
How to Respond to Physical Access Incidents Under FAR 52.204-21 / CMMC 2.0 Level 1 - Control - PE.L1-B.1.IX: Incident Playbooks for Escort Failures, Log Tampering, and Device Compromise

Step-by-step incident playbooks and practical controls to satisfy FAR 52.204-21 and CMMC 2.0 Level 1 PE.L1-B.1.IX for escort failures, log tampering, and device compromise.

April 24, 2026

Responding quickly and correctly to physical access incidents is essential to meeting FAR 52.204-21 and CMMC 2.0 Level 1 control PE.L1-B.1.IX. The following practical playbooks, written for small businesses operating under the Compliance Framework, provide step-by-step actions, evidence-handling rules, and remediation tasks for escort failures, log tampering, and device compromise.

Incident Playbook Structure (applies to all three scenarios)

Each playbook below follows the same structure: Detection & Triage, Containment, Evidence Preservation, Eradication & Recovery, Notification & Reporting, and Lessons Learned. Maintain a single Incident Record (paper or electronic) for each incident and capture timestamps, actors, observed events, and actions taken. For compliance, ensure the playbook references contract-specific reporting obligations (contracting officer/DoD point-of-contact), internal policy citations (visitor/escort policy, log retention policy), and the Compliance Framework mapping (PE.L1-B.1.IX).

Specific Playbook: Escort Failures

Scenario: An unescorted visitor was seen near a server cabinet and an employee later admits they temporarily left a contractor unescorted. Immediate steps: (1) Secure the area — escort the visitor to a holding area and preserve the scene (do not move equipment). (2) Identify and verify the visitor using ID and sign-in logs; photograph the visitor and location with timestamps. (3) Check badge access logs, door controllers, and CCTV for the period in question. For small businesses without enterprise SIEM, pull door controller CSV logs and export camera footage to an external immutable medium (cloud or USB if policy allows) and compute a SHA-256 hash of each file (sha256sum or equivalent) to attest to integrity.

Specific Playbook: Log Tampering

Scenario: A system administrator notices missing log entries on a workstation, or the security appliance shows manipulated timestamps. Immediate steps: (1) Isolate affected systems from the network (remove the network cable or block at the switch) to prevent further tampering. (2) Preserve volatile data where feasible: if you have EDR or forensic capability, collect a memory image and run live collection scripts; otherwise take disk images using a write-blocker or use a trusted forensic technician. (3) Collect copies of centralized logs (SIEM, cloud logs) and verify whether upstream log sources still hold intact records; prioritize immutable or WORM storage for long-term logs. (4) Calculate SHA-256 hashes for images and logs and complete chain-of-custody forms with signatures and timestamps. For a small business, SaaS log retention or an inexpensive log collector (rsyslog forwarding to a remote immutable file store) is a practical mitigation.
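As an added example of step (3), not part of the original article: a POSIX shell check that compares a workstation's local auth log export against the copy held by the central collector and reports entries that exist upstream but are gone locally. The log lines are constructed for the example; it assumes both exports cover the same time window and that the collector stores lines in the same format the workstation writes (if your collector prefixes its own receive timestamp, strip it before comparing).

```shell
#!/bin/sh
# Compare a workstation's local auth log with the copy the central
# collector received. Entries present upstream but absent locally point
# to deletion on the host; entries present locally but never forwarded
# point to a forwarding gap that also needs explaining in the record.
# Both log samples below are constructed for this example.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed copy held by the collector (what rsyslog forwarded).
cat > "$WORK/remote.log" <<'EOF'
Apr 24 09:01:12 ws01 sshd[2041]: Accepted publickey for alice from 10.0.5.20 port 51122 ssh2
Apr 24 09:14:07 ws01 sshd[2077]: Failed password for root from 10.0.5.20 port 51190 ssh2
Apr 24 09:15:40 ws01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Apr 24 09:20:11 ws01 sshd[2041]: pam_unix(sshd:session): session closed for user alice
EOF

# Constructed copy still on the workstation when the admin looked.
cat > "$WORK/local.log" <<'EOF'
Apr 24 09:01:12 ws01 sshd[2041]: Accepted publickey for alice from 10.0.5.20 port 51122 ssh2
Apr 24 09:20:11 ws01 sshd[2041]: pam_unix(sshd:session): session closed for user alice
EOF

# comm needs sorted input; sort working copies, never the exports themselves.
prep() {
    sort "$1" > "$WORK/local.sorted"
    sort "$2" > "$WORK/remote.sorted"
}

# Lines only in the collector's copy: gone from the host.
deleted_locally() {
    prep "$1" "$2"
    comm -13 "$WORK/local.sorted" "$WORK/remote.sorted"
}

# Lines only on the host: never reached the collector.
not_forwarded() {
    prep "$1" "$2"
    comm -23 "$WORK/local.sorted" "$WORK/remote.sorted"
}

# Counts for the incident record (awk prints a clean integer, unlike wc on some platforms).
count_deleted()     { deleted_locally "$1" "$2" | awk 'END { print NR }'; }
count_unforwarded() { not_forwarded "$1" "$2" | awk 'END { print NR }'; }

echo "Entries missing from local auth.log (present on collector):"
deleted_locally "$WORK/local.log" "$WORK/remote.log"
echo "Deleted: $(count_deleted "$WORK/local.log" "$WORK/remote.log"); not forwarded: $(count_unforwarded "$WORK/local.log" "$WORK/remote.log")"
```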

Specific Playbook: Device Compromise

Scenario: A laptop connected to the corporate network is observed running unknown processes and contacting suspicious external IPs. Immediate steps: (1) Network containment: isolate the device using NAC, VLAN quarantine, or simply unplug the network cable and disable Wi‑Fi. (2) Decide between live response and powered-down forensics: if you have in-house EDR with memory capture, perform memory acquisition and collect running process/network artifacts; if not, document the device's state and then power it off to prevent further spread. (3) Create a full disk image (dd or forensic tools such as FTK Imager/Guymager) and store it with its hash. (4) Scan the image in a sandbox or offline VM to identify malware and indicators of compromise (IOCs), then push the IOCs to endpoint protection and firewall rules to block lateral movement. (5) Rebuild or reimage the device from known-good media, restore from verified backups, and change all credentials associated with the device. Small businesses can use cloud EDR subscriptions and managed service providers (MSPs) to assist with memory capture and controlled forensics.

Practical Implementation Details for a Small Business under the Compliance Framework

Implementation tips: (a) Maintain a simple printed and digital incident playbook accessible at the security console and held by managers; (b) configure door access controllers, badge readers, and CCTV with NTP time sync so that logs correlate; (c) centralize logs to a cloud SIEM or an immutable storage endpoint with a retention policy that meets your contract; (d) train non-IT staff on escort rules and immediate steps (secure the area, call security/IR); (e) pre-contract with a forensic vendor/MSSP and establish SLAs so that small shops are not forced into ad-hoc, error-prone evidence collection during an incident.

Technical Steps & Evidence Handling (specific commands and artifacts)

Technical checklist examples: capture system state with netstat -anp (Linux) or netstat -ano (Windows), list running processes (ps aux or tasklist /v), export firewall/ACL configs, and collect the relevant logs. For imaging use dd if=/dev/sdX of=/mnt/forensic/device-image.dd bs=4M and then sha256sum device-image.dd > device-image.sha256. Timestamp and label physical evidence bags and photograph the seals. Maintain a chain-of-custody form that records who handled the media, when, and where it was stored. If log tampering is suspected, compare local logs with the remote centralized copies and trace any deletion operations back to their source (check /var/log/auth.log, Windows Event Forwarding, or appliance-specific audit trails).
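An added example, not from the original article, that ties the hashing steps of the escort-failure and log-tampering playbooks to the chain-of-custody form described here: a POSIX shell script that builds a SHA-256 manifest for an evidence folder, appends a custody entry carrying the manifest's own hash, and re-verifies the folder so that any post-collection alteration is caught. The evidence files, the handler name j.doe and the bag label E-0001 are constructed stand-ins; it assumes sha256sum (Linux) or shasum (macOS/BSD) is available.

```shell
#!/bin/sh
# Hash manifest plus chain-of-custody log for an evidence folder holding
# door-controller CSV exports, camera clips and disk images. Evidence
# files below are constructed stand-ins for this example.
set -e
EVID=$(mktemp -d)
trap 'rm -rf "$EVID"' EXIT

printf 'timestamp,door,badge,result\n2026-04-24T09:02:10Z,SRV-01,B1042,granted\n' > "$EVID/door-srv01.csv"
printf 'constructed stand-in for exported camera footage\n' > "$EVID/cam-lobby-0900.mp4"

# sha256sum on Linux; shasum -a 256 on macOS/BSD. Both print "hash  path".
hash_cmd() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"; else shasum -a 256 "$@"; fi
}

# Hash every evidence file except the manifest and custody log themselves.
make_manifest() {
    ( cd "$1" && find . -type f ! -name MANIFEST.sha256 ! -name CUSTODY.log | sort |
        while read -r f; do hash_cmd "$f"; done ) > "$1/MANIFEST.sha256"
}

# Recompute and compare; exit status 0 only if every file still matches.
verify_manifest() {
    ( cd "$1" && if command -v sha256sum >/dev/null 2>&1; then sha256sum -c MANIFEST.sha256
                 else shasum -a 256 -c MANIFEST.sha256; fi ) >/dev/null 2>&1
}

# Append one custody line: UTC time, handler, action, hash of the manifest
# itself, so a later edit to the manifest is also detectable.
custody_entry() {
    mhash=$(hash_cmd "$1/MANIFEST.sha256" | cut -d' ' -f1)
    printf '%s\t%s\t%s\tmanifest=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$2" "$3" "$mhash" >> "$1/CUSTODY.log"
}

# Walk the flow: manifest, custody entry, clean verify, simulated alteration, re-verify.
# Returns 0 only if the untouched copy verified and the altered copy was caught.
run_demo() {
    make_manifest "$EVID"
    custody_entry "$EVID" "j.doe" "collected door CSV and lobby clip; sealed bag E-0001"
    verify_manifest "$EVID" || return 1
    printf 'edited after collection\n' >> "$EVID/door-srv01.csv"
    if verify_manifest "$EVID"; then return 1; fi
    custody_entry "$EVID" "j.doe" "verify FAILED on door-srv01.csv; escalated to IR lead"
}

DEMO_RESULT=0
run_demo || DEMO_RESULT=$?
echo "demo result: $DEMO_RESULT (0 = alteration detected, custody log updated)"
```

Keep MANIFEST.sha256 and CUSTODY.log on the immutable medium alongside the evidence, and record the manifest hash on the paper custody form as well.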

Compliance Tips, Best Practices, and Risks of Non-Implementation

Best practices: implement mandatory escort policies with disciplinary and training follow-up, adopt immutable logging (WORM/cloud archive), require two-person access for sensitive areas, and test playbooks quarterly with tabletop exercises. Document every incident, even near-misses, and feed findings into your risk register and POA&M. The risk of not implementing these controls is high: unauthorized physical access can lead to loss of FCI/CUI, supply-chain compromise, contract violations, costly remediation, loss of facility accreditation, or termination of contracts. Additionally, poor evidence handling can render an audit or investigation inconclusive, exposing the organization to regulatory penalties and reputational damage.

Summary: Build concise, role-specific incident playbooks for escort failures, log tampering, and device compromise that map to FAR 52.204-21 and CMMC PE.L1-B.1.IX, incorporating rapid containment, forensic preservation, documented chain-of-custody, and clear reporting lines; for small businesses, combine low-cost technical controls (centralized immutable logging, cloud EDR) with prepared relationships to MSPs/forensic vendors, regular training, and quarterly exercises to reduce risk and demonstrate compliance.

 
