ThePhysical Protection (PE) domaininCMMC 2.0 Level 1includes the requirementPE.L1-3.10.3, which mandates that organizationsescort visitors and monitor their activity.
TheCMMC Assessment Teamarrives at the OSC.
Thereceptionist acknowledges their arrival but does not verify credentials or escort themto the appropriate location.
Failing to verify visitor identity and failing to escort them is a violation of PE.L1-3.10.3.
A. PE.L1-3.10.3: Escort visitors and monitor visitor activity→✅Correct
This requirement ensures that visitorsdo not have unsupervised access to sensitive areas.
The receptionistshould have checked credentials and escorted the assessment team.
B. PE.L1-3.10.5: Control and manage physical access devices→❌Incorrect
This requirement refers to managingkeys, access badges, and security devices, which isnot the issue in this scenario.
C. PS.L2-3.9.1: Screen individuals prior to authorizing access to organizational systems containing CUI→❌Incorrect
This control applies to personnel screeningsbefore granting access to CUI systems, not physical visitor access.
D. PS.L2-3.9.2: Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers→❌Incorrect
This requirement deals withoffboarding employees and ensuring they no longer have system access. It isnot relevant to visitor escorting.
CMMC 2.0 Level 1 - PE.L1-3.10.3 (Physical Protection)
Requires organizations toescort visitors and monitor visitor activityat facilities containingFCI or CUI.
NIST SP 800-171 Rev. 2, Control 3.10.3
States thatvisitors must be escorted and monitored at all timesto prevent unauthorized access.
Breaking Down the Scenario:Analysis of the Given Options:Official References Supporting the Correct Answer:Conclusion:Since the receptionist failed to verify credentials and escort the visitors, this violatesPE.L1-3.10.3.
✅Correct Answer: A. PE.L1-3.10.3: Escort visitors and monitor visitor activity
