VerySecure UAV’s On-Site CMMC Assessment – Physical Security & related domains


Disclaimer: This story is entirely fictional. Any resemblance to actual persons, living or dead, or actual events, or actual companies is purely coincidental and unintended. The characters, companies, and events portrayed are purely a work of fiction. Jil Wright, a Certified CMMC Assessor, has provided this narrative to offer organizations seeking certification an example of what an assessment might entail. Jil Wright does not endorse any of the technologies mentioned in this story. Implementing the specific measures discussed does not guarantee that a practice will be met.


Company Overview

VerySecure UAV is a manufacturer of Unmanned Aerial Vehicles for military use. They produce cutting-edge drones that are engineered to meet the rigorous demands of military operations, providing superior surveillance, reconnaissance, and tactical support capabilities.

Acing this assessment was critical to maintaining their Department of Defense (DoD) contracts.

On-site Scope

The company operates from a headquarters building and a state-of-the-art manufacturing facility that employs the latest in aerospace engineering and cybersecurity measures.

Planning

Before the on-site assessment, much planning is involved. The company and the Lead Assessor (along with the traveling assessor, if different) plan the logistics of the visit. Along with planning the virtual part of the assessment, the planning phase may include the activities below:

Assessment Planning Checklists

VerySecure UAV

  • Designate a point of contact (POC) to support the assessor during the visit.
  • Ensure the POC is easily reachable to handle any inquiries or issues.
  • Technical support – have IT support available to address any technical difficulties during the assessment.
  • Share contact information with the assessor, including phone numbers and email addresses.
  • Meet with the assessor to go over the assessment agenda, expectations, and any specific requests or preferences they might have.
  • Work with the assessor to develop a detailed agenda for the on-site assessment.
  • Outline the specific times, locations, and activities planned for each day.
  • Organize a tour of the facility and arrange meetings with individuals such as the Facility Security Officer (FSO), the Chief Operating Officer (COO), the Chief Information Officer (CIO) and IT Department representatives, facilities security personnel, and other relevant staff members.
  • Allow for breaks, lunchtime, and any unexpected delays in the schedule.
  • Coordinate with the assessor to finalize travel dates and times.
  • Give the assessor details on how to enter the premises and parking arrangements.
  • Create a workspace for the assessor. Equip the workspace with internet access, office supplies, and any specialized equipment needed for the assessment.
  • Prepare a visitor badge for the assessor and ensure it is ready for pickup upon their arrival.
  • The POC should meet the assessor upon arrival and escort them to the meeting room.

Lead Assessor

  • Exchange contact details with the company, including phone numbers and email addresses for communication.
  • Plan a virtual meeting with the company POC to go over the assessment agenda and expectations.
  • Check with the company for any hotel recommendations. Book accommodations at a nearby hotel that meets the assessor's preferences and needs.
  • Finalize travel dates and times in coordination with the company.
  • Confirm detailed travel itineraries, including flight information, ground transportation, and accommodation details.
  • Ensure reliable transportation arrangements to and from the airport, hotel, and assessment site.
  • Collaborate with the company to develop a detailed agenda for the on-site assessment.
  • Coordinate with the company to plan the facility tour and schedule meetings with key personnel, including the FSO, IT Department, facilities security, and other relevant staff.
  • Review the specific plan for each day.
  • Check with the company about any safety requirements, such as masks, safety shoes, or dress codes.

The Assessment Begins

As scheduled, the assessor, Ms. Shields, arrived at VerySecure UAV’s headquarters promptly on Tuesday morning to begin the on-site assessment. Before entering the facility, Ms. Shields did a quick drive-around evaluation of the exterior protections of the buildings. She took mental notes of where she saw cameras and other security measures, and where she did not.

As she entered the headquarters, she met Kate Keep, the Facility Security Officer (FSO), and Mark Monitor, the Chief Operating Officer (COO), who greeted her.

Kate: “Welcome, Ms. Shields. Let’s get you checked in and we’ll escort you to the meeting room to get you settled in.”

Ms. Shields: “Thank you, as soon as I can get set-up, we can begin the tour. I’m looking forward to seeing your facility.”

Ms. Shields was signed in, given her visitor badge, and the front desk took note of the serial number of her laptop and looked in her purse.

PE.3.10.3[a] Visitors are escorted.

PE.3.10.3[b] Visitor activity is monitored.

Ms. Shields: “I noticed you checked me in and escorted me from the front desk. Can you explain your visitor management process?”

Kate: “Every visitor signs in at the front desk and receives a temporary badge. They’re always escorted by a staff member, and their activity is monitored through our security cameras.”

Ms. Shields: “Can you show me the visitor log and some recent footage of visitor activity?”

Kate: “Of course. Here is the visitor log, and I’ll pull up the camera footage from yesterday.”


PE.3.10.1[b] Physical access to organizational systems is limited to authorized individuals.

PE.3.10.1[c] Physical access to equipment is limited to authorized individuals.

PE.3.10.1[d] Physical access to operating environments is limited to authorized individuals.

Ms. Shields: “Do you mind showing me how you restrict access to your organizational systems, equipment, and operating environments?”

Kate: “Sure, follow me to our server room.”

At the server room, Kate showed Ms. Shields the cameras in place along with the badge reader and demonstrated how only authorized personnel could access the area.

Kate: “Here are the logs for the past week, showing who accessed the server room. The same controls apply to our equipment storage areas and operating environments. Personnel are granted access to specific areas with their badge. If they don’t have the necessary permissions in the badging system, they can’t enter.”

Ms. Shields: “How do you ensure print jobs containing CUI are not picked up by unauthorized personnel?”

Kate: “Printers are located in secure areas, and users must swipe their badges to release their print jobs. This ensures only the person who printed the document can retrieve it.”

Ms. Shields: “Can I see this in action?”

Kate demonstrated how a print job was sent and then released by swiping her badge at the printer.


Ms. Shields: “In your documentation, you talk about protecting the information needed to build your products. How do you protect digital and physical drawings and schematics in the warehouse?”

Ms. Shields: “Thank you.”

PE.3.10.2[a] The physical facility where organizational systems reside is protected.

PE.3.10.2[b] The support infrastructure for organizational systems is protected.

PE.3.10.2[c] The physical facility where organizational systems reside is monitored.

PE.3.10.2[d] The support infrastructure for organizational systems is monitored.

Ms. Shields: “How do you ensure that only authorized individuals have access to your equipment?”

Mark: “We place equipment in locked cages and control access through badge readers. Only a very few personnel with specific permissions can access these cages. There are cameras monitoring the area.”

Ms. Shields: “Can you show me an example?”

Mark led Ms. Shields to a section of the warehouse where equipment was stored in locked cages. He stopped an employee who was walking by, and together they demonstrated how the badge reader denied that employee access. Mark then used his own badge to open the cage, showing that only those with the proper permissions could open it.

Ms. Shields: “Now let’s talk about the physical protection of your facilities and support infrastructure. What measures do you have in place?”

Mark: “We have a security fence surrounding the facility, security guards at the entrance, and surveillance cameras covering all entry points. We also have specific measures to protect the internet cables coming into the building from being cut. Additionally, internet jacks in public areas are disabled to prevent unauthorized access.”

Ms. Shields: “Can we review the surveillance setup and the logs from these areas?”

Mark: “Certainly. Follow me to the security office. Kate can review everything with you.”

At the security office, Kate showed Ms. Shields the live camera feeds and the logs from the past month.

Kate: “You can see here how we monitor both the physical facility and the support infrastructure continuously. We also have additional barriers for server rooms and communication hubs, including locked cages for some of the equipment.”

Ms. Shields: “Excellent. From reviewing your documentation, I know that you receive deliveries from the same couriers most of the time, and they drop off at the back of the warehouse at a loading dock. How do you ensure there is no unauthorized access during deliveries?”

Mark: “We have a strict protocol for deliveries. Couriers must check in at the main gate, where security verifies their identity and logs their entry. They then proceed to the loading dock, which is monitored by cameras. Our staff at the loading dock supervises the delivery process. Couriers are not allowed to enter the warehouse itself; instead, our staff handles the unloading.”

Ms. Shields: “Can I see how this process works?”

Mark: “Absolutely. Let’s head to the loading dock.”

At the loading dock, Mark had an employee who receives deliveries show Ms. Shields the security setup, including the cameras and the supervised unloading process. They showed that the security guard at the gate had logged the entry of a delivery truck and that warehouse staff had handled the delivery.


PE.3.10.5[b] Physical access devices are controlled.

PE.3.10.5[c] Physical access devices are managed.

Ms. Shields: “How do you control and manage physical access devices like keys and badges?”

Kate: “I issue and deactivate badges and our IT department is responsible for updating and maintaining the badging system. We review badge access biannually. We keep a detailed inventory of all access devices and conduct regular audits. Lost or stolen badges are deactivated immediately, and we update access permissions as needed. Unused badges are locked in a cabinet until they are needed.”

Ms. Shields: “Can you show me the inventory records and a demonstration of how you deactivate a badge?”

Kate: “Here are our inventory records, and I’ll show you how we deactivate a badge in our system.”

Kate demonstrated the badging system software and the deactivation process, ensuring that Ms. Shields understood how they managed access devices.

Ms. Shields: “Thank you.”


SC.3.13.12[b] Collaborative computing devices provide indication to users of devices in use.

Ms. Shields: “How do you ensure collaborative computing devices indicate when they are in use?”

Kate: “We don’t have any collaborative computing devices other than our desktops and laptops. We use Teams for meetings, and it provides indications when the microphone or camera is on.”

Ms. Shields: “Can you show me an example?”

Kate demonstrated a Teams meeting, highlighting the indicators for microphone and camera usage.


CM.3.4.5[d] Physical access restrictions associated with changes to the system are enforced.

Ms. Shields: “How do you enforce physical access restrictions for system changes?”

Kate: “Let’s meet with our CIO, Bob Bytes, and our system administrator, Alex Admin, to discuss this.”

In the meeting room, Bob and Alex explained the change management process.

Bob: “We use a ticketing system for all changes. Only authorized personnel can make changes, and they must log their activities on the ticket.”

Alex: “Here’s an example of a recent change ticket. It details who made the change, what was changed, and when it was done. We restrict access to physical systems to only those with the necessary permissions.”

Ms. Shields: “Thank you.”


MA.3.7.2[d] Personnel used to conduct system maintenance are controlled.

Ms. Shields: “How do you control personnel conducting system maintenance?”

Mark: “We have a list of authorized maintenance personnel, and they are supervised during their work. For example, last week, John Coldman, our HVAC technician, performed maintenance. He signed in, was escorted to the equipment, and was supervised throughout the process.”

Ms. Shields: “Can I see the log for John’s visit?”

Mark: “Here it is. You can see his sign-in, the work performed, and the supervision details.”


MP.3.8.1[c] Paper media containing CUI is securely stored.

MP.3.8.1[d] Digital media containing CUI is securely stored.

Ms. Shields: “How do you store paper and digital media containing CUI?”

Kate: “Paper CUI is stored in locked cabinets in a secure room, and the cabinets are clearly labeled. Digital CUI is stored on encrypted drives within secured servers. We do not allow portable storage devices, and USB ports are disabled on all machines. We don’t have any portable storage devices to store.”

Ms. Shields: “Please show me the storage area.”

Kate led Ms. Shields to the secure room and showed the locked cabinets for paper CUI. They then inspected the server setup, confirming the encryption and security measures for digital CUI.


MP.3.8.4[a] Media containing CUI is marked with applicable CUI markings.

MP.3.8.4[b] Media containing CUI is marked with distribution limitations.

Ms. Shields: “Is media containing CUI properly marked with applicable markings and distribution limitations?”

Kate: “Yes, we have a labeling system in place for all CUI media.”

Ms. Shields: “Let’s take a look at some examples.”

Kate showed her several marked documents, each clearly labeled with applicable CUI markings and distribution limitations.


Findings

Ms. Shields: “I have everything I need. Thank you very much for your transparency and hospitality. VerySecure UAV has met all the assessment objectives for the PE domain and related controls. The documentation and procedures are thorough, and the team’s preparation is evident. Well done. I will be giving the Lead Assessor my finding for the final report.”

Mark: “Thank you, Ms. Shields. When you are ready, I can escort you out. I hope you enjoyed the tour; we think we build some pretty cool stuff to protect our warfighters.”

Kate: “Thank you, it was nice to meet you Ms. Shields.”