
How to Implement FAR 52.204-21 / CMMC 2.0 Level 1 - Control - PE.L1-B.1.VIII: Step-by-Step Guide to Limiting Physical Access to Information Systems

Practical, step-by-step guidance for small businesses to meet FAR 52.204-21 / CMMC 2.0 Level 1 PE.L1-B.1.VIII by limiting physical access to information systems with low-cost, auditable controls.

April 17, 2026

This guide shows how to implement FAR 52.204-21 / CMMC 2.0 Level 1 control PE.L1-B.1.VIII—limiting physical access to information systems—by walking through scoping, low-cost technical controls, policies, monitoring, and evidence collection that a small business can practically deploy to meet Compliance Framework requirements.

Why limiting physical access matters for Compliance Framework

FAR 52.204-21 and CMMC Level 1 require basic safeguarding of contractor information systems to prevent unauthorized disclosure, tampering, and theft of Federal Contract Information (FCI). The physical entry point is a primary attack vector: a malicious actor with physical access can bypass many software controls, steal devices with unencrypted data, or introduce malware on removable media. For Compliance Framework alignment, the objective is to reduce those risks to an auditable, repeatable baseline that a small business can defend and document.

Scope, planning, and scoping worksheet

Begin by scoping which systems and areas contain covered information. Create a simple scoping worksheet: list rooms, closets, desks, and endpoints (PCs, laptops, servers, network gear, removable media) and mark whether they process, store or transmit FCI. Tag each asset with an inventory ID (barcode or QR) and classify the area as public, restricted, or secured (e.g., reception vs. server closet). This inventory is the compliance artifact you will use in assessment and should be updated when assets move or are retired.

Step-by-step implementation: physical barriers and access control

1) Layer 1 — Perimeter and entry control

Install basic physical barriers appropriate for the risk. For many small businesses this means: a locked front door with keypad or card reader, a reception procedure for guests, and clear signage. Use cloud-managed badge systems (Openpath, Kisi-style) or local keypad locks if budget is tight—ensure credential management (issue/revoke badges) is tracked. Configure doors with fail-secure hardware where needed and document door hardware model and configuration in the control register.

2) Layer 2 — Controlled zones for systems

Define controlled zones for sensitive devices: server closets, network cabinets, desks where FCI is regularly accessed. Use physical locks (keyed or electronic) rated appropriately—ANSI/BHMA Grade 1/2 hardware for server rooms is recommended when affordable. Mount equipment in lockable racks; secure unmanaged routers and Wi‑Fi controllers in locked enclosures. For small businesses, a keyed cabinet and a rack-mount lock may be sufficient if combined with other controls.

3) Layer 3 — Device protection and anti-theft

Extend the controls to the device itself: enable full-disk encryption (BitLocker or FileVault) on laptops and desktops, set BIOS/UEFI passwords so the boot configuration cannot be changed to boot from external media, and use cable locks for workstations in open areas. Disable or control USB ports via OS group policy where possible (allow only approved devices). Keep spare keys and recovery tokens in a safe or with a designated security custodian, and document chain of custody for issuing those items.

Monitoring, logging, and procedural controls

Monitoring converts controls into evidence. Deploy motion-aware PoE cameras covering server rooms and main entry points (retain video per policy—30–90 days is common but align with contract/privacy rules). Maintain a visitor log (paper or digital) that captures name, company, purpose, time in/out, and host; keep visitor records for a period determined by contract (commonly 1 year). Record badge issuance and revocation in an access control log and produce periodic reports (e.g., monthly). For technical logging, forward physical access logs and camera events to a secure location (SIEM or an encrypted file store) so they can be produced in an audit.
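The monthly review the paragraph above asks for can be scripted so the evidence is produced the same way every month. The following is an added example, not code from the original guide; the CSV column layouts, the sample rows, and the 07:00–19:00 business-hours window are assumptions chosen for illustration. It reads a badge roster, an access-control log, and a visitor log, and returns the exceptions an assessor would ask about: a revoked badge that was still granted entry, credentials not on the roster, after-hours entry to a secured zone, and visitors with no sign-out time.

```python
"""Monthly physical-access evidence review (added example; formats are assumptions)."""
import csv
import io
from datetime import datetime, time

# Constructed sample data. Column layouts are assumptions for this example,
# not the output format of any particular badge or visitor-log product.
ROSTER_CSV = """badge_id,holder,status
B100,alice,active
B101,bob,revoked
B102,carol,active
"""

ACCESS_LOG_CSV = """timestamp,badge_id,door,zone,result
2026-03-03T08:55:00,B100,front,restricted,granted
2026-03-03T22:40:00,B102,server-closet,secured,granted
2026-03-04T09:10:00,B101,server-closet,secured,granted
2026-03-04T10:00:00,B999,front,restricted,denied
"""

VISITOR_LOG_CSV = """name,company,purpose,host,time_in,time_out
Dana,Vendor Co,rack install,alice,2026-03-03T13:00:00,2026-03-03T15:30:00
Eli,Courier,delivery,carol,2026-03-04T11:05:00,
"""

# Assumed policy window: entry to a secured zone outside these hours is reviewed.
BUSINESS_HOURS = (time(7, 0), time(19, 0))


def review(roster_csv, access_csv, visitor_csv):
    """Return a dict of exception lists suitable for the monthly compliance report."""
    roster = {r["badge_id"]: r for r in csv.DictReader(io.StringIO(roster_csv))}
    findings = {"revoked_badge_granted": [], "unknown_badge": [],
                "after_hours_secured": [], "visitor_no_signout": []}
    for e in csv.DictReader(io.StringIO(access_csv)):
        badge = roster.get(e["badge_id"])
        if badge is None:  # credential the roster does not know about
            findings["unknown_badge"].append(e["badge_id"])
            continue
        granted = e["result"] == "granted"
        if granted and badge["status"] != "active":  # revocation not applied at the door
            findings["revoked_badge_granted"].append((e["badge_id"], e["timestamp"]))
        at = datetime.fromisoformat(e["timestamp"]).time()
        if granted and e["zone"] == "secured" and not BUSINESS_HOURS[0] <= at <= BUSINESS_HOURS[1]:
            findings["after_hours_secured"].append((e["badge_id"], e["door"], e["timestamp"]))
    for v in csv.DictReader(io.StringIO(visitor_csv)):
        if not v["time_out"]:  # host never signed the visitor out
            findings["visitor_no_signout"].append((v["name"], v["host"], v["time_in"]))
    return findings
```

Each non-empty list is an item to investigate and record; an empty report is itself evidence that the month was reviewed.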

Real-world small-business scenarios and examples

Example A: A 12-person engineering firm handling FCI places all development laptops in a locked office when not in use, requires BitLocker with TPM+PIN, and issues RFID badges to staff via a cloud access control system. They retain badge logs for 90 days and export monthly reports for their compliance binder. Example B: A design shop with a limited budget uses a keypad lock for the back office, cable locks for laptops, and a paper visitor log; they perform quarterly spot checks to ensure devices are locked and inventory tags are present—these spot-check reports are part of the Compliance Framework evidence package.

Risks of non-implementation and compliance tips

Not implementing these controls exposes you to data theft, contractor repudiation, suspension of contract work, and regulatory penalties. For small businesses the most common failures are poor asset inventory, unchecked guest access, and unencrypted portable devices. Compliance tips: (1) document everything—policies, asset inventory, badge issuance, and logs; (2) prioritize high-impact, low-cost controls first (full-disk encryption, locks on server closets, visitor logs); (3) automate reporting where possible using cloud-managed access control and camera systems to reduce administrative burden; (4) schedule quarterly reviews and an annual tabletop to validate procedures.

Conclusion

Limiting physical access to information systems for FAR 52.204-21 / CMMC 2.0 Level 1 is achievable for small businesses with a pragmatic blend of policy, procedural hygiene, low-cost hardware, and monitoring. Start by scoping assets, implement layered physical and device-level controls, maintain logs and evidence, and validate controls through regular reviews. These steps reduce the risk of unauthorized access, provide auditable evidence for assessments, and form a repeatable compliance posture aligned with the Compliance Framework.
