> **SYNTHETIC SAMPLE** — this is a reference deliverable for grc.engineering's IG1 Starter Pack. Bowman Machine Works is a fictional DIB sub-tier persona (12-person CNC shop, Toledo OH) used to show what a completed L1 physical-protection policy looks like. All names, addresses, system IDs, and signatures are fabricated.

# Physical Protection Policy — Bowman Machine Works, Inc.

**Framework:** CMMC Level 1 (FAR 52.204-21) + supplements for CMMC L1 amber practice AC.L1-b.1.iv
**Policy owner:** Director of Operations
**Approved by:** Margaret R. Bowman, President & Owner
**Effective date:** 2026-03-01
**Review cadence:** annual (next review 2027-03-01)

---

## Why this document exists

CIS Controls v8.1 IG1 — the automated baseline for Bowman Machine Works, Inc.'s CMMC L1 self-assessment — contains no physical safeguards by design; CIS is scoped exclusively to IT/cyber controls. This policy closes the four PE (Physical and Environmental Protection) practices that CIS IG1 structurally cannot address, plus the website content review procedure that AC.L1-b.1.iv requires beyond automated data-plane ACL checks.

When combined with the Prowler CIS IG1 scan output, this policy completes Bowman Machine Works, Inc.'s 17-practice CMMC L1 self-assessment readiness. See `research/cis-ig1-to-cmmc-l1-crosswalk.md` for the full mapping.

---

## §1 Facility Access Authorization (PE.L1-b.1.viii)

### Authorized individuals list

Bowman Machine Works, Inc. maintains a current list of individuals authorized for physical access to facilities that house information systems handling Federal Contract Information (FCI). The list is stored at `G:\HR\Access\physical-access-list.xlsx` (restricted shared drive, HR group only) and includes:

- Full name
- Role and department
- Authorized areas (server room / wiring closet / general office / visitor-escort-only)
- Authorization effective date
- Authorization expiration date (for contractors and temp staff)
- Authorizing manager

### Access revocation trigger

Physical access is revoked within 1 business day of any of:

- Termination of employment
- Role change that removes FCI-handling responsibilities
- Extended leave of absence (> 30 days)
- Credential loss or compromise (see §4 Badge and Key Inventory)

### Review cadence

The authorized individuals list is reviewed quarterly. Each review produces a dated attestation stored at `G:\HR\Access\attestations\`.

---

## §2 Visitor Escort Procedure (PE.L1-b.1.ix)

### Who may escort

Only individuals on the Authorized Individuals List (§1) with the `escort-privileged` flag may escort visitors. The flag is granted by Bowman Machine Works, Inc.'s Director of Operations after the escort-privileged individual completes a one-time briefing covering: visitor sign-in, area restrictions, and incident response.

### What counts as "escort"

Escort means continuous visual supervision while the visitor is inside an FCI-handling area. Escort does NOT include:

- Leaving the visitor unattended for any duration, including bathroom / coffee breaks (visitor must exit the restricted area first)
- Handing visitors credentials and meeting them later
- Relying on video surveillance alone

### Visitor categorization

Visitors are categorized as:

- **Escorted guests** — customers, vendors without standing access, interview candidates
- **Service personnel** — HVAC, janitorial, maintenance (escorted unless service personnel hold a signed access agreement; see `G:\Contracts\service-access\`)
- **Emergency responders** — fire, EMS, law enforcement during active incident (escort requirement suspended; physical access log entry made post-incident)

---

## §3 Physical Access Log (PE.L1-b.1.x)

### What is logged

Every person entering or exiting a CUI- or FCI-handling facility area produces a physical access log entry with:

- Date + time of entry
- Date + time of exit
- Person's name (or badge ID for regular staff)
- If a visitor: purpose of visit + escort name
- Areas visited (if distinct from the entry point)

### Where it is logged

- **Electronic:** Kisi cloud access control produces automated entry/exit logs, viewed in the Kisi web portal and exported monthly as CSV to `G:\Security\access-logs\`.
- **Manual:** the paper visitor binder at the reception desk captures guests not credentialed in the electronic system.

Both logs are retained for 36 months (minimum for CMMC L1 self-assessment defensibility: 12 months).

### Review

The Director of Operations reviews physical access logs weekly to detect: unauthorized entry attempts, failed badge reads, visitor overstays, and access outside business hours without prior authorization.
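As an added illustration (not part of the Bowman policy and not a Kisi feature), the script below applies the weekly review criteria to a monthly CSV export. The column layout, the 07:00–18:00 Mon–Fri business hours, the 8-hour visitor limit, the `pre_authorized` set and the sample rows are all assumptions constructed for the example.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample rows in an assumed column layout; a real Kisi export will differ.
SAMPLE_CSV = """timestamp,person,badge_id,door,event,visitor
2026-03-02T08:05:00,A. Rivera,B-1041,server-room,granted,no
2026-03-02T22:40:00,A. Rivera,B-1041,server-room,granted,no
2026-03-03T09:15:00,unknown,B-9999,wiring-closet,denied,no
2026-03-03T10:00:00,Vendor Tech,V-07,general-office,visitor-in,yes
2026-03-03T19:30:00,Vendor Tech,V-07,general-office,visitor-out,yes
2026-03-07T11:00:00,J. Okafor,B-1007,general-office,granted,no
"""

BUSINESS_HOURS = (7, 18)   # assumption: 07:00-18:00 local, Monday-Friday
VISITOR_MAX_HOURS = 8      # assumption: longer than this counts as an overstay


def _after_hours(ts):
    return ts.weekday() >= 5 or not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1])


def review_access_log(csv_text, pre_authorized=frozenset()):
    """Return (finding, subject, timestamp) tuples for the four review criteria."""
    findings, open_visits = [], {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        ts = datetime.fromisoformat(row["timestamp"])
        if row["event"] == "denied":                      # failed badge read
            findings.append(("failed-badge-read", row["badge_id"], row["timestamp"]))
        if row["event"] in ("granted", "visitor-in"):     # entry outside hours
            if _after_hours(ts) and row["person"] not in pre_authorized:
                findings.append(("after-hours-access", row["person"], row["timestamp"]))
        if row["event"] == "visitor-in":
            open_visits[row["badge_id"]] = ts
        elif row["event"] == "visitor-out":
            entered = open_visits.pop(row["badge_id"], None)
            if entered and ts - entered > timedelta(hours=VISITOR_MAX_HOURS):
                findings.append(("visitor-overstay", row["person"], row["timestamp"]))
    for badge, ts in open_visits.items():                 # visitor never signed out
        findings.append(("visitor-no-exit", badge, ts.isoformat()))
    return findings


if __name__ == "__main__":
    for finding in review_access_log(SAMPLE_CSV):
        print(*finding)
```

Names in `pre_authorized` (those with prior approval for after-hours access) are exempted from the after-hours finding; everything else is reported for the Director of Operations to follow up.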

---

## §4 Badge and Key Inventory (PE.L1-b.1.xi)

### Inventory scope

Bowman Machine Works, Inc. maintains an inventory of every physical access device that grants entry to FCI-handling areas:

- Electronic badges (RFID / PIV / proximity)
- Physical keys and key cards
- Combination codes (keypad, safe, lockbox)
- Biometric enrollments (if used)

Inventory location: `G:\Security\badge-inventory.xlsx`. Each row includes: device ID, device type, current holder, issuance date, last rotation date, next rotation due.

### Rotation cadence

- **Electronic badges:** reissued on role change or on annual rotation, whichever comes first.
- **Physical keys:** rotated every 3 years OR immediately on loss / compromise / departure of any keyholder.
- **Combination codes:** rotated every 12 months and on any departure of a code-holder.

### Loss / compromise response

Loss or suspected compromise of any physical access device triggers:

1. Immediate inventory update (status → `lost` or `compromised`)
2. Deactivation (electronic) or rekey / combination change (mechanical) within 1 business day
3. Incident log entry per §5 Incident Response (reuses §5 incident log format)

---

## §5 Website Content Review Procedure (AC.L1-b.1.iv supplement)

### Why this section exists

CIS IG1 safeguard 3.3 enforces data access control lists — it catches CUI / FCI accidentally placed in a storage bucket that is technically public. It does NOT catch sensitive information accidentally published to a legitimately public asset such as Bowman Machine Works, Inc.'s company website, marketing pages, partner portal, or GitHub organization. AC.L1-b.1.iv requires both controls.

### Scope of the review

The following public-facing assets are subject to periodic review:

- Bowman Machine Works, Inc. corporate website (`https://bowmanmachine.example`)
- Public documentation or knowledge base (`N/A — Bowman has no public documentation site`)
- Social media profiles used for company communication
- Public GitHub / GitLab organization (`N/A — Bowman has no public source repositories`)
- Any other public asset where authorized staff can publish content

### Review cadence

Content reviews are performed:

- **Pre-publication** for any new content on the scoped assets (author attests, reviewer approves before publish)
- **Quarterly retrospective** for the full site — sweep looking for content posted outside the pre-publication workflow

### What the reviewer is looking for

The reviewer flags any of:

- CUI, FCI, ITAR-covered technical data, or contract-identifying information (CAGE code paired with contract number, for example)
- Personally identifiable information beyond what is intended public (employee names in directory listing are fine; home addresses are not)
- Internal system names, IP addresses, or infrastructure diagrams that would aid an attacker
- Third-party confidential information (customer names paired with deliverable detail, for example)

Flagged content is removed or redacted within 2 business days and the incident is logged per §6.

---

## §6 Media Disposal Procedure (MP.L1-b.1.vii — on-prem / BYOD supplement)

This section supplements the cloud-native media disposal evidence (AWS shared responsibility) for on-premises or BYOD media.

### In scope

- Laptop SSDs / HDDs at decommissioning
- USB drives used to transport FCI
- Backup tapes (if used)
- Printer hard drives at lease return or disposal
- Employee personal devices that stored FCI during BYOD enrollment

### Acceptable methods

- NIST SP 800-88 Rev 1 `purge` or `destroy` for drives containing FCI
- Certified vendor destruction (shred / degauss) with a chain-of-custody certificate
- For cloud-only workloads: rely on the AWS shared responsibility attestation (AWS KMS envelope encryption with the key destroyed constitutes cryptographic erasure)

Each disposal produces a disposal record at `G:\Security\disposal-log.xlsx` with: device ID, disposal date, method, technician, certificate reference (if vendor destruction).

---

## §7 Policy Exceptions

Any deviation from this policy requires written approval from the Director of Operations. Exceptions are documented in the Exception Register at `G:\Compliance\exception-register.xlsx` with: scope, compensating control, expiration date, and approver. Open exceptions are reviewed quarterly.

---

## §8 Attestation

I, Margaret R. Bowman, President & Owner of Bowman Machine Works, Inc., attest that this Physical Protection Policy is in effect as of 2026-03-01, and that the controls described herein are implemented and operating.

**Signature:** _________________________
**Date:** _________________________

---

## Crosswalk — how this document satisfies CMMC L1

| CMMC L1 practice | Policy section |
|---|---|
| AC.L1-b.1.iv (website content review supplement) | §5 |
| MP.L1-b.1.vii (on-prem media supplement) | §6 |
| PE.L1-b.1.viii (facility access authorization) | §1 |
| PE.L1-b.1.ix (visitor escort) | §2 |
| PE.L1-b.1.x (physical access logs) | §3 |
| PE.L1-b.1.xi (badge and key inventory) | §4 |

Combined with the Prowler CIS IG1 automated scan output for the 12 green-set practices and the automated data-plane ACL checks for the amber AC.L1-b.1.iv practice, this policy completes the 17/17 CMMC L1 self-assessment evidence package.
