Requirement
FAR 52.204-21 / CMMC 2.0 Level 1 - Control - PE.L1-B.1.VIII – Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
Understanding the Requirement
Under the FAR 52.204-21 / CMMC 2.0 Level 1 framework, this control requires you to prevent unauthorized people from reaching your information systems, the hardware that supports them, and the work areas where sensitive DoD-related activity takes place. In practice that means identifying who is authorized, keeping servers, workstations, printers, and CUI storage under restricted access, and ensuring operating environments (server rooms, development areas, contract work zones) are physically limited to approved personnel only.
Technical Implementation
- Classify and map physical zones. Create a simple floor map that labels public, general staff, and sensitive areas (server room, network closets, contract workspaces, CUI storage). Use the map to decide where locks, monitoring, and stricter access controls are required. For SMBs this can be a single-page diagram maintained by IT or facilities.
- Install practical access controls. Use keyed locks or electronic card readers for sensitive doors. For many small businesses, a badge system or smart cards at the main entrance and server room is an affordable and scalable option. Keep a documented list of who has keys/badges, and require authorization before issuing or reissuing credentials.
- Secure equipment and CUI media. Keep servers, switches, and backup media in locked racks or a locked server room. Store hard drives, backup tapes, and paperwork with CUI in locked cabinets or safes. Printers and fax machines that handle CUI should be located inside restricted zones or equipped with pull-print solutions so output is collected only by authorized staff.
- Visitor management and physical escorts. Require visitors to sign in, wear temporary badges, and be escorted in sensitive areas. Maintain a visitor log (digital or paper) that records who visited, what area they accessed, and who authorized the visit. For short projects or single-room offices, designate a staff member to monitor visitors whenever sensitive work is occurring.
- Operate a simple key/card lifecycle and audit process. Assign a single owner for physical access credentials who performs periodic audits (quarterly or biannually) to remove access for terminated or transferred staff and to reconcile issued keys/cards against active personnel. Destroy or sanitize retired access cards and rekey locks if a key is lost or a card is compromised.
- Train staff and document procedures. Provide short, role-specific training so employees know how to challenge tailgating, where CUI may be stored, and how to request access. Document your physical access policy, authorization workflow, and incident reporting procedures so implementation is consistent and auditable.
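The periodic badge/key reconciliation described in the lifecycle-and-audit step can be scripted so the credential owner gets a repeatable list of exceptions rather than eyeballing two spreadsheets. The following is an added example (not code from the page or any vendor badge system); the person names, zone labels, status values and roster layout are assumptions, and a real run would read the badge system export and the HR roster instead of the constructed sample data.

```python
"""Quarterly badge/key reconciliation against the personnel roster (added example,
not from the page; names, zone labels and roster layout are assumptions)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

@dataclass(frozen=True)
class Person:
    name: str
    status: str                     # "active", "terminated" or "transferred"
    approved_zones: FrozenSet[str]  # zones approved by the contract manager

@dataclass(frozen=True)
class Credential:
    credential_id: str
    holder: str
    zones: FrozenSet[str]           # zones the badge or key currently opens
    authorized_by: Optional[str]    # who approved issuance, if recorded
    active: bool = True             # False once deactivated or destroyed

def reconcile(creds: List[Credential], people: List[Person]) -> Dict[str, List[str]]:
    """Flag active credentials whose holder is gone, whose zones exceed approval, or lack authorization."""
    roster = {p.name: p for p in people}
    findings: Dict[str, List[str]] = {}
    for c in creds:
        if not c.active:
            continue  # already deactivated, nothing to revoke
        issues = []
        person = roster.get(c.holder)
        if person is None or person.status != "active":
            issues.append("holder not active personnel: deactivate credential")
        elif c.zones - person.approved_zones:
            issues.append("zones beyond approval: " + ", ".join(sorted(c.zones - person.approved_zones)))
        if not c.authorized_by:
            issues.append("no recorded authorization: obtain approval or revoke")
        if issues:
            findings[c.credential_id] = issues
    return findings

def run_quarterly_audit() -> Dict[str, List[str]]:  # constructed sample roster and badge list
    people = [Person("alice", "active", frozenset({"main_entrance", "server_room"})),
              Person("bob", "terminated", frozenset({"main_entrance"})),
              Person("carol", "active", frozenset({"main_entrance"})),
              Person("dan", "transferred", frozenset({"main_entrance"}))]
    creds = [Credential("B-001", "alice", frozenset({"main_entrance", "server_room"}), "contract-mgr"),
             Credential("B-002", "bob", frozenset({"main_entrance"}), "contract-mgr"),   # left the firm
             Credential("B-003", "carol", frozenset({"main_entrance", "server_room"}), None),
             Credential("B-004", "dan", frozenset({"main_entrance"}), "contract-mgr", active=False),
             Credential("K-005", "eve", frozenset({"supply_closet"}), "it-lead")]       # not on roster
    return reconcile(creds, people)
```

Each finding is an action item for the credential owner; an empty result is the evidence record that the quarter's reconciliation found nothing to revoke.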
Example in a Small or Medium Business
The company is a 35-person engineering firm that recently won a small DoD subcontract. Management identifies the server room, a shared conference room used for contract reviews, and desks where CUI is processed as sensitive areas. They install a badge reader at the main entrance and a separate reader on the server room door; badges are required to enter either area. The IT lead maintains an access roster that lists authorized personnel and approvals from contract managers. Printers used for contract documents are moved into a locked supply closet; employees must badge in to retrieve printed CUI. Visitors sign in at reception, receive a visitor badge that expires at day end, and are escorted when entering restricted areas. Quarterly checks are scheduled to reconcile issued badges with active staff and to verify locks and readers are functioning. When an employee departs, the badge is deactivated immediately and the access roster updated, reducing the risk that former personnel retain physical access to systems or CUI.
Summary
Limiting physical access combines simple policy decisions (who is authorized, documentation of access decisions, visitor and badge procedures) with practical technical controls (locks, badge readers, locked storage, and monitored printers). For SMBs the most effective approach is to map sensitive zones, use affordable access controls, maintain a clear owner for credential management, train staff to enforce rules, and perform periodic audits. Together these measures reduce the risk of unauthorized physical access to systems, equipment, and operating environments that handle CUI and DoD-related work.