Requirement
NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - PE.L2-3.10.1 – Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
Understanding the Requirement
This control (from NIST SP 800-171 REV.2 / CMMC 2.0 Level 2) requires that an organization identify who is authorized to enter its facilities and specific sensitive areas, and ensure only those authorized people can access information systems, equipment, and operating environments that contain or process Controlled Unclassified Information (CUI). In practice that means classifying facility areas as sensitive or non-sensitive, keeping servers, network devices, CUI-containing media, and CUI paperwork in locked rooms or containers, and using administrative and technical controls (badges, keys, visitor procedures, and reviewed access lists) so only approved personnel can reach those assets.
Technical Implementation
- Map and classify physical areas and assets. Create a simple inventory of offices, server rooms, closets, printers that may handle CUI, and label areas as non-sensitive, sensitive, or restricted. This inventory drives what controls are required and who should have access.
- Deploy access control on sensitive entry points. Install locks or electronic readers (smart cards, prox badges, or keypad+PIN) on server rooms, network closets, and dedicated CUI workspaces. Configure badge access rules so only authorized job roles or named users can open those doors; set schedules if appropriate.
- Establish a formal authorization and review process. Maintain an access roster tied to HR/job roles and a documented approval workflow for granting physical access. Review and reconcile the roster at least quarterly and immediately remove access for terminated or role-changed staff.
- Protect portable media and paperwork. Store hard drives, backup media, and CUI paperwork in locked cabinets/containers when not in use. Enforce a check-in/check-out process and log custody changes for sensitive media.
- Control shared devices and output. Place printers, fax machines, and multi-function devices that may print CUI in secured areas or require badge release for print jobs (pull-print). Position these devices where unauthorized visitors cannot retrieve outputs.
- Implement visitor, escort, and key management procedures. Require visitor sign-in, issue temporary badges, enforce escorts in sensitive areas, and keep issuance/return logs for physical keys. Use key control practices (limited distribution, inventory, regular audits) and consider rekeying after lost keys.
- Use monitoring and alerts for critical areas. Add CCTV, door contact sensors, and basic alarm notifications for server rooms and CUI storage. Even simple cloud-managed cameras and door sensors can provide evidence and alert on unauthorized entry for SMBs.
Example in a Small or Medium Business
Acme Tech is a 40-person subcontractor working on DoD projects that produce CUI. It classifies its lobby and open office as non-sensitive, and its server room, two engineering labs, and the records closet as sensitive. The company installs a smart-card reader on the main entrance and on the server room door; all employees get smart cards tied to their personnel record. Only members of IT and authorized engineers have server-room access, granted through HR-approved access requests and logged in the access roster. Printers that handle CUI are moved into the engineering lab and require badge release for print jobs; paper copies are stored in a locked cabinet when not actively used. Visitors must sign in at reception, receive a temporary badge, and be escorted in sensitive areas; a receptionist checks the visitor log daily. When an engineer leaves the company, HR notifies IT and security, the smart card is deactivated the same day, and the access roster is updated. Quarterly audits reconcile physical access lists with current employees and spot-check the locks and cameras to ensure everything functions as expected.
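The roster review described under Technical Implementation (reconcile the access roster against HR records, remove access for terminated or role-changed staff) and the quarterly audit in the Acme Tech example above are the same check, and it is easy to script. The following Python is an added example written for this page, not code from any badge system or from the page itself. The HR records, area policy, badge roster, and door-event lines are all constructed sample data in an assumed format; a real audit would pull the equivalent exports from the HR system and the access-control controller.

```python
"""Reconcile a physical access roster against HR records and door-event logs.

Added example for the PE.L2-3.10.1 roster review. All data below is constructed;
the record layouts are assumptions, not any vendor's export format.
"""

# Constructed HR export: (employee_id, name, department, status)
HR_RECORDS = [
    ("E001", "Ada Ruiz", "IT", "active"),
    ("E002", "Ben Okafor", "Engineering", "active"),
    ("E003", "Cal Young", "Sales", "active"),
    ("E004", "Dee Patel", "Engineering", "terminated"),
]

# Assumed area policy: which departments may hold access to each sensitive area.
AREA_POLICY = {
    "server_room": {"IT"},
    "eng_lab": {"IT", "Engineering"},
    "records_closet": {"IT"},
}

# Constructed badge roster: badge_id -> (employee_id, areas granted on the badge)
ACCESS_ROSTER = {
    "B100": ("E001", {"server_room", "eng_lab", "records_closet"}),
    "B200": ("E002", {"eng_lab"}),
    "B300": ("E003", {"eng_lab"}),       # Sales staff granted lab access: policy gap
    "B400": ("E004", {"eng_lab"}),       # terminated employee still holds a badge
    "B500": ("E999", {"server_room"}),   # badge with no matching HR record
}

# Constructed door-controller log lines: "<timestamp> <area> <badge_id> <result>"
DOOR_EVENTS = [
    "2024-05-01T08:02:11 server_room B100 granted",
    "2024-05-01T08:10:43 eng_lab B200 granted",
    "2024-05-01T19:45:02 server_room B200 denied",
    "2024-05-01T20:01:17 eng_lab B400 granted",
]


def reconcile_roster(hr_records, roster, policy):
    """Return (badge, employee_id, reason) for every roster entry that should not exist.

    Flags badges with no HR record, badges held by non-active staff, and areas
    granted to a department the policy does not authorize for that area.
    """
    hr = {eid: (name, dept, status) for eid, name, dept, status in hr_records}
    findings = []
    for badge, (eid, areas) in sorted(roster.items()):
        if eid not in hr:
            findings.append((badge, eid, "no HR record"))
            continue
        _name, dept, status = hr[eid]
        if status != "active":
            findings.append((badge, eid, f"employee status is {status}"))
            continue
        for area in sorted(areas):
            if dept not in policy.get(area, set()):
                findings.append((badge, eid, f"{dept} not authorized for {area}"))
    return findings


def audit_door_events(events, hr_records, roster):
    """Return (timestamp, area, badge, reason) for granted entries that contradict the roster.

    A granted entry is suspicious when the badge is unknown, belongs to a non-active
    employee, or opened an area the badge is not supposed to hold.
    """
    status_by_employee = {eid: status for eid, _, _, status in hr_records}
    alerts = []
    for line in events:
        timestamp, area, badge, result = line.split()
        if result != "granted":
            continue  # denied attempts are already handled by the controller
        entry = roster.get(badge)
        if entry is None:
            alerts.append((timestamp, area, badge, "unknown badge"))
            continue
        eid, areas = entry
        if status_by_employee.get(eid) != "active":
            alerts.append((timestamp, area, badge, "badge of non-active employee used"))
        elif area not in areas:
            alerts.append((timestamp, area, badge, "entry to area not on badge"))
    return alerts


if __name__ == "__main__":
    for finding in reconcile_roster(HR_RECORDS, ACCESS_ROSTER, AREA_POLICY):
        print("ROSTER:", *finding)
    for alert in audit_door_events(DOOR_EVENTS, HR_RECORDS, ACCESS_ROSTER):
        print("EVENT: ", *alert)
```

Run against the sample data, the roster check reports the Sales badge holding lab access, the terminated employee's badge, and the badge with no HR record; the event check reports the granted entry made with the terminated employee's badge after hours. Each roster finding maps directly to a deactivation or a re-approval, which is the evidence an assessor expects from the quarterly reconciliation.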
Summary
Combining clear policy (area classification, authorization workflows, visitor and key procedures) with practical technical measures (locks, badge readers, locked storage for CUI, printer controls, and basic monitoring) lets SMBs reliably limit physical access to only authorized individuals. These controls reduce the risk of unauthorized access to systems and CUI, and when paired with periodic review and fast offboarding, create a simple, maintainable physical security posture that meets the intent of PE.L2-3.10.1.