
How to Deploy CCTV, Alarms and Sensors to Satisfy NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - PE.L2-3.10.2: An Implementation Checklist

Step-by-step, practical checklist to design, deploy, and document CCTV, alarms and sensors to meet NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 physical protection requirements (PE.L2-3.10.2).

April 11, 2026

This post gives a practical, implementation-focused checklist for deploying CCTV, alarms and sensors to satisfy the physical protection requirement PE.L2-3.10.2 under NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2, targeted at small businesses and government contractors that must protect Controlled Unclassified Information (CUI).

Why this control matters and the risk of not implementing it

PE.L2-3.10.2 requires organizations to protect and monitor physical access to areas housing systems or data associated with CUI. Failure to implement adequate CCTV, alarm and sensor coverage increases risk of unauthorized physical access, theft of hardware or media, covert data exfiltration, tampering with equipment, loss of contracts, and regulatory penalties. For a small business that stores program-related documents, a single tailgated visitor or unattended server cabinet can lead to a breach that undermines dozens of contracts and damages reputation.

High-level implementation approach

Start by mapping the physical environment (facility floor plans, server rooms, reception, entry/exit points, parking and shipping/receiving). From that map define "CUI zones" and physical security zones. For each zone, decide the required level of monitoring, detection and recording retention based on sensitivity and contract/DFARS requirements. Document these decisions in the System Security Plan (SSP) and track gaps in a Plan of Action & Milestones (POA&M).

Technical checklist — Cameras, placement and recording

Camera selection and placement

Choose cameras adequate for identification at required distances: typical small-business deployments use 1080p–4MP IP cameras. Use wide-angle lenses for corridors and PTZ or 4MP fixed for entrances. Key placements: all exterior doors, main reception, server/comm closets, shipping/receiving, and any secure desks where CUI is handled. Place cameras to cover badge readers and cabinet doors — do not point cameras at private areas (restrooms) to avoid privacy issues.

Recording, retention and storage

Define retention (e.g., 30–90 days depending on contract). Calculate storage from camera bitrate. Example: if each camera averages 2 Mbps (H.265, 15 fps), daily storage per camera ≈ 2 Mbps × 86,400 seconds/day ÷ 8 bits/byte ≈ 21 GB/day; for 10 cameras at 90 days ≈ 18.9 TB. Decide NVR vs cloud storage: NVR with RAID & scheduled offsite backups is cost-effective for small sites; cloud-managed systems simplify tamper-resistance and off-site retention but incur bandwidth and subscription costs.

Technical checklist — Alarms, sensors and integration

Sensor selection and zoning

Use door contacts (magnetic reed switches) on all secure doors, motion PIR sensors for after-hours detection, glass-break detectors on windows in vulnerable areas, and environmental sensors (temperature, humidity, water) for comm closets. Group sensors into intrusion zones matching physical zones in your SSP. Ensure sensors support tamper detection and supervision (end-of-line resistors or supervised loops) so loss of power/faults are logged.

Integration and automation

Integrate CCTV, intrusion, and access control system events into a central logging/monitoring system. For small businesses this could be a cloud dashboard or local SIEM/Syslog collector. Configure event correlation: for example, door forced-open + camera motion = high-priority alert. Ensure the alarm system can trigger automated recording pre/post-event to capture context (pre-buffering) and forward alerts to designated staff via SMS/email or to a monitoring service.
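The correlation rule described above (door forced-open + camera motion = high-priority alert), as an added example that is not part of the original post. The event tuple format, the 30-second window, the zone names and the "medium" priority for an uncorroborated forced door are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical normalized format:
# (ISO timestamp, source system, event type, zone)
SAMPLE_EVENTS = [
    ("2026-04-11T02:14:05", "access", "door_forced_open", "server-room"),
    ("2026-04-11T02:14:09", "cctv", "motion", "server-room"),
    ("2026-04-11T02:30:00", "cctv", "motion", "reception"),
    ("2026-04-11T03:00:00", "access", "door_forced_open", "shipping"),
    ("2026-04-11T03:10:00", "cctv", "motion", "shipping"),
]

WINDOW = timedelta(seconds=30)  # assumed correlation window


def correlate(events, window=WINDOW):
    """Return alerts in time order as (timestamp, zone, priority, reason)."""
    parsed = sorted(
        (datetime.fromisoformat(ts), src, kind, zone)
        for ts, src, kind, zone in events
    )
    motion = [(t, zone) for t, _, kind, zone in parsed if kind == "motion"]
    alerts = []
    for t, _, kind, zone in parsed:
        if kind != "door_forced_open":
            continue
        # Look for motion in the same zone shortly before or after the door
        # event; pre-buffered video can show motion just ahead of the contact.
        corroborated = any(
            z == zone and abs(m - t) <= window for m, z in motion
        )
        if corroborated:
            alerts.append((t, zone, "high", "forced door + camera motion"))
        else:
            # Assumption: still alert, at lower priority, so a forced door
            # in a camera blind spot is not silently dropped.
            alerts.append((t, zone, "medium", "forced door, no motion seen"))
    return alerts


if __name__ == "__main__":
    for ts, zone, priority, reason in correlate(SAMPLE_EVENTS):
        print(ts.isoformat(), zone, priority, reason)
```

Matching on zone as well as time keeps unrelated motion elsewhere in the building (the reception event in the sample) from escalating a door alert.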

Secure deployment and network considerations

Segment camera and alarm networks onto a dedicated VLAN with firewall rules allowing only management traffic from approved admin hosts. Use PoE (802.3af/at) switches for camera power and UPS on core network and NVRs. Harden device management: change default credentials, enable HTTPS/TLS for camera admin and RTSP streams, apply vendor updates quarterly or per CVE release, and disable unused services (Telnet/UPnP). For remote access use VPN or secure cloud portal with MFA; never expose camera management ports directly to the internet.
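One way to check an exported firewall ruleset against the segmentation policy above, as an added example that is not from the original post. The rule tuple format, the IP addressing, the rule names and the choice of 443 as the only management port are assumptions; replace them with the values recorded in your SSP.

```python
import ipaddress

# Assumed addressing for illustration; substitute the values in your SSP.
CAMERA_VLAN = ipaddress.ip_network("10.20.30.0/24")
ADMIN_HOSTS = [ipaddress.ip_network("10.20.10.5/32")]
MGMT_PORTS = {443}                              # HTTPS administration
INSECURE_PORTS = {23: "Telnet", 1900: "UPnP"}   # services to disable

# Constructed allow rules: (name, source CIDR, destination CIDR, dest port)
SAMPLE_RULES = [
    ("admin-https", "10.20.10.5/32", "10.20.30.0/24", 443),
    ("legacy-telnet", "10.20.10.5/32", "10.20.30.0/24", 23),
    ("office-lan-https", "10.20.0.0/16", "10.20.30.0/24", 443),
    ("vendor-remote", "0.0.0.0/0", "10.20.30.15/32", 443),
    ("printer", "10.20.10.0/24", "10.20.40.0/24", 9100),
]


def audit(rules):
    """Return (rule name, finding) for each allow rule that breaks the policy."""
    findings = []
    for name, src, dst, port in rules:
        src_net = ipaddress.ip_network(src)
        dst_net = ipaddress.ip_network(dst)
        if not dst_net.overlaps(CAMERA_VLAN):
            continue  # rule does not reach the camera/alarm VLAN
        if src_net.prefixlen == 0:
            findings.append((name, "reachable from any source, including the internet"))
        elif not any(src_net.subnet_of(a) for a in ADMIN_HOSTS):
            findings.append((name, "source is not an approved admin host"))
        if port in INSECURE_PORTS:
            findings.append((name, f"{INSECURE_PORTS[port]} should be disabled"))
        elif port not in MGMT_PORTS:
            findings.append((name, f"port {port} is not a management port"))
    return findings


if __name__ == "__main__":
    for rule, finding in audit(SAMPLE_RULES):
        print(f"{rule}: {finding}")
```

The findings list can be saved with the device configs as assessment evidence, and any rule that cannot be fixed immediately becomes a POA&M item.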

Operational practices, evidence and compliance documentation

Document retention policies, access control lists for video and alarm logs, and a process for exporting and preserving footage as forensic evidence. Maintain audit trails showing who accessed recordings and when; implement RBAC so only authorized roles can export or delete footage. In the SSP reference where cameras/alarms are located, storage sizes, retention periods, and the responsible owners. Collect evidence artifacts: device configs, screenshots of camera maps, NVR logs showing retention settings, incident reports, and routine test records to prove control implementation during assessments.

Testing, maintenance and training

Schedule periodic tests: walk tests for camera coverage (verify identification quality), intrusion system supervised health checks, and failover tests for UPS and NVR redundancy. Log all tests in maintenance records. Train reception and operations staff on alarm response procedures, evidence handling, and chain-of-custody for video exports. For small businesses, run quarterly tabletop exercises that simulate an after-hours break-in to validate alarm workflows and who gets notified.

Real-world small-business scenario

Example: A 30-employee engineering firm with a dedicated server room and a single public entrance. Deploy two exterior 4MP cameras covering the parking lot and main entrance, one interior camera positioned to view the reception area and badge reader, and one camera inside the server/telecom room (locked door). Add door contacts on the server room, a PIR sensor for after-hours motion, and an environmental sensor in the rack. Put cameras on a separate PoE VLAN, route NVR management through the IT admin VLAN, keep 60-day retention on local RAID1+hotspare NVR with weekly encrypted backups to cloud storage, and document all this in the SSP and monthly logs — this configuration demonstrates a practical, cost-controlled implementation satisfying PE.L2-3.10.2 expectations.

Compliance tips and best practices

Map every camera/sensor to a line item in the SSP and include screenshots and storage calculations as evidence. Use automated alerts for device failures and review logs weekly for anomalies. Keep firmware up to date and subscribe to vendor advisories. Avoid "security by obscurity": label intrusion zones, maintain tamper seals, and record who does maintenance. If you cannot fully implement a control immediately, create and track a POA&M with specific milestones (procurement, installation, testing) and temporary compensating controls (increased physical patrols, lock improvements) until the system is online.

In summary, meeting PE.L2-3.10.2 requires a practical combination of correctly placed CCTV, reliable alarms and sensors, secure network and device configuration, documented retention and access controls, and routine testing and evidence collection. For small businesses, focus on well-scoped zones, documented decisions in the SSP, affordable but secure hardware choices, and demonstrable operational practices — this combination will satisfy assessors and reduce the real-world risk of physical compromise to CUI.

 
