Meeting CMMC Physical Protection (PE) and NIST 3.10 with Office 365


As a disclaimer, this blog is intended to primarily discuss how an organization might use the native functionality and products of Office 365 plus Enterprise Mobility + Security (EM+S). This is not a complete approach but an overview of possible solutions..

The CMMC Domain Physical Protection (PE) is one of the 17 Domains that comprise CMMC and also aligns with NIST 800-171 Control Family 3.10. CMMC PE is focused on protecting your physical environment: facilities, IT assets, work areas, and storage locations. In this blog we will go over some of the baseline practices Microsoft uses to protect its data centers against physical, natural, and support threats. Adding to the requirements Microsoft addresses on behalf of its cloud customers, it will be important to discuss hybrid scenarios and some of the other physical protection requirements a cloud-first business may need to consider. By using the existing tools and workloads within Microsoft's Office 365 Government Community Cloud High (O365 GCCH), it is possible to meet these requirements with greater ease.


Basic Security Requirements

PE 1.131 Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals. 

The Microsoft Cloud Side of Things

Microsoft designs, builds, and operates datacenters in a way that strictly controls physical access to the areas where your data is stored. Microsoft takes a layered approach to physical security, to reduce the risk of unauthorized users gaining physical access to data and the datacenter resources. Datacenters managed by Microsoft have extensive layers of protection: access approval at the facility’s perimeter, at the building’s perimeter, inside the building, and on the datacenter floor.

All Azure Data Centers (including Office 365 GCC High tenants) have a hardened perimeter with steel fences, concrete walls, video surveillance, and guards that go through extensive background checks. To get past this perimeter, you must go through a strict approval process. This approval process only allows an individual with an explicit need (i.e. audit) to access only a specific zone or area within a specific time frame.

Each visitor and employee is required to wear a badge at all times and you must pass two-factor authentication with biometrics and a full body metal detection screening to continue into the datacenter. If your identity is validated, you can enter only the portion of the datacenter that you have approved access to. Additionally, video cameras monitor the front and back of every server rack. As mentioned previously, you can stay there only for the duration of the time approved.

The On-Premises Side of Things

Limiting physical access to your primary facility can start with simply securing offices, rooms, and facilities by using locks and keys, smart keypads, or card access.  Any access devices or copies of access devices need to be kept in a secure place, and they all need to be easily managed (potentially recorded in a SharePoint list). Furthermore, organizations need to maintain a log of all authorized individuals including visitors. 

Rather than relying on archaic clipboard and paper-based means for logging visitors, contractors can use existing Office 365 licenses to manage authorized visitors. The Visitor Management Solution (VMS) uses PowerApps, Flow, SharePoint Online, Outlook, and Teams to the fullest.  



The Summit 7 VMS uses a simple user interface built specifically for tablet and mobile devices and boasts compliance minded features, automated notifications via Microsoft Outlook and Microsoft Teams, an intuitive checkout process, and a visitor log that is managed real-time in SharePoint.

PE.2.135 Protect and monitor the physical facility and support infrastructure for organizational systems.

This requirement is highly physical in nature and includes alarm systems, video surveillance systems, and guards. Though important, it is outside of the scope of this blog and Office 365's capabilities. It is important to note that the transmission of data to/from/in Office 365 is encrypted, which eliminates most all scenarios of physical wire-tapping and digital eavesdropping. If you are in Office 365 GCC High or Azure Government, Microsoft is fulfilling the requirements of 2.135 for your cloud-based information systems; however, you and your organization are responsible for protecting and monitoring endpoints and any information system(s) residing in your facilities (on premises). 


Derived Security Requirements

PE.1.132 Escort visitors and monitor visitor activity.  

This is relatively straight forward. Although, there is a distinction that the NIST 800-171 Revision 1 makes in Appendix F between 'escort' and 'monitor'. Escorting an individual is exactly what it implies; however, monitoring is conducted on the logs. Much in the same way you would want to investigate an individuals activities within an information system for anomalies and peculiar behavior, it would be wise to devise checks to identify odd visitor patterns (a visitor stayed several hours, visited someone that was out of office, etc).

PE 1.132 - 1.134 can be achieved with Office 365 functionality. The video above showcases the Visitor Management Solution and the use of native applications: PowerApps, Flow, SharePoint Online, Teams, and Outlook (Exchange). To start, visitor escorting can be facilitated by prompt alerts in Teams and Outlook.

Microsoft Outlook Alert

VMS Email Notification

Microsoft Teams Alert

VMS Teams Notification

PE.1.133 Maintain audit logs of physical access.

If your company stores CUI on cloud-based information systems, then logs need to be maintained for facility access points. If you have a larger facility or multiple conference rooms, it may be wise to also capture the intended room or office each individual will primarily be visiting. Below is an example of how our Visitor Management Solution can store visitor logs in a SharePoint Online list.

VMS Visitor Records Example 2

PE.1.134 Control and manage physical access devices.

Physical Access Devices (PAD) are considered any key, card, code, or other item that provides a person access to a facility where CUI is accessed or stored. The PAD will vary widely depending upon your organizations' sophistication level for facility security. Regardless, you need to keep track of every item that grants access to the facility. The simplest means to do this is in a SharePoint list (unless you have a third party card/code system). You can keep track of all PAD's and create actionable workflows that trigger from/to that list.

For instance, you can create an approval workflow for a new hire to be granted a PAD, and similarly create a workflow for outprocessing an employee to notify a supervisor and security officer that the precise PAD has been turned over to Human Resources.

PE.3.136 Enforce safeguarding measures for CUI at alternate work sites.

Working from home, from alternate facilities, and mobile devices has become more commonplace for contractor companies. PE.3.136 is included in this control family because you cannot control physical access to a computer at a coffee shop or an employee's personal residence. The four utmost elements of meeting this requirement in Office 365 are documented policy, Azure Information Protection (Unified Labeling), Intune Mobile Device Management and Mobile Application Management, and Multifactor Authentication. (MFA).

Written policies and a Systems Security Plan are foundational, and employees need to be trained on what is acceptable behavior when working at an alternate work site. However, documentation can only inform, not enforce. Intune steps in to stop certain behaviors on devices and applications, and certain applications can be configured to block sharing at the container level (OneDrive, SharePoint Hub Site Collection, etc.). The next to last line of defense is labeling/encryption that is assisted by AIP for data in transit and at rest. If an attacker is still able to obtain a file from or through a remote worker and device, the labeled data cannot be accessed without authentication.

As previously stated in this blog, “a user cannot access Exchange (Outlook), SharePoint, OneDrive, Word Online, Teams, and the long list of other places CUI can be stored or accessed in Office 365 without first authenticating via Azure Active Directory. No matter what SaaS product or application in Office 365 being accessed, authentication occurs first. Additionally, MFA is a critical component to truly verify identity.”


Physical Protection (PE) In Summary

As with your data, your organization's physical environment needs to be protected. Following the CMMC guidelines will help keep both on-premises and off-premises data and information secure to protect you and your business. For additional details on our VMS or how to meet these requirements using O365 GCCH, feel free to reach out

Worst case - you can always get a security guard.

Security Guard




Subscribe Here!

Recent Posts

Posts by Topic

see all