CMMC Level 2: Physical, Personnel & Media Protection

Physical security, personnel vetting, and media protection address the human and tangible aspects of cybersecurity. These 19 practices protect your facilities, ensure trustworthy personnel, and safeguard CUI on storage media throughout its lifecycle.

Physical Protection (PE) - 8 Practices

Physical Protection from NIST SP 800-171 section 3.10 ensures that physical access to systems, equipment, and facilities is controlled. Digital security means nothing if an attacker can simply walk in and access your servers.

Physical Access (3.10.1 - 3.10.2)

• 3.10.1: Limit physical access to organizational systems, equipment, and operating environments to authorized individuals
• 3.10.2: Protect and monitor the physical facility and support infrastructure

Implementation guidance:

• Define physical security perimeters (building, floor, room)
• Install access controls at entry points (badge readers, keypads, locks)
• Implement layered access (reception → general office → server room)
• Use surveillance cameras at entry points and sensitive areas
• Protect infrastructure: HVAC, power, network closets
• Ensure adequate lighting in parking areas and entrances

Visitor Management (3.10.3 - 3.10.5)

• 3.10.3: Escort visitors and monitor visitor activity
• 3.10.4: Maintain audit logs of physical access
• 3.10.5: Control and manage physical access devices (keys, badges, combinations)

Visitor procedures:

• Require government-issued ID for visitor verification
• Log visitor name, company, purpose, time in/out, escort
• Issue visitor badges that visually differ from employee badges
• Escort visitors at all times in areas with CUI
• Collect visitor badges upon departure
• Review visitor logs for anomalies

Access device management:

• Maintain inventory of all keys, badges, and combinations
• Immediately deactivate badges when employees leave
• Recover physical keys during offboarding
• Rekey or change combinations when keys are lost
• Audit access device inventory quarterly

Alternate Work Sites (3.10.6)

3.10.6: Enforce safeguarding measures for CUI at alternate work sites.

What this means: With remote work, employees accessing CUI from home or other locations must protect it appropriately.

Implementation:

• Define approved alternate work locations in policy
• Require VPN for all remote access to CUI
• Prohibit CUI processing in public locations (coffee shops, airports)
• Require privacy screens on laptops
• Train employees on securing home work environments
• Consider providing locked cabinets for home offices
• Prohibit printing CUI at home unless specifically approved

Personnel Security (PS) - 2 Practices

Personnel Security from NIST 800-171 section 3.9 addresses the human element. It ensures people with access to CUI are trustworthy and that access is promptly removed when employment ends.

Personnel Screening (3.9.1)

3.9.1: Screen individuals prior to authorizing access to systems containing CUI.

Implementation guidance:

• Conduct background checks before granting CUI access
• Verify employment history and references
• Check criminal history appropriate to position sensitivity
• Verify education and professional credentials
• Re-screen personnel periodically based on risk
• Document screening requirements in HR policies

Screening levels may include:

• Basic: Identity verification, criminal check
• Moderate: Credit check, employment verification
• High: Extended background investigation (for sensitive positions)

Personnel Termination and Transfer (3.9.2)

3.9.2: Ensure CUI and systems containing CUI are protected during and after personnel actions such as terminations and transfers.

Termination procedures:

• Disable all system access immediately upon termination
• Collect all company equipment (laptop, phone, badges, keys)
• Revoke remote access (VPN, cloud services)
• Change shared passwords the person knew
• Conduct exit interview addressing confidentiality obligations
• Remind departing employee of non-disclosure agreements

Transfer procedures:

• Review access rights for appropriateness in new role
• Remove access no longer needed
• Grant new access based on new role requirements
• Update role assignments in access management systems

Media Protection (MP) - 9 Practices

Media Protection from NIST 800-171 section 3.8 governs how you handle storage media containing CUI throughout its lifecycle, from creation through destruction. This includes hard drives, USB drives, backup tapes, and even paper.

Media Protection and Access (3.8.1 - 3.8.2)

• 3.8.1: Protect (control access to, mark, and securely store) system media containing CUI
• 3.8.2: Limit access to CUI on system media to authorized users

Implementation guidance:

• Identify all media that contains or has contained CUI
• Mark media clearly (e.g., "CUI" label on drives)
• Store media in locked cabinets or secure rooms
• Restrict physical access to storage locations
• Maintain a media inventory with custodian assignments
• Encrypt portable media (USB drives, external hard drives)

Media Disposal and Sanitization (3.8.3)

3.8.3: Sanitize or destroy system media containing CUI before disposal or release for reuse.

Sanitization methods by media type:

• Hard drives (HDD): Overwrite with approved tools (NIST 800-88 compliant) or physically destroy (shred, degauss)
• Solid state drives (SSD): Cryptographic erase or physical destruction (overwriting is not reliable for SSDs)
• Optical media (CD/DVD): Shred or incinerate
• USB drives: Cryptographic erase or physical destruction
• Paper: Cross-cut shred (P-4 or higher)
• Backup tapes: Degauss and physically destroy

Documentation requirements:

• Record date, method, media description, and responsible party
• Obtain destruction certificates from vendors
• Maintain sanitization records for audit

Media Marking (3.8.4)

3.8.4: Mark media with necessary CUI markings and distribution limitations.

Implementation:

• Apply "CUI" marking to all media containing CUI
• Include distribution/handling caveats if required
• Use tamper-evident labels where appropriate
• Mark both the media and its container
• Establish marking procedures in your media protection policy

Media Accountability (3.8.5)

3.8.5: Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas.

Implementation:

• Use sign-out logs when media leaves secure storage
• Track chain of custody for transported media
• Require management approval for media transport
• Use tamper-evident packaging for shipments

Portable Storage Encryption (3.8.6)

3.8.6: Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.

Implementation:

• Require hardware-encrypted USB drives for CUI transport
• Use BitLocker To Go or similar for portable drives
• Encrypt backup tapes before off-site storage
• Use AES-256 encryption at minimum
• Manage encryption keys securely and separately from media

Removable Media Control (3.8.7)

3.8.7: Control the use of removable media on system components.

Implementation:

• Disable USB ports on systems where removable media isn't needed
• Use endpoint protection to whitelist approved USB devices
• Block auto-run/auto-play for removable media
• Scan all removable media for malware before use
• Prohibit personal USB devices on work systems
• Issue company-approved encrypted USB drives when needed

Media Sharing (3.8.8 - 3.8.9)

• 3.8.8: Prohibit the use of portable storage devices when they have no identifiable owner
• 3.8.9: Protect the confidentiality of backup CUI at storage locations

Implementation:

• Never connect found USB drives to systems
• Train employees about USB drop attacks
• Label all company USB devices with owner information
• Encrypt all backups containing CUI
• Store backup media in a physically secure location
• Protect off-site backup locations with same rigor as primary site

Evidence for Assessment

Prepare the following for your C3PAO assessment:

• Physical security policy and procedures
• Facility diagrams showing security perimeters
• Physical access control logs
• Visitor logs
• Badge/key inventory and issuance records
• Personnel security policy
• Background check procedures and records (redacted)
• Offboarding checklists and records
• Media protection policy
• Media inventory
• Sanitization/destruction records and certificates
• Encryption key management documentation
• USB device control configurations

Key Takeaways

• Physical security is fundamental because logical controls fail if physical access isn't controlled
• Screen personnel before granting CUI access; revoke access immediately upon departure
• Control, mark, and track all media containing CUI
• Encrypt portable media and control removable device usage
• Sanitize or destroy media before disposal because simple deletion isn't enough
• Alternate work sites need equivalent protections to the office

Next in the Series

Continue to CMMC Level 2: System Protection & Integrity to learn about network security, encryption, and protecting system integrity.

Ready to simplify your CMMC compliance? Get early access to Pretorin and let AI help you manage your security controls.