
How to Prepare Evidence and Pass an Assessment for NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - PE.L2-3.10.1: Implementation Checklist

Concrete, step-by-step guidance on preparing evidence and passing an assessment for PE.L2-3.10.1 (limit physical access) under NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2.

April 17, 2026

This post is a practical implementation checklist to help small businesses meet PE.L2-3.10.1 (Limit physical access to organizational systems, equipment, and the respective operating environments to authorized personnel) under the Compliance Framework mapping for NIST SP 800-171 Rev.2 and CMMC 2.0 Level 2, and to prepare the evidence an assessor expects to see during an evaluation.

What assessors expect to see

An assessor will look for documented intent (policy and procedures), a defined scope (where CUI and systems that store/process CUI are located), and operational evidence showing the access controls are implemented and working. Evidence typically includes a site map that identifies controlled areas, access control lists (who is authorized), badge issuance records, door controller logs showing entries and denies, visitor logs, camera placement photos, configuration snapshots of access control systems, and records of periodic access reviews. For Compliance Framework audits the narrative must map these artifacts to PE.L2-3.10.1 and show that the organization limits physical access to authorized personnel only.

Step-by-step implementation checklist (practical)

1) Scope: Identify all rooms, cabinets, vehicles, and remote work locations where CUI or systems that process CUI may be present. Create a "CUI locus" site map (PDF).

2) Policy & procedure: Draft a brief Physical Access Policy and a Badge/Visitor SOP that define who can be granted access, approval authority, onboarding/offboarding steps, and how violations are handled.

3) Controls: Install simple physical controls appropriate to a small business: locks on doors, server cabinet locks, badge readers or keypad locks, and CCTV covering entrances and CUI storage areas.

4) Assign roles: Appoint a Physical Security Owner and at least one alternate; document their responsibilities in a Control Owner RACI.

5) Onboarding/offboarding: Implement a badge issuance and revocation process tied to HR (or a ticketing system) that disables badges within 24 hours of separation or role change; document the process and demonstrate it with tickets.

Technical implementation details (what to configure and collect)

Use access control hardware/software that produces signed audit logs (examples: Openpath, Kisi, HID, or legacy PACS). Configure the controller to: (a) sync time with NTP, (b) export logs to a central syslog/SIEM (e.g., Splunk, ELK, or a managed cloud log bucket), and (c) retain logs per your retention policy. Typical recommended retention for access controller logs and CCTV is 90 days minimum unless a contract or risk assessment requires longer. Capture configuration screenshots (version, firmware), export a sample log covering a recent 30-day window (redact PII if necessary), and export an "access denied" sample to show enforcement. Integrate badge disablement with your identity source (AD/Okta) where possible so you can show automated revocation events. Use SHA256 checksums for exported evidence files and store them in a read-only evidence folder or virtual data room (VDR) so you can demonstrate integrity to assessors.

Real-world small-business scenarios and examples

Scenario A — Small office with CUI in a locked room: Implement a keyed lock with badge reader on the server/CUI room, post a site map, and maintain a physical visitor log for that room. Evidence: photo of the locked door, visitor log PDF, access control log, and the "Room Access Approval" form signed by the manager.

Scenario B — Co-working space: If you host CUI in a shared office, negotiate a written MOU with the landlord/co-working provider that documents physical security responsibilities and restricted access hours, and keep encrypted devices in a locked cabinet when on site.

Scenario C — Remote workers: Treat home offices as out-of-scope physically, but require full-disk encryption, documented storage procedures, and that CUI-containing devices are returned or wiped on separation. Include remote attestation and shipping logs as part of your evidence set.

Artifacts to prepare — a concrete evidence list

Produce a named evidence bundle that an assessor can walk through. Example artifacts and filenames:

- PE_L2-3.10.1_PhysicalAccessPolicy_v1.0.pdf
- PE_L2_SiteMap_CUI_Locus_OfficeA.pdf
- PE_L2_BadgeIssuanceLog_2026-Q1.csv
- PE_L2_AccessControl_Audit_2026-04_30days.zip
- PE_L2_CCTV_Snapshot_MainEntrance.jpg
- PE_L2_AccessReview_Report_2026-03.pdf
- PE_L2_Revocation_Tickets_2026.csv
- PE_L2_MOU_Coworking_2025-11.pdf
- PE_L2_ControlNarrative_PE-L2-3.10.1.docx

Include checksums like PE_L2-Checksums_SHA256.txt and a one-page "evidence map" that tells the assessor which file maps to which requirement sentence.
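The two technical pieces above, the SHA256 checksum file over the evidence bundle and the 30-day "access denied" sample pulled from the door-controller export, as an added Python example that is not from the original post. It writes and verifies a PE_L2-Checksums_SHA256.txt manifest in `sha256sum` format (here over stand-in files carrying the filenames listed above) and filters a constructed controller export down to DENIED events inside the assessment window; the key=value log format, demo_bundle() and the sample entries are assumptions, not any vendor's real output.

```python
import hashlib
import tempfile
from datetime import datetime, timedelta
from pathlib import Path

MANIFEST = "PE_L2-Checksums_SHA256.txt"  # checksum file named on the page
def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def write_manifest(bundle: Path) -> Path:
    """Hash every artifact in the bundle; line format matches `sha256sum`."""
    entries = [f"{sha256_file(p)}  {p.name}" for p in sorted(bundle.iterdir())
               if p.is_file() and p.name != MANIFEST]
    manifest = bundle / MANIFEST
    manifest.write_text("\n".join(entries) + "\n")
    return manifest

def verify_manifest(manifest: Path) -> dict:
    """Re-hash each listed artifact: 'ok', 'mismatch' (edited after hashing) or 'missing'."""
    status = {}
    for line in manifest.read_text().splitlines():
        digest, name = line.split("  ", 1)
        target = manifest.parent / name
        status[name] = ("missing" if not target.is_file()
                        else "ok" if sha256_file(target) == digest else "mismatch")
    return status

def demo_bundle() -> Path:  # constructed stand-in artifacts using the page's filenames
    d = Path(tempfile.mkdtemp())
    (d / "PE_L2_SiteMap_CUI_Locus_OfficeA.pdf").write_bytes(b"placeholder site map")
    (d / "PE_L2_BadgeIssuanceLog_2026-Q1.csv").write_text("badge,user\n0412,jdoe\n")
    return d

SAMPLE_DOOR_LOG = (  # constructed export in a hypothetical key=value format, no real vendor
    "2026-04-02T08:14:07Z door=CUI-Room badge=0412 user=jdoe result=GRANTED\n"
    "2026-04-09T17:42:55Z door=CUI-Room badge=0977 user=unknown result=DENIED reason=badge_disabled\n"
    "2026-02-15T09:00:00Z door=CUI-Room badge=0555 user=former result=DENIED reason=not_in_acl\n"
)

def denied_events(log_text: str, window_end: str, days: int = 30) -> list:
    """DENIED entries from the `days` before window_end (UTC, NTP-synced controller)."""
    end = datetime.fromisoformat(window_end.rstrip("Z"))
    start = end - timedelta(days=days)
    out = []
    for line in log_text.splitlines():
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        if kv.get("result") == "DENIED" and start <= datetime.fromisoformat(ts.rstrip("Z")) <= end:
            out.append({"ts": ts, **kv})
    return out
```

Run verify_manifest again just before handing the bundle over: a "mismatch" means an artifact changed after it was hashed, which is exactly the question an assessor will ask.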

Compliance tips and best practices

1) Start with a short control narrative (1 page) that maps each artifact to the control requirement; assessors love concise mapping.

2) Redact PII but preserve context (e.g., replace employee SSNs with "REDACTED-EMP-001" and provide a redaction log).

3) Perform a mock assessment (tabletop and walk-through) to reproduce the assessor's line of questioning; capture a short video showing a badge being used and a denied attempt.

4) Automate evidence collection where possible: scheduled exports of door logs, automated snapshots of the badge directory, and retention enforcement.

5) For retention, document the rationale (risk assessment) for the chosen retention period; don't invent numbers without justification.

Failure to implement PE.L2-3.10.1 properly risks unauthorized physical access, theft or tampering of devices holding CUI, chain-of-custody gaps for incident response, contract suspension or loss, and reputational harm. For small businesses this often manifests as lost contracts or the inability to respond convincingly during an assessment, creating costly remediation timelines and potential exclusions from future government work.

Summary: Treat PE.L2-3.10.1 as a focused, evidence-driven control: scope your CUI loci, document policy and procedures, implement appropriately-scaled physical controls, integrate access mechanisms with identity and logging systems, and prepare a clear evidence bundle with a control narrative and hashed artifacts. For small businesses, prioritize simple, demonstrable controls (locked rooms, badge or keypad logs, visitor logs, and documented revocation processes) and automate exports so you can reliably produce assessor-ready evidence on demand.
