This post shows a practical, step-by-step plan to implement NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 control PE.L2-3.10.1 — limiting physical access to authorized individuals — with specific technical details, policies, and small-business scenarios so you can produce assessment artifacts and operational controls that auditors expect.
Step-by-step implementation plan
Step 1 — Identify, classify, and zone CUI areas
Start by inventorying where Controlled Unclassified Information (CUI) is created, processed, stored, or discussed — for a small business this might include a single office area, a server closet, or employee laptops. Create a zone map that identifies CUI Zones (e.g., CUI Office, CUI Storage Room, Server Closet) and non-CUI zones. Example: a 25-person government contractor designates one conference room and one file room as "CUI Zones" and posts signs indicating access restrictions. Zones determine what level of physical control is required and what devices (badge readers, locks, cameras) are necessary.
Step 2 — Policy, approval workflow, and roles
Draft a short "Physical Access Control Policy" and supporting procedures: Access Approval Process, Visitor Management Procedure, Key and Badge Management, and Termination/Transfer Checklist. Define roles: Facility Security Officer (FSO), Badge Administrator, IT Owner, and Contracting Officer Representative (COR) approver. Example workflow: manager requests access via ticketing system → HR performs vetting/background check if required → FSO approves → Badge Admin programs badge into access control system. Keep signed access approval records and a Change Log as artifacts for assessors.
Step 3 — Implement physical and technical controls
Choose controls that match zone risk and budget. For exterior and interior doors into CUI Zones, use electronic door locks with badge readers (prefer OSDP-capable readers, which support encrypted reader-to-controller communication; Wiegand is legacy but common). For lock hardware choose ANSI/BHMA Grade 1 or 2 for entry points; simple file cabinets can use Grade 2 or tamper-evident seals. Integrate your access control system with your identity source (Active Directory or a cloud IdP) via RADIUS/LDAP so that disable/enable actions are centralized rather than repeated per system. For higher assurance, deploy smart cards (PIV/CAC) or multi-factor authentication for door controllers that support it. Small-business example: a $4–6k package (controller, 2-3 readers, badges, strikes) plus cloud-managed cameras gives strong protection for a single office.
Step 4 — Operational controls: visitor handling, keys, and personnel changes
Operational controls enforce policy: require visitors to sign in, wear temporary badges, and be escorted in CUI Zones. Maintain a physical visitor log and an electronic audit trail (photo, ID used, escort name). Implement key control: issue physical keys sparingly, log issuance, and require return; consider rekeying locks when keys are lost. For personnel changes, implement a termination checklist that immediately disables badges and network accounts; test the process monthly. Small-business scenario: receptionist checks ID, creates a visitor ticket in the ticketing system, and an assigned escort escorts the visitor into the designated room — all recorded in the ticket and archived for the CMMC assessor.
Step 5 — Monitoring, logging, and verification
Collect and retain access logs and correlate events: door open/close, badge presented (success/failure), forced-entry alarms, and CCTV motion events. Time-synchronize devices with NTP and centralize logs to a SIEM or log server. Recommended retention: at least 90 days for CCTV (extend to 1+ year for logs related to incidents; keep audit artifacts for the period required by the contract). Periodically (monthly or quarterly) run access reviews — validate that assigned access matches personnel responsibilities and that terminated accounts are disabled. Technical tips: keep access control controllers on a segregated management VLAN, enforce TLS for management interfaces, change default credentials, and patch firmware on controllers and cameras promptly.
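The periodic access review described in Step 5 (and the termination check from Step 4) can be scripted against an export from the access control system. The following is an added example, not code from the original post or from any particular product: it joins a constructed HR roster with a constructed badge-event export and flags enabled badges held by terminated staff, denied badge attempts at CUI-zone doors, badges unused for longer than a stale threshold (the "last-seen" evidence from the checklist), and events from badge IDs not on the roster. The CSV column names, the sample data, and the 60-day threshold are assumptions.

```python
# Added example, not from the original post. Correlates a constructed HR
# roster with a constructed badge-event export and returns review findings.
# Column names, CSV layout, sample data and the 60-day stale threshold are
# assumptions about what a real access control export would look like.
import csv
from datetime import datetime, timedelta
from io import StringIO

ROSTER_CSV = """badge_id,name,status,badge_enabled
1001,A. Adams,active,yes
1002,B. Brown,terminated,yes
1003,C. Chen,active,yes
1004,D. Diaz,active,yes
"""

EVENTS_CSV = """timestamp,badge_id,door,zone,result
2024-05-01T08:02:11,1001,Front Door,non-CUI,granted
2024-05-01T08:05:40,1001,CUI File Room,CUI,granted
2024-05-02T17:31:02,1002,Server Closet,CUI,denied
2024-05-03T09:15:27,1003,CUI File Room,CUI,granted
2024-02-10T10:00:00,1004,Front Door,non-CUI,granted
2024-05-03T12:40:09,9999,Front Door,non-CUI,granted
"""
AS_OF = datetime(2024, 5, 4)  # constructed review date

def review_access(roster_csv, events_csv, as_of, stale_days=60):
    # Returns (finding, badge_id, detail) tuples for the FSO to sign off on.
    roster = {r["badge_id"]: r for r in csv.DictReader(StringIO(roster_csv))}
    events = list(csv.DictReader(StringIO(events_csv)))
    last_seen = {}  # badge_id -> most recent successful use
    findings = []
    for e in events:
        b = e["badge_id"]
        if b not in roster:  # badge programmed but nobody owns it
            findings.append(("unknown_badge", b, e["door"]))
        if e["zone"] == "CUI" and e["result"] == "denied":
            findings.append(("cui_denied", b, e["door"]))
        if e["result"] == "granted":
            ts = datetime.fromisoformat(e["timestamp"])
            last_seen[b] = max(ts, last_seen.get(b, ts))
    for b, r in roster.items():
        if r["badge_enabled"] != "yes":
            continue  # already disabled, nothing to review
        if r["status"] == "terminated":
            findings.append(("terminated_badge_enabled", b, r["name"]))
        elif b not in last_seen or as_of - last_seen[b] > timedelta(days=stale_days):
            findings.append(("stale_badge", b, r["name"]))
    return findings

def run_review():
    return review_access(ROSTER_CSV, EVENTS_CSV, AS_OF)
```

Export the returned findings to the monthly Access Review spreadsheet and have the FSO record the disposition (revoked, re-issued, or justified) next to each line.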
Compliance tips, best practices, and small-business examples
Make it proportional, documented, and demonstrable
For small businesses, apply proportional controls: a single-site firm can segregate a CUI room rather than refitting an entire facility. Document every decision: zone map, approval emails, configuration screenshots showing badge IDs and group memberships, visitor logs, and access-review spreadsheets. Example: keep a monthly "Access Review" spreadsheet signed by the FSO showing which badges were revoked and why — this is practical evidence for CMMC assessors. Use inexpensive managed services if needed: cloud-hosted access control and video systems reduce the operational burden while providing logs and exports.
Risks of non-implementation and compliance impact
Failing to limit physical access risks unauthorized disclosure, loss of CUI, contract default, and potential removal from the DoD supply chain. A physical breach can lead to lateral network compromise (if server closets are accessible) or direct theft of devices containing CUI. For assessors, missing documentation or ineffective access controls will generate findings and corrective action plans (POA&Ms), delaying certification and contract award or renewal. Real-world example: a small contractor that left its server closet unlocked experienced device theft and lost a contract after the breach investigation showed inadequate physical controls and no access logs.
Summary and practical checklist
In summary, implement PE.L2-3.10.1 by (1) inventorying and zoning CUI areas, (2) documenting approval workflows and roles, (3) installing appropriate locks/readers and integrating with identity systems, (4) enforcing visitor and key control processes, (5) centralizing logs and performing regular access reviews. Practical checklist: zone map, Physical Access Control Policy, signed access approvals, badge IDs with last-seen dates, visitor logs, camera snapshots tied to incidents, monthly access review evidence, and POA&M items tracked. Start small, document every step, and prioritize controls that reduce exposure to CUI — assessors want both technical enforcement and operational proof that only authorized individuals can physically access protected spaces.