Small contractors that handle Federal Contract Information (FCI) must apply simple, effective physical access controls to meet FAR 52.204-21(b)(1)(viii) and the matching CMMC 2.0 Level 1 practice PE.L1-b.1.viii: limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals. (If you also handle Controlled Unclassified Information (CUI), Level 2 and NIST SP 800-171 apply and add further physical protection requirements; the controls below are still the foundation.) This guide translates the Level 1 requirement into practical steps you can implement on a small budget, including technical options, real-world examples, and compliance tips to make your controls demonstrable in an assessment.
Overview — key objectives and what “limit physical access” means
The objective is straightforward: prevent unauthorized people from seeing, touching, or removing systems that store or process FCI or CUI (workstations, servers, removable media, printers) and limit who can enter the areas where that information is handled. Small businesses usually operate in leased office space, so the controls are a mix of administrative (policies), physical (locks, racks, cabinets), and technical (badge readers, door sensors, cameras) measures working together. Documentation of the decisions and procedures is as important as the hardware you install.
Step-by-step implementation for small contractors
Step 1 — scope, asset inventory, and classification
Start with a one-page scope: list rooms (offices, server/IDF closet, storage, conference rooms), systems, and assets that store or process FCI/CUI (laptops, NAS, printers with internal storage). Tag each asset with an owner and classify whether the asset must live in a controlled area. Example: a 12-person subcontractor with a shared conference room classifies the CEO's office and the server closet as "controlled." This inventory determines which doors need stronger controls.
Step 2 — choose controls by risk and cost
For each controlled area select a control profile: basic (mechanical keyed locks plus key control), mid (electronic door locks plus a visitor log), or advanced (networked access control with badge readers and logging). Technical notes: modern affordable systems use PoE door controllers and IP readers (cloud-managed vendors such as Openpath or Kisi; expect roughly $300–$800 per door plus a subscription) or local controllers talking RS-485/OSDP to enterprise readers. If you use card readers, prefer OSDP-capable readers with Secure Channel enabled over legacy Wiegand: Wiegand carries the credential number in the clear between reader and controller, so it can be sniffed at the reader and replayed, while OSDP Secure Channel encrypts that link. Pair readers with credentials that are not trivially cloned (for example, avoid 125 kHz proximity cards). For server racks, use lockable cabinets with rack-level locks; consider intrusion sensors (contact switches) wired into the access control system or an alarm panel. If the budget is tiny, use rekeyed high-security cylinder locks plus a tightly controlled key log and a single spare key in a locked safe.
Step 3 — visitor management, escorting and credentialing
Implement a simple visitor policy: all visitors must sign in, wear a temporary badge, and be escorted unless explicitly pre-authorized. This is not optional: the companion requirement FAR 52.204-21(b)(1)(ix) (CMMC PE.L1-b.1.ix) requires you to escort visitors and monitor visitor activity, maintain audit logs of physical access, and control and manage physical access devices. For recurring third parties (cleaning, IT contractors) create time-bound credentials with restricted door permissions. Use a visitor log (paper or electronic) that records name, company, host, entry/exit times and whether the visitor was escorted. The clause sets no retention period, so pick one (e.g., 90–180 days), document it, and include the logs in your compliance evidence. Make sure contractors and subcontractors are covered by your procedures in writing (SOW or a brief access agreement).
Step 4 — monitoring, logging, and evidence preservation
Deploy monitoring appropriate to the risk: a camera at the main entry and outside any server closet is often sufficient for a small office. Use cameras with at least 1080p resolution, accurate timestamps (NTP-synchronized), and secure storage (on-prem or cloud) with a documented retention policy. Access control systems should generate logs that show who entered which door and when, and that ordinary users and door-level staff cannot edit; integrate with your identity provider where possible (AD/Okta) so badge holders can be correlated with user accounts and disabled in one place. Export a sample month of logs, review it against your roster of authorized badge holders, and keep an index of the exports as evidence; if you use a cloud system, enable audit logging and MFA for administrator accounts.
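The review of an exported month of badge events described above, as an added example that is not code from the original guide or from any access control vendor. It checks a constructed badge-event export against a constructed roster of badge holders (badges not on the roster, badges used after revocation, use of a door the holder is not authorized for, server-closet entries outside business hours) and produces a SHA-256 digest of the export for the evidence index, so the stored file can later be re-hashed to show it was not altered. The CSV column names, door names, badge IDs and the 07:00–19:00 business-hours window are assumptions for the example; real exports differ per vendor.

```python
"""Review an exported badge-event log against the access roster and hash the
export for the evidence index. Added example; the CSV layouts, door names,
badge IDs and business hours below are constructed assumptions."""
import csv
import hashlib
import io
from datetime import datetime, time

# Constructed sample: events as a cloud access-control system might export
# them (column names are assumed).
EVENTS_CSV = """timestamp,door,badge_id,result
2024-03-04T08:55:12,Main Entry,B1001,granted
2024-03-04T09:10:03,Server Closet,B1002,granted
2024-03-05T22:41:30,Server Closet,B1002,granted
2024-03-06T13:02:44,Main Entry,B1005,granted
2024-03-07T10:15:00,Server Closet,B1003,granted
2024-03-08T14:20:09,Main Entry,B1001,denied
"""

# Constructed roster: badge holder, doors the badge is authorized for
# (';'-separated), and the revocation date (empty = still active).
ROSTER_CSV = """badge_id,holder,doors,revoked
B1001,A. Rivera,Main Entry,
B1002,J. Chen,Main Entry;Server Closet,
B1003,IT contractor,Main Entry,2024-03-01
"""

BUSINESS_HOURS = (time(7, 0), time(19, 0))  # assumed 07:00-19:00 local
CONTROLLED_DOOR = "Server Closet"           # assumed name of the controlled area


def load_roster(text):
    """Parse the roster CSV into {badge_id: {holder, doors, revoked}}."""
    roster = {}
    for row in csv.DictReader(io.StringIO(text)):
        roster[row["badge_id"]] = {
            "holder": row["holder"],
            "doors": set(row["doors"].split(";")),
            "revoked": datetime.fromisoformat(row["revoked"]) if row["revoked"] else None,
        }
    return roster


def review_events(events_text, roster_text, hours=BUSINESS_HOURS):
    """Return a list of (timestamp, badge_id, reason) findings for the reviewer."""
    roster = load_roster(roster_text)
    findings = []
    for row in csv.DictReader(io.StringIO(events_text)):
        ts = datetime.fromisoformat(row["timestamp"])
        badge, door, granted = row["badge_id"], row["door"], row["result"] == "granted"
        entry = roster.get(badge)
        if entry is None:
            # Unknown badge: a leftover or cloned credential, or a roster gap.
            findings.append((row["timestamp"], badge, "badge not in roster"))
            continue
        if granted and entry["revoked"] and ts >= entry["revoked"]:
            # Revocation was recorded but never pushed to the door controller.
            findings.append((row["timestamp"], badge, "granted after revocation"))
        if granted and door not in entry["doors"]:
            findings.append((row["timestamp"], badge, f"not authorized for {door}"))
        if door == CONTROLLED_DOOR and not (hours[0] <= ts.time() <= hours[1]):
            # Worth a look even when authorized: after-hours closet access.
            findings.append((row["timestamp"], badge, "server closet outside business hours"))
    return findings


def evidence_digest(text):
    """SHA-256 of the export exactly as stored; record it in the evidence index
    and re-hash the stored file at review time to detect alteration."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    for ts, badge, reason in review_events(EVENTS_CSV, ROSTER_CSV):
        print(f"{ts}  {badge}  {reason}")
    print("export sha256:", evidence_digest(EVENTS_CSV))
```

On the constructed data this flags four events: an after-hours server-closet entry by an authorized badge, a badge that is missing from the roster, and two findings for a contractor badge that was still opening the server closet a week after its recorded revocation. The last case is the one a reviewer should chase first, because it means revocations in the roster are not reaching the door controller.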
Step 5 — training, procedures, and enforcement
Train staff annually on how to handle FCI/CUI, escort rules, badge and key handling, and reporting of lost badges. Maintain simple procedures: what to do if a door is propped open, a key card is lost, or a suspicious person is observed. Practical tip: appoint a "physical security owner" (an existing office manager is fine) and include physical security checks in weekly facility walk-throughs. Document each training session with an attendee list and the topics covered.
Step 6 — validate, test, and document
Perform quarterly control checks: test door lock operation, verify backup power for electric locks and confirm they fail in the intended state (fail-secure on the server closet, fail-safe where egress requires it), review visitor logs, confirm cameras are recording, and check that server racks are locked. Keep a change log of every access privilege granted or revoked, and confirm that revocations in the log actually took effect at the door. For assessments, produce: scope document, asset inventory, access control policy, visitor logs, sample access logs, camera retention policy, and evidence of training. If you share space with a landlord or other tenants, obtain documented agreements showing who is responsible for physical controls in common areas.
Real-world scenarios and tactical examples
Example 1 — 12-person subcontractor in a leased suite: rekey the external office doors, install an electronic lock on the server closet that only two named badges can open, run both doors from a hosted access control system ($20–30/month), and add a single indoor 1080p camera with 90-day cloud retention. Example 2 — remote workforce with occasional on-site FCI/CUI: keep laptops in a lockable cabinet when not in use, use cable locks for high-value laptops, enable full-disk encryption so a stolen device does not become a data loss, require MFA for remote access, and store any printed FCI/CUI in a locked drawer. These are low-cost implementations that satisfy the intent of limiting physical access.
Risk of not implementing physical access controls
Failure to limit physical access can lead to direct FCI/CUI exposure (printouts left in shared areas, unlocked server cabinets), theft of devices leading to credential compromise, loss of contracts, and contractual consequences under the FAR clause. Beyond the contractual consequences, unauthorized access increases the chance of data exfiltration, intrusion into the network via stolen or tampered machines, and reputational damage that can cost more than the controls themselves. Level 1 is an annual self-assessment with an affirmation by a senior official, so your documented evidence is what stands behind that affirmation; absence of evidence is treated as absence of control.
Summary — take incremental, documented steps: scope what must be protected, pick controls appropriate to the risk and budget, implement and log operations, train staff, and validate regularly. Even simple combinations of locks, visitor procedures, and reviewed access logs will satisfy PE.L1-b.1.viii when they are documented and enforced; make your evidence easy to produce and your controls easy to maintain, and you will be in a strong position for FAR 52.204-21 and CMMC Level 1 assessments.