
How to Audit Your Physical Security: Checklist to Verify Compliance with FAR 52.204-21 / CMMC 2.0 Level 1 - Control - PE.L1-B.1.IX

Step-by-step physical security audit checklist to verify compliance with FAR 52.204-21 and CMMC 2.0 Level 1 (PE.L1-B.1.IX), with practical steps, evidence to collect, and small-business examples.

April 04, 2026

Auditing physical security for FAR 52.204-21 and CMMC 2.0 Level 1 (PE.L1-B.1.IX) is about proving that only authorized people can reach the systems and media that hold covered contractor information (CCI; the term FAR 52.204-21 actually defines is Federal contract information, FCI, residing on covered contractor information systems) or, where you also handle it, controlled unclassified information (CUI). This post gives you a practical checklist, technical implementation guidance, and small-business examples so you can run an effective audit and close gaps promptly.

Framework and Control Overview

Framework: FAR 52.204-21 / CMMC 2.0 Level 1

PE.L1-B.1.IX corresponds to FAR 52.204-21(b)(1)(ix), which requires you to escort visitors and monitor visitor activity, maintain audit logs of physical access, and control and manage physical access devices (keys, badges, lock combinations). It works alongside the companion requirement to limit physical access to organizational systems, equipment and their operating environments to authorized individuals, so in practice an audit of this control covers the areas where CCI/CUI or organizational information systems are stored or processed, visitor management and escorting, and the evidence that these controls function as intended. The goal is simple: demonstrate that you prevented unauthorized physical access to systems, devices, and media.

Practice

This Practice covers tangible controls: locks, badge/card readers, visitor logs and escort policies, locked cabinets for media, CCTV where reasonable, and procedures for issuing and revoking physical access. Whether you are performing the annual Level 1 self-assessment or a prime contractor is reviewing it, the expectation is verifiable artifacts: access lists, configuration settings, log exports, photos of controls, and documented policies with training records.

Requirement and Key Objectives

Key objectives you must demonstrate in an audit: (1) identify and document controlled areas (server closets, storage for CUI, workstations handling CCI), (2) ensure access is limited to authorized personnel, (3) maintain and review physical access records, and (4) provide procedures for visitor handling and badge/key management. Evidence must be current and show regular review and corrective action where needed.

Implementation Notes

Implementation should be proportionate to your size and risk. For a small business (5–50 employees) practical controls include keyed locks with a controlled key log or an electronic access control system (ACS) using prox or smart badges, locked cabinets for paper CUI, visitor sign-in with ID verification and escort rules, and CCTV with at least 30–90 days retention depending on contract sensitivity. Ensure ACS controllers are on a UPS and keep firmware updated; capture and export access events for periodic review.

Practical Audit Checklist

Use this actionable checklist during the audit:

1. Walk the facility and identify controlled areas; take photos of doors, locks, and signage.
2. Review the access control list and confirm each person listed has a business justification.
3. Verify visitor logs (paper or digital) and escort records for the last 90 days.
4. Inspect locked storage for CUI and verify labeling and access.
5. Export ACS logs for a 90-day window and sample-check entries against timesheets or badge-holder claims.
6. Check CCTV coverage and retention policy; pull a clip to prove playback works.
7. Review procedures for issuing and revoking badges and keys, and check two recent revocations to confirm the process was followed.
8. Verify periodic physical inventories of devices and media, and check tamper-evident seals where used.

Technical Implementation Details

Be specific during evidence collection: export ACS logs in CSV or syslog format with timestamps, door IDs, credential/badge IDs and the grant/deny result (you need all four to reconcile events against HR records); document controller firmware versions and network segmentation (ACS on a management VLAN with firewall rules); confirm TLS/HTTPS between controllers and management consoles; and verify backup power for locks and readers. Also note which reader-to-controller protocol is in use: classic Wiegand wiring carries card data in the clear, while OSDP with Secure Channel encrypts it, so a Wiegand reader on an exterior door is worth recording in the audit. For cameras, record the codec and retention configuration (e.g., H.264, motion-based recording, retention set to 90 days). For locked cabinets, use keyed cam-locks plus a written key custody ledger or an electronic lock audit trail. If you disable USB ports to reduce media exfiltration risk, capture the endpoint configuration settings and a sample policy-enforcement report.

Small-Business Scenarios and Examples

Example 1: A 12-person engineering firm stores drawings with CUI in a locked two-drawer cabinet in a shared office. Audit steps: photograph the cabinet label, confirm only 2 authorized employees have keys, inspect key log, and verify the cabinet is included in the quarterly inventory. Example 2: A 30-person subcontractor uses a cloud-based ACS with prox badges. Audit steps: export last 6 months of badge events for server room doors, sample-match events to HR records for badge holder employment dates, and inspect the ACS admin account activity for recent configuration changes. These concrete checks help auditors verify that policies are implemented, not just written.
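The log reconciliation described in checklist step 5 and in Example 2 can be scripted. The Python below is an added example, not code from this page or from Lakeridge: it parses a constructed ACS badge-event export and a constructed HR roster, then flags granted entries by a badge whose holder was terminated more than 24 hours earlier (the revocation window recommended in the best practices below), events from badges that are not on the roster at all, after-hours entries to controlled doors, and denied attempts. The column names, door IDs, badge IDs, and the 07:00-19:00 business-hours window are assumptions for the example; real ACS exports use vendor-specific columns, so adjust the field names to match yours.

```python
"""Reconcile ACS badge events against an HR roster (added example; constructed data)."""
import csv
import io
from datetime import date, datetime, timedelta, timezone

# Constructed sample ACS export. Column names are an assumption, not a vendor format.
ACS_CSV = """timestamp,door_id,badge_id,result
2026-01-05T08:02:11Z,SERVER-ROOM-1,B1001,granted
2026-01-05T22:47:03Z,SERVER-ROOM-1,B1002,granted
2026-01-05T23:10:00Z,FRONT-DOOR,B1002,granted
2026-01-06T09:15:40Z,SERVER-ROOM-1,B1003,granted
2026-01-07T07:58:22Z,SERVER-ROOM-1,B1001,granted
2026-01-08T10:31:05Z,SERVER-ROOM-1,B1004,denied
2026-01-09T11:02:17Z,SERVER-ROOM-1,B1003,granted
2026-01-10T14:20:00Z,SERVER-ROOM-1,B1099,granted
"""

# Constructed HR roster: hire date and, for leavers, termination date (ISO dates).
HR_CSV = """badge_id,name,hired,terminated
B1001,Alice Example,2023-03-01,
B1002,Bob Example,2022-06-15,
B1003,Carol Example,2021-01-10,2026-01-02
B1004,Dan Example,2025-11-20,
"""

CONTROLLED_DOORS = {"SERVER-ROOM-1"}   # assumption: only this door holds CUI systems
BUSINESS_HOURS = (7, 19)               # assumption: 07:00-19:00 UTC is normal working time
REVOCATION_SLA = timedelta(hours=24)   # badge must be disabled within 24h of termination


def _parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp; 'Z' is rewritten so older Pythons accept it."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def load_events(csv_text: str) -> list[dict]:
    """Turn the ACS CSV export into event dicts with a timezone-aware datetime."""
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        events.append({
            "ts": _parse_ts(row["timestamp"]),
            "door": row["door_id"],
            "badge": row["badge_id"],
            "granted": row["result"].strip().lower() == "granted",
        })
    return events


def load_roster(csv_text: str) -> dict[str, dict]:
    """Index the HR roster by badge ID; 'terminated' is None for active staff."""
    roster = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        roster[row["badge_id"]] = {
            "name": row["name"],
            "hired": date.fromisoformat(row["hired"]),
            "terminated": date.fromisoformat(row["terminated"]) if row["terminated"] else None,
        }
    return roster


def audit_acs(events, roster, doors=CONTROLLED_DOORS, sla=REVOCATION_SLA, hours=BUSINESS_HOURS):
    """Return finding lists keyed by check name for events on the controlled doors."""
    findings = {"post_termination": [], "unknown_badge": [], "after_hours": [], "denied": []}
    for e in events:
        if e["door"] not in doors:
            continue  # other doors are out of scope for this control
        holder = roster.get(e["badge"])
        if holder is None:
            # A badge with no owner in HR: shared, lost, or never reconciled.
            findings["unknown_badge"].append((e["badge"], e["ts"].isoformat()))
            continue
        if not e["granted"]:
            findings["denied"].append((e["badge"], e["ts"].isoformat()))
            continue
        term = holder["terminated"]
        if term is not None:
            # Access granted after termination date + SLA means revocation failed.
            cutoff = datetime.combine(term, datetime.min.time(), tzinfo=timezone.utc) + sla
            if e["ts"] > cutoff:
                findings["post_termination"].append((e["badge"], holder["name"], e["ts"].isoformat()))
        if not (hours[0] <= e["ts"].hour < hours[1]):
            findings["after_hours"].append((e["badge"], e["ts"].isoformat()))
    return findings


def run_audit() -> dict:
    """Run all checks over the constructed sample data."""
    return audit_acs(load_events(ACS_CSV), load_roster(HR_CSV))


if __name__ == "__main__":
    for check, items in run_audit().items():
        print(f"{check}: {len(items)} finding(s)")
        for item in items:
            print("   ", item)
```

Keep the script output with the exported CSV and the HR extract as audit evidence; each finding maps directly to a remediation (disable the badge, reconcile the unknown credential, confirm the after-hours entry against a change ticket).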

Compliance Tips, Best Practices and Risks

Best practices: maintain a documented visitor escort policy enforced at reception, revoke badges within 24 hours of termination, retain access logs for at least 90 days (or as required by prime contract), conduct quarterly physical access reviews, and test badge revocation by simulating a termination. Technical hygiene: keep ACS and CCTV firmware up-to-date, limit admin console access via MFA and VPN, and store key custody logs offline to prevent tampering. Risks of non-implementation include unauthorized disclosure of CUI, contract penalties or termination, loss of future contracting opportunities, and reputational damage—consequences that disproportionately hurt small businesses.

Summary: Run the checklist, gather the technical and administrative evidence listed above, remediate gaps (revoke unused badges, repair faulty locks, update firmware), and document remediation with timestamps and responsible owners. Consistent, proportionate physical controls plus simple audit-ready artifacts (logs, photos, policies, and training records) will put a small business in a strong position to demonstrate compliance with FAR 52.204-21 and CMMC 2.0 Level 1 (PE.L1-B.1.IX).

 
