This post provides a practical, action-oriented playbook to build a physical access control checklist aligned with FAR 52.204-21 and CMMC 2.0 Level 1 control PE.L1-B.1.VIII — focused on what a small business must do, how to document it, and affordable technical choices to reduce risk while producing auditable evidence.
Understanding FAR 52.204-21 and CMMC PE.L1-B.1.VIII
Both FAR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems) and CMMC 2.0 Level 1 require safeguarding federal contract information (FCI) and limiting physical access to systems and areas that store, process, or transmit FCI. Control PE.L1-B.1.VIII is a practical directive to prevent unauthorized physical access to information systems and the media that contain FCI — this means doors, server closets, shared desks, removable media, and portable hard drives must be controlled, monitored, and logged.
How to structure your implementation
Start with scope: identify spaces and assets that handle FCI (workstations, servers, printers, network closets). Create a short policy that states who is authorized, what controls are used (locks, badges, escorting visitors), and how access events are logged and reviewed. The checklist should align to four phases: Identify, Protect (controls), Monitor & Test, and Document & Report — mapping directly to common compliance frameworks and providing evidence for audits.
Physical Access Control Checklist (practical items)
- Asset & space inventory — list rooms, closets, and devices that handle FCI (include model/serial number, location, and owner).
- Authorization list — maintain an up-to-date roster of authorized personnel for each secured area (name, role, access level, provisioning/deprovisioning date).
- Access control method — define and implement door locks (mechanical, keyed, keypad, electronic badge), specifying fail-secure vs fail-safe behavior and power/backup needs.
- Logging & retention — ensure access system logs include user ID, door ID, timestamp, action (grant/deny), and reason (if applicable); retain logs at least 90–180 days (recommend 180 days for stronger evidence).
- Visitor handling — visitor sign-in, photo ID check, temporary badges, escorts, and a policy for visitors to sensitive areas (no unsupervised access to FCI areas).
- Deprovisioning process — documented steps for immediate removal of access for terminated/changed personnel, including badge revocation and changing shared PINs.
- Surveillance and detection — camera placement to cover entrances and server closets (with date/time stamps), and integration with access logs where possible.
- Maintenance & testing schedule — periodic (quarterly) checks of locks, badge readers, camera health, and monthly review of access log anomalies.
- Media handling — secure storage for removable media, labeled media destruction process (shredding or crypto-erase), and rules for removing devices from the facility.
- Evidence and documentation — photos of controls, exported access logs, change history for authorization lists, and receipts for purchased devices.
Example (small business scenario): a 12-person consultancy with a single server rack in a locked closet. Implementation can be simple: replace the keyed lock on the closet door with an electronic keypad or low-cost RFID reader, maintain a spreadsheet of authorized badge IDs, mount a single camera to record the closet door, and copy the daily access log exports to a secure folder each week. Deprovisioning: HR emails IT when someone leaves; IT revokes the badge via the cloud ACS interface within 1 hour and archives the event log.
Technical details to implement correctly
Choose access control systems (ACS) that support unique credentials (no shared generic accounts), strong timekeeping (NTP-synced timestamps), and log export (CSV or syslog). Ensure communications between readers/controllers and the management console use encrypted channels (TLS 1.2+). For critical doors, require two-factor physical access (badge + PIN) where possible. Provide UPS power to controllers and electric strikes or maglocks to maintain access during short outages, and define emergency egress behavior consistent with life-safety codes.
Integrate ACS logs with an audit process: configure automatic daily exports retained in a tamper-evident location (write-once or versioned cloud storage). Ensure log fields include user ID, credential type, door/device ID, event type (grant/deny), and the controller serial number. If you have a SIEM or log aggregator, forward syslog with TLS to centralize review and alerting for repeated denied attempts or access outside work hours.
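As an added example (not part of the original post or any ACS vendor's tooling), the following Python script reviews a CSV export carrying the log fields recommended above and flags the two anomaly classes named here: repeated denied attempts and grants outside work hours. The sample rows, the business-hours window and the denial thresholds are constructed assumptions; adjust them to your policy.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, time, timedelta

# Constructed sample ACS export (not a real device log); columns follow the fields recommended above.
SAMPLE_CSV = """timestamp,user_id,credential_type,door_id,event_type,reason,controller_serial
2024-03-04T08:02:11Z,u1042,badge,SRV-CLOSET,grant,,CTRL-0001
2024-03-04T12:15:40Z,u1077,badge+pin,SRV-CLOSET,deny,bad_pin,CTRL-0001
2024-03-04T12:16:05Z,u1077,badge+pin,SRV-CLOSET,deny,bad_pin,CTRL-0001
2024-03-04T12:16:31Z,u1077,badge+pin,SRV-CLOSET,deny,bad_pin,CTRL-0001
2024-03-04T23:41:09Z,u1042,badge,SRV-CLOSET,grant,,CTRL-0001
2024-03-09T10:05:00Z,u1090,badge,FRONT-DOOR,grant,,CTRL-0002
"""

WORK_START, WORK_END = time(7, 0), time(19, 0)  # assumed business hours (UTC, NTP-synced controller)
DENY_THRESHOLD, DENY_WINDOW = 3, timedelta(minutes=10)  # assumed review thresholds

def parse_events(text):
    """Parse a CSV export into dicts, adding a datetime under 'ts', oldest first."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(row)
    return sorted(events, key=lambda e: e["ts"])

def after_hours_grants(events):
    """Grants on weekends or outside business hours; review these against change tickets."""
    return [e for e in events
            if e["event_type"] == "grant"
            and (e["ts"].weekday() >= 5
                 or not WORK_START <= e["ts"].time() < WORK_END)]

def repeated_denials(events):
    """(user_id, door_id) pairs with DENY_THRESHOLD or more denials inside one DENY_WINDOW."""
    hits, by_key = set(), defaultdict(list)
    for e in events:
        if e["event_type"] == "deny":
            by_key[(e["user_id"], e["door_id"])].append(e["ts"])
    for key, stamps in by_key.items():  # stamps are already time-ordered
        for i in range(len(stamps) - DENY_THRESHOLD + 1):
            if stamps[i + DENY_THRESHOLD - 1] - stamps[i] <= DENY_WINDOW:
                hits.add(key)
                break
    return sorted(hits)

if __name__ == "__main__":
    evs = parse_events(SAMPLE_CSV)
    for e in after_hours_grants(evs):
        print("AFTER-HOURS grant", e["ts"], e["user_id"], e["door_id"])
    for user, door in repeated_denials(evs):
        print("REPEATED-DENY", user, door)
```

Run it against the daily export as part of the monthly log review; the flagged rows, with the ticket that explains each one, are the evidence an auditor asks for.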
Operational controls matter as much as hardware: define who escorts visitors, require photo ID checks, enforce a clean-desk policy to avoid leaving FCI on open desks, and use locked storage for media. Create a deprovisioning checklist executed on termination or role change (revoke badge, collect keys, change shared PINs, reassign system accounts). Schedule quarterly access reviews where managers confirm the current authorization list and sign off on changes.
Risks of not implementing these controls include unauthorized disclosure of FCI, theft of devices, contract loss, civil penalties, and reputational damage. For example, an unlocked server closet could allow a malicious insider or intruder to clone hard drives containing sensitive contract information — resulting in immediate breach reporting obligations and potential disqualification from future federal work.
Compliance tips, evidence collection, and best practices
Prioritize documentation: the auditor cares about evidence — policies, the authorization roster, exported logs, photos of locked areas, and records showing deprovisioning actions. Use change control for physical access changes (a ticketing system entry to add/remove personnel) and attach screenshots or export files to the ticket. For small budgets, consider cloud-managed ACS vendors that provide easy revocation, logging, and automated exports; for higher security, use on-prem controllers with encrypted channels and local log retention plus off-site backups.
Finally, test your controls: run table-top exercises simulating an employee termination, a lost badge, or a late-night unauthorized access attempt. Verify that the deprovisioning workflow completes in your target SLA (e.g., within 1 hour), and that logs show the expected events. These tests are strong audit evidence and reduce the chance of a real incident.
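An added example, not from the original post, of turning the deprovisioning test into a repeatable check: it reconciles HR termination times with ACS badge-revocation events and any later grants against the 1-hour SLA stated above. The HR and ACS records here are constructed; in practice they come from the HR ticket and the ACS export.

```python
from datetime import datetime, timedelta

SLA = timedelta(hours=1)  # target from the deprovisioning policy above

def ts(s):
    """Parse the ISO-8601 UTC timestamps used in the constructed records."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

# Constructed records (not from a real HR system or ACS): when HR notified IT,
# when the ACS shows the badge disabled, and grants recorded for those badges.
HR_TERMINATIONS = {
    "u1077": ts("2024-03-11T09:00:00Z"),
    "u1042": ts("2024-03-11T15:30:00Z"),
    "u1090": ts("2024-03-12T08:00:00Z"),
}
ACS_REVOCATIONS = {
    "u1077": ts("2024-03-11T09:20:00Z"),
    "u1042": ts("2024-03-11T17:45:00Z"),
}
ACS_GRANTS = [
    ("u1077", ts("2024-03-11T08:30:00Z"), "FRONT-DOOR"),
    ("u1042", ts("2024-03-11T16:10:00Z"), "SRV-CLOSET"),
]

def check_deprovisioning(terminations, revocations, grants, sla=SLA):
    """Return {user_id: [finding, ...]}; an empty list means the user passed."""
    findings = {}
    for user, t_end in terminations.items():
        issues = []
        t_rev = revocations.get(user)
        if t_rev is None:
            issues.append("badge still active: no revocation event in ACS")
        elif t_rev - t_end > sla:
            issues.append(f"revoked {t_rev - t_end} after termination; SLA is {sla}")
        # Any grant at or after the termination time is a control failure,
        # regardless of whether revocation eventually happened.
        for u, t, door in grants:
            if u == user and t >= t_end:
                issues.append(f"grant at {door} {t.isoformat()} after termination")
        findings[user] = issues
    return findings

if __name__ == "__main__":
    for user, issues in check_deprovisioning(HR_TERMINATIONS, ACS_REVOCATIONS, ACS_GRANTS).items():
        print(user, "OK" if not issues else "; ".join(issues))
```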
Summary: Build your checklist by scoping assets, selecting appropriate physical controls (locks, badges, cameras), implementing robust logging and deprovisioning, and maintaining documented evidence and periodic reviews — practical steps that small businesses can implement economically to meet FAR 52.204-21 and CMMC 2.0 Level 1 PE.L1-B.1.VIII requirements while materially reducing the risk of FCI exposure.