Requirement
NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - PE.L2-3.10.2 – Protect and monitor the physical facility and support infrastructure for organizational systems.
Understanding the Requirement
This control (NIST SP 800-171 REV.2 / CMMC 2.0 Level 2) requires that you both limit and observe physical access to the spaces where systems and their supporting infrastructure live. Practically, that means preventing unauthorized entry to server rooms, electrical closets and wiring paths, and ensuring those spaces and devices are monitored so tampering, theft, or accidental disruptions are detected quickly. The objectives include protecting the physical facility and support infrastructure and putting monitoring in place for both to reduce risk to your IT systems and data.
Technical Implementation
- Lock and control access to critical spaces. Keep server rooms, electrical closets and network cabinets locked with keyed locks, electronic locks, or badge readers. Maintain an access roster with role-based permissions so only authorized staff (IT admins, facility personnel) can enter; review and remove access promptly when roles change.
- Secure cabling and power paths. Run network and power cables in conduits or ceiling trays where possible; label both ends and bundle cables to avoid accidental unplugging. For small offices, use lockable network cabinets and secure power strips or PDUs inside the cabinet to prevent accidental disruption.
- Deploy affordable monitoring. Install surveillance cameras covering entrances, server rooms and key infrastructure locations. Use cameras that support motion detection and event retention (30–90 days depending on space and budget). If cameras aren’t feasible everywhere, use door/window sensors and tamper switches on cabinets to provide alerts.
- Log and review physical access and events. Integrate electronic locks, camera event logs and sensor alerts into a simple logging solution or SIEM if available. Define a schedule for daily or weekly review of access logs and camera snapshots, and escalate suspicious events to designated staff immediately.
- Protect environmental and power infrastructure. Use UPS units for critical servers and network gear; lock or secure UPS cabinets and switchgear. Maintain basic environmental monitoring (temperature/humidity) and integrate alarms for HVAC or power failures so you can respond before equipment is damaged.
- Operational controls and testing. Create simple written procedures for visitor escorting, tailgating prevention, and contractor access. Conduct periodic physical inspections and quarterly tests of alarms, camera recording, and access control to ensure systems work and configurations remain current.
Example in a Small or Medium Business
Acme Design Co., a 40-person firm, decides to harden its physical security after a brief outage caused by an accidentally unplugged switch. They install a lockable network cabinet in a small locked IT room and configure an electronic keypad with a code restricted to two IT staff and one facilities manager. Network and power cables into critical devices are routed through a ceiling tray and labeled to reduce accidental pulls during desk moves. Two PoE cameras are placed to cover the main entrance and the IT room doorway; camera footage is retained for 45 days on a local NVR. Door contact sensors are added to the IT room and tied to the company’s alerting system so on-call staff receive text notifications for unexpected openings after hours. Acme documents a visitor escort policy, requires contractors to check in with reception, and reviews access codes and camera logs every month. They also add a small UPS to networking gear and a temperature sensor in the IT room to catch environmental problems early.
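As an added example (not part of the original guidance or any vendor's product), the log-review step from the "Log and review physical access and events" bullet and the after-hours door alerts in the Acme scenario can be expressed as a small Python check over constructed keypad and door-contact events. The access roster, business hours, event format and alert thresholds are assumptions chosen for the example.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs): keypad lock and door-contact sensor on the IT room.
SAMPLE_LOG = """\
2024-05-06T08:02:10 src=keypad door=IT-ROOM user=jdoe result=granted
2024-05-06T08:02:14 src=contact door=IT-ROOM state=open
2024-05-06T18:40:03 src=keypad door=IT-ROOM user=rkim result=denied
2024-05-06T18:40:20 src=keypad door=IT-ROOM user=rkim result=denied
2024-05-06T18:40:41 src=keypad door=IT-ROOM user=rkim result=denied
2024-05-06T22:15:00 src=keypad door=IT-ROOM user=mlee result=granted
2024-05-06T22:15:04 src=contact door=IT-ROOM state=open
2024-05-07T03:11:30 src=contact door=IT-ROOM state=open
"""

ROSTER = {"jdoe", "asmith", "fmanager"}     # assumed roster: two IT staff, one facilities manager
BUSINESS_HOURS = (7, 19)                    # assumed 07:00-19:00, Monday to Friday
GRANT_WINDOW = timedelta(seconds=30)        # a door opening must follow a keypad grant within this window
DENY_THRESHOLD, DENY_WINDOW = 3, timedelta(minutes=10)

def parse(log):
    """Return [(timestamp, {key: value}), ...] for each log line."""
    events = []
    for line in log.splitlines():
        ts, *kv = line.split()
        events.append((datetime.fromisoformat(ts), dict(p.split("=", 1) for p in kv)))
    return events

def after_hours(ts):
    return ts.weekday() >= 5 or not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1])

def review(log):
    """Walk the events in order and return (timestamp, message) findings for escalation."""
    findings, grants, denials = [], [], []
    for ts, f in parse(log):
        if f["src"] == "keypad" and f["result"] == "granted":
            grants.append(ts)
            if f["user"] not in ROSTER:          # roster drift: a code still works for someone removed
                findings.append((ts, "granted to user not on access roster: " + f["user"]))
        elif f["src"] == "keypad" and f["result"] == "denied":
            denials.append((ts, f["user"]))
            recent = [d for d, u in denials if u == f["user"] and ts - d <= DENY_WINDOW]
            if len(recent) == DENY_THRESHOLD:     # alert once, when the threshold is first reached
                findings.append((ts, f"{DENY_THRESHOLD} denied attempts by {f['user']} in {DENY_WINDOW}"))
        elif f["src"] == "contact" and f["state"] == "open":
            if not any(timedelta(0) <= ts - g <= GRANT_WINDOW for g in grants):
                findings.append((ts, "door opened without a matching keypad grant"))  # forced or propped
            if after_hours(ts):
                findings.append((ts, "door opened after hours"))
    return findings
```

Run over the constructed sample, review(SAMPLE_LOG) returns five findings: the repeated denials, a grant to a code holder who is no longer on the roster, and the two after-hours openings, the last of which has no keypad grant at all and so should be escalated as a possible forced or propped door.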
Summary
Combining straightforward policies (access rosters, visitor escorting, and review routines) with practical technical controls (locks, secure cabling, cameras, UPS and sensors) meets the requirement to protect and monitor the physical facility and its support infrastructure. For SMBs these measures are scalable and cost-effective: they reduce the chance of accidental outages, detect tampering or intrusions quickly, and create auditable logs to support incident response and compliance efforts.