like and share the CISO Perspectives blog to help us continue improving the IC’s security posture.
