Published On February 26, 2025
CMMC and the Physical Security Domain
The IT Company's CMMC General Education Journey


This episode covers an MSP employee's role in CMMC compliance, with practical tips for understanding the controls in the Physical Security domain. From managing visitor logs to addressing physical threats like theft, we examine the human element in security. Finally, we give MSP employees actionable guidance for bridging physical and digital security effectively.

Chapter 1

Understanding NIST 800-171: Foundation of Cybersecurity Compliance

Lila Trevors

Alright, let’s jump into it! The Physical Protection Domain. A single propped-open door. A missing visitor log. A forgotten badge. Sounds small, right? But these little gaps could cost us or our clients their CMMC Level 2 compliance—and more.

Eric Marquette

That’s right! Physical security isn’t just about locked doors—it’s about when you step away. We’re breaking down the —let’s get into it!

Chapter 2

Physical Protection: The Human Element in Cybersecurity

Lila Trevors

Right, Eric, we were just talking about how all these cybersecurity controls tie into the physical side of things. Like, what’s the point of securing data digitally if someone can just walk into your office and snoop around?

Eric Marquette

Exactly. Physical security is one of those things that people often overlook, thinking it's not a "cyber" problem, but it's all connected. If someone gains physical access to your equipment, they could bypass a lot of those digital protections we've talked about.

Lila Trevors

Right, I mean, picture this—someone walks in, plugs a USB drive into your server, and boom! They’ve just bypassed all your cybersecurity layers. It’s like setting up a fancy alarm system at home but leaving the front door wide open.

Eric Marquette

That's a great analogy. Let’s break it down—physical security covers things like securing access points, logging who comes and goes, and making sure visitors don’t just wander around unescorted.

Lila Trevors

Oh, visitor logs! Can we talk about that for a second? It sounds so basic, but I’ve seen companies overlook this completely. They figure, “Oh, we’re small, we don’t need that,” but then they forget who’s been in their space.

Eric Marquette

Exactly. And it’s not just about keeping a list of names—it’s about connecting those logs back to your policies. For instance, are visitors being escorted? Do they have access to areas with sensitive info, like CUI?

Lila Trevors

Oh my gosh, I’ve got a story for you. I heard about this company where the office manager left, and no one took over maintaining the visitor logs. A year later, they couldn’t figure out who had accessed an area during a security incident.

Eric Marquette

Oof, yeah, that’s not a great place to be. Those gaps can lead to major compliance issues, not to mention the potential for real security breaches. And let’s not forget about simple things like locking down equipment and documents, too.

Lila Trevors

Totally. It’s all part of a bigger puzzle—connecting physical security measures to your overall compliance framework. Like, it's not just about locks and logs; it’s about making sure everything works together to protect your data, your team, everything.

Chapter 3

Practical Tips for MSP Employees: Bridging Physical and Digital Security

Lila Trevors

So, we’ve laid out why physical security is so critical, especially with those real-world examples we just discussed. Now let's zoom in on what MSP employees—yes, I’m talking to you listening—can concretely do about it under CMMC Level 2. Eric, why don’t we kick this off with the top five practical steps they should focus on?

Eric Marquette

Sure thing. First up, secure those access points. That means no unauthorized entry, not just for people but for your equipment too. It’s step zero—lock those doors, secure the server rooms.

Lila Trevors

And don’t forget, you’re not just protecting what's inside the building. It’s about the data and systems, too. What’s next?

Eric Marquette

Second, escort and log all visitors. It’s not just a formality—it ties back to compliance. You need a record of who’s in your space, why they’re there, and good escorting policies to ensure they’re not poking around where they shouldn’t.

Lila Trevors

Oh, and logs can be digital or physical, right? So, there’s no excuse. Next?

Eric Marquette

Number three—maintain access records and review them regularly. Don’t let them just sit in a filing cabinet or, worse, an ignored spreadsheet. If you don’t use the data, it’s useless.

Lila Trevors

Right, and let’s not forget a big one—locking down workstations and securing documents. If you’re leaving stuff on your desk at the end of the day, you’re doing it wrong. You lock your house, don’t you?

Eric Marquette

Exactly. And finally, number five—report anything suspicious immediately. Lost badges? Someone wandering where they shouldn’t be? Don’t assume someone else will handle it. Speak up!

Lila Trevors

Okay, real quick, let’s do a “What would you do” scenario. Picture this: You’re at the office late, and you see someone who doesn’t belong there walk past you, heading toward the server room. What’s your first move?

Eric Marquette

I’d say, first things first—don’t confront them directly unless you’re certain they’re supposed to be there. Alert security or your manager right away. Suspicious activity reporting is critical here, and policies exist to guide you through it.

Lila Trevors

Exactly! Follow the protocol, people. Even small actions like this make a huge difference in protecting your organization. Alright, let’s quickly recap.

Eric Marquette

So, to recap—secure access points, escort and log visitors, maintain and review access records, lock down workstations and documents, and report suspicious activity immediately. These aren’t just good habits; they’re essential for compliance and security.

Eric Marquette

Next, let's dive deeper into some of the acronyms you should be familiar with if you're talking about this domain.

Lila Trevors

Good call! First up, a pop quiz! What is CUI?

Eric Marquette

That’s , which is sensitive government-related data we must protect both physically and digitally.

Eric Marquette

Next up, FCI. What is that?

Eric Marquette

. It’s not as sensitive as CUI, but still requires protection from unauthorized access.

Eric Marquette

Now for the new ones, right?

Lila Trevors

Yes, since we’re talking physical security, you’ll hear PACS—. That’s everything from .

Eric Marquette

Exactly! Oh, and let’s not forget BMS—. It controls things like security cameras and even door access, which means it can be a cybersecurity risk if not properly managed.

Eric Marquette

So if you remember anything, focus on —because they directly impact how we secure our workspaces.

Lila Trevors

You know, one more crucial topic we need to cover: what role do we, as an MSP, play in this for our clients?

Eric Marquette

Lila Trevors

And that’s it for today, folks! Remember, all of us at The IT Company are on the front lines of this. Every small action counts. Thanks for hanging out with us, and we’ll catch you next time!

Eric Marquette

Yep, stay vigilant, stay compliant, and, uh—don’t forget to log your visitors! See you next time.

About the podcast

Join The IT Company on our CMMC General Education Journey, where we break down the Cybersecurity Maturity Model Certification (CMMC) in a way that’s accessible, practical, and relevant for businesses and IT professionals. Whether you're just starting to understand CMMC compliance or looking for strategies to level up your security posture, this podcast provides insights from industry experts, MSPs, and cybersecurity professionals navigating the same challenges.

This podcast is brought to you by Jellypod, Inc.

© 2025 All rights reserved.