CMMC A to Z: Personnel, Physical Protection, and Recovery

This post results from the project “AMSec” within the Munich Cyber Security Program (MCSP) The MCSP is a cooperation project between Champlain College and ComCode (Germany). This project focuses on CMMC topics in the context of Additive Manufacturing

In today’s blog post we will be discussing the next few capability domains within the Department of Defence’s CMMC framework. These are Personnel Security, Physical Protection, and Recovery. As previously stated in this series, it’s important to note that these capability domains are all crucial to maintaining a secure and compliant environment, as far as the U.S. Department of Defense is concerned. The purpose of these blog posts is not simply to list out these domains and what they require, but to help others better understand why the DoD is looking for these practices as well as how crucial they are to supply chain security.

PS – Personnel Security

One important aspect of keeping data secure is ensuring that the individuals with access to it not only have proper authentication and authorization to access said information but also ensuring that they are properly equipped and capable of handling classified information or holding sensitive positions. Personnel security activities are concerned with developing processes to ensure that these individuals are properly vetted before assigning roles relevant to CUI use.

PE – Physical Protection

Something that I’ve always told people when discussing the niche areas of cybersecurity is the fact that it doesn’t matter how complex and secures your password is if someone has physical access to your workstation. Controlling, managing, and monitoring physical access to high-level devices. Physical protection can be broken down into a few different projects to ensure the highest level of security:

  1. Access control system implementation
    1. ID Card Scanners
    2. RFID scanners
    3. NFC Identification
    4. Biometrics
  2. External Building Controls
    1. Door locks
    2. Window locks
    3. Barbed Wire
    4. Warning signage
    5. Personnel (Private Security, Front Desk, etc.)
  3. Surveillance Implementation
    1. CCTV
    2. Motion Sensors
    3. Pressure sensors

RE – Recovery

These activities focus on sustaining business function and services even in times of trouble. Whether it’s backing up individual devices, storing data in secure locations, or having some type of system in place for system continuity. Not only is this important for security, as inaccessible data at rest internally can create some openings for threat actors, but it’s important for the business cycle as a whole. Non-Scheduled outages will undoubtedly create some hiccups for sure, but having a continuity and contingency plan in place will help to smooth out those unforeseen events. These can include network transferrals, remote locations for data storage, secure remote work policies, and more. It should also be noted that data that is lost due to such circumstances may not truly be lost, and it’s important to take this into account when looking at creating such a policy and plan.

I will be covering the remaining 5 capabilities throughout the coming weeks, including risk Management, Communication Protection, and Situational Awareness.

Follow us for more updates on this project!  For further questions about Munich Cyber Security Program, or this project please feel free to contact

Written By: Austin Grupposo ’23 // Digital Forensics & Cybersecurity

More Partners
The End: DFIR
Winding Down: CMMC Setbacks, MCSP Experience, and the Future
Classifying and Securing Devices