CMMC Section 3.10: Physical Protection

By Dr. Jerry Craig | October 7, 2022
Jerry is Ntiva’s Sr. Director of Security and CISO, offering more than 20 years in the IT and cybersecurity industry. Certified CISO, CISSP and CCSP, Jerry also serves part-time as Adjunct Professor in the University of Maryland Global Campus.
CMMC Section 3.10 breaks down "physical protection" of controlled unclassified information (CUI).

While this particular section of CMMC 2.0 is rather straightforward with very few curveballs, it's still important to pay attention to the details of the controls in 3.10.

Table of Contents:

What You Need to Know About CMMC 3.10
CMMC 3.10.1
CMMC 3.10.2
CMMC 3.10.3
CMMC 3.10.4
CMMC 3.10.5
CMMC 3.10.6
How to Obtain CMMC Certification


Don't want to read the article? Watch the full recording below.
Be sure to register here for the Cybersecurity for the Rest of Us webinar series!



What You Need to Know About CMMC 3.10: Physical Protection

There are only six controls in CMMC Section 3.10, and they all cover the physical side of your data storage. This includes things like escorting visitors, maintaining audit logs, and controlling access to physical devices in the building. Let's dive in.


CMMC 3.10.1

Limit physical access to organizational systems, equipment, and the restrictive operating environments to authorized individuals.

This is meant to cover your employees and visitors, but you also need to be careful not to overlook vendors, maintenance staff, and building owners. These are commonly overlooked, but they are equally "dangerous" to your CUI.

There are many solutions, such as credentials that include badges and smart access cards for employees, along with locked rooms and cabinets for the hardware.

Make sure you're compliant with local, state, and federal laws, directives, and policies while implementing these security standards.


CMMC 3.10.2

Protect and monitor the physical facility and support infrastructure for organizational systems.

This is building off of 3.10.1, but is a bit more in-depth. For example, you need to monitor your secured areas with cameras, guards, and/or barricades. It's up to you to make sure these security measures are appropriate for the sensitivity level of the data you're protecting.

Ensuring built-in redundancy and off-site access where applicable is also part of 3.10.2. Your CUI needs to be protected while also being accessible for those who need it.

Don't overlook less obvious areas such as comm lines, power lines, and HVAC. These are all potential weak points in your infrastructure.


CMMC 3.10.3

Escort visitors and monitor visitor activity.

This one is very simple and straightforward. Any visitor that enters your building should be logged. Ensure you have activity and access logs that are reviewed on a regularly scheduled recurring basis.

The only caveat of this section is determining what classifies as a true "visitor." If contractors or part-time employees are coming and going with any regularity, it may be best to give them permanent physical access authorization credentials.

One crucial point to this section: ensure that your reviews match exactly what you have indicated in your policies and procedural documents.


CMMC 3.10.4

Maintain audit logs of physical access.

The important part of maintaining audit logs is determining if manual or automated logging is best for your organization. While manual systems may be more cost effective to begin with, you need to consider the amount of time you'll spent auditing and maintaining those manual logs.

Whenever possible, capture electronic logs for devices and systems that allow it, and create manual processes for those that don't. Also be sure to review the logs regularly.

Don't forget to periodically test that the systems are performing as intended. This will save you from a nightmare if/when you need those logs to be functioning properly.


CMMC 3.10.5

Control and manage physical access devices.

Physical access devices include keys, locks, combinations, and card readers. The most important part of this section is not the method you choose, but having an accurate inventory of these devices at all times.

Know who is assigned to each item, and ensure that active devices are owned and maintained by current employees. Keeping extras and spares secured until needed is an often forgotten piece of this puzzle.


CMMC 3.10.6

Enforce safeguarding measures for CUI at alternate worksites.

It's easy to think these physical security requirements apply only to areas inside your building. It's easy to overlook remote work.

Protecting data remotely can be a huge task. 3.10.6 refers to NIST 800-46 and 800-114 for guidance on enterprise and user security when teleworking.

Our best suggestion for this section is review and know the security requirements and capabilities at alternate sites, such as government sites, corporate offices, vendor spaces, and private residences.


How to Obtain CMMC Certification?

CMMC 3.10 is fairly straightforward, but maintaining physical security of your data can cost you immense amounts of time and money. This is where a Govcon friendly MSP like Ntiva can help. Let's get your data secured and leave you more time to do your job!

If you’d like to learn more, or get hands-on guidance to ensuring your organization is in compliance with these and other CMMC standards, we’re here to help. Contact Ntiva today.

Explore Our Managed Security Services

Tags: Cybersecurity