You wouldn’t let just anyone into your home. Those who you do let in shouldn’t be able to do anything they pleased. The same holds true for our organizations, and CMMC 2.0 takes this very seriously with the Physical Protection (PE) domain. Here we find 6 controls with 14 objectives.


In order to fulfill these objectives you must limit physical access to all of your systems to authorized personnel only, maintain audit logs of any physical access, escort visitors, and control physical access devices.


This domain also connects to the Awareness and Training domain discussed in a previous blog. All employees hold responsibility for physical protection in the enterprise. They must be aware not to let a potential intruder “tailgate” or “piggyback” behind them upon badging into the facility. They must be aware of a potential imposter “shoulder surfing” to get credentials off their screen. Also they should not be leaving sensitive printed information or written passwords in their workspace.


We must foster a culture of security in our organizations.


Peter McNamee  CCP