This post provides a practical, step-by-step approach to building a physical access checklist mapped to FAR 52.204-21 and CMMC 2.0 Level 1 (PE.L1-B.1.VIII) that small businesses can implement, document, and use as evidence during audits or contractor assessments.
Why this checklist matters
FAR 52.204-21 requires basic safeguarding of contractor information systems, and CMMC Level 1 maps to similar basic cyber hygiene, including limiting physical access to systems and information. For small businesses handling Covered Defense Information (CDI) or operating under government contracts, an auditable physical access checklist demonstrates that you have consistent controls—visitor management, entry control, workstation protection, and media storage—and that these controls are enforced, tested, and recorded.
Key objectives and scope for the Compliance Framework practice
The Compliance Framework practice objective here is to create a repeatable artifact showing identification of physical assets, applied controls, monitoring, and evidence retention. Scope the checklist to: (1) all rooms where CDI is processed or stored, (2) network closets and server cabinets, (3) endpoints used for contract work, and (4) portable media storage. Define what counts as "access" (human entry, use of removable media, remote maintenance) and who is in-scope (employees, contractors, visitors, vendors).
Step-by-step checklist — Plan: identify assets, points of entry, and risk
Start by mapping your physical environment: list exterior doors, reception areas, internal doors to workspaces, server/network cabinets, and storage (cabinets, safes). For each asset, record: location, business purpose, whether CDI is present, access frequency, and current controls (locks, badge readers, CCTV). Example for a small business: a single-floor office with a lockable server closet and two conference rooms—your list should include key IDs, door IDs, and the single external entry used by visitors.
Step-by-step checklist — Implement: technical controls and configuration details
Specify exact controls for each entry point: mechanical locks with key control for low-risk areas; electronic badge readers (recommend OSDP over legacy Wiegand where possible, for encryption and tamper resistance) for areas with CDI; door contacts and door position sensors for server closets; and CCTV covering entrances with minimum 1080p resolution and 30 fps for clear facial recognition. Configure controllers to use TLS-encrypted management channels, ensure NTP-synchronized timestamps on logs, and set retention for access logs and video to a contract-appropriate period (common practice: 90–365 days; document your choice). For power-fail behavior, use fail-secure on server closet doors (remain locked during power loss) and fail-safe on fire-exit doors (unlock during power loss so egress is never blocked). For small businesses, cloud-managed access control systems (Kisi, Openpath, Brivo) provide reasonable security and audit trails without costly onsite infrastructure—record vendor SLA, data retention, and log export procedures as part of the checklist.
Step-by-step checklist — Verify: testing, logging, and evidence collection
Include test steps and acceptance criteria: monthly check that badge readers grant/deny access per role, quarterly review of access control list (ACL) against current employee list, weekly automated alerting for door-forced-open events, and spot checks of visitor logs and escort policy enforcement. Capture evidence: screenshots of ACL, exported access-event CSVs with timestamps correlated to NTP, CCTV clips for selected events, photos of locks/cabinet serials, and signed visitor logs. For compliance evidence, store a zipped archive (logs + screenshots + sign-off) in a secured repository and record hash/checksum for tamper-evidence.
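To make the Verify step concrete, here is an added example (not from the original post or from any access-control vendor's tooling) that runs the quarterly ACL-vs-roster review, the monthly grant/deny check, and the door-forced-open alert feed over constructed CSV exports, then computes the tamper-evidence checksum for the evidence bundle. The CSV column names, event names, and badge/door values are assumptions; map them to your own system's export format.

```python
import csv
import hashlib
import io
# Constructed sample exports (not from any real access-control system): a badge
# ACL export, the current HR roster, and a few days of access-event records.
ACL_CSV = """badge_id,holder,doors
B001,alice,Front Door;Server Closet
B002,bob,Front Door
B003,carol,Front Door;Server Closet
"""
ROSTER = {"alice", "bob"}  # carol has left; her badge was never deactivated
EVENTS_CSV = """timestamp,door,badge_id,event
2026-04-01T08:02:11Z,Front Door,B001,ACCESS_GRANTED
2026-04-01T08:05:40Z,Server Closet,B002,ACCESS_DENIED
2026-04-02T23:14:03Z,Server Closet,,DOOR_FORCED_OPEN
2026-04-03T09:30:00Z,Front Door,B003,ACCESS_GRANTED
2026-04-04T12:00:00Z,Server Closet,B002,ACCESS_GRANTED
"""

def load_acl(acl_csv):
    """Map badge_id -> (holder, set of doors) from the ACL export."""
    return {r["badge_id"]: (r["holder"], set(r["doors"].split(";")))
            for r in csv.DictReader(io.StringIO(acl_csv))}

def orphaned_badges(acl_csv, roster):
    """Quarterly ACL review: active badges whose holder is not on the roster."""
    return sorted(b for b, (holder, _) in load_acl(acl_csv).items()
                  if holder not in roster)

def grants_outside_acl(acl_csv, events_csv):
    """Monthly reader check: grants to a door the badge is not authorised for."""
    acl = load_acl(acl_csv)
    return [(r["timestamp"], r["door"], r["badge_id"])
            for r in csv.DictReader(io.StringIO(events_csv))
            if r["event"] == "ACCESS_GRANTED"
            and r["door"] not in acl.get(r["badge_id"], ("", set()))[1]]

def forced_open_events(events_csv):
    """Weekly alert feed: door-forced-open events as (timestamp, door)."""
    return [(r["timestamp"], r["door"])
            for r in csv.DictReader(io.StringIO(events_csv))
            if r["event"] == "DOOR_FORCED_OPEN"]

def evidence_checksum(artifacts):
    """SHA-256 over {filename: bytes}; record it beside the evidence archive."""
    h = hashlib.sha256()
    for name in sorted(artifacts):  # sorted names make the digest order-independent
        h.update(name.encode() + b"\0" + artifacts[name] + b"\0")
    return h.hexdigest()
```

Each finding list is the evidence artifact for that test step: an empty list is the pass record, a non-empty one is the ticket to raise before the next review.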
Step-by-step checklist — Maintain: training, audits, and incident integration
Document frequency and owner for ongoing tasks: annual physical-security training annotated in personnel records (covering escorting, reporting tailgating, and media handling), quarterly internal audits of the checklist, and an incident playbook that maps physical incidents (lost keys, tailgating, damaged locks) to incident response steps and notification requirements. For small businesses at co-working spaces, add contractual controls (dedicated locked rooms, signed access rules with building management) and a documented process for remote wipe or decommissioning of devices when an employee leaves.
Compliance tips, best practices, and small-business scenarios
Practical tips: use least-privilege access with role-based badges, enforce two-person access to server closets for sensitive operations, timestamp and NTP-sync every log source for correlation, and retain artifacts with a simple naming convention (e.g., "PhysicalAccess_Audit_2026-04-01.zip"). Example scenarios: (A) A 10-person defense subcontractor uses a keyed server cabinet—upgrade to a badge-controlled cabinet, or log key issuance and require dual custody for keys; (B) A small shop in a co-working space rotates employees—keep encrypted external storage in a safe and require a company-approved locking container. Best practices include mapping each checklist item back to the Compliance Framework evidence requirement, keeping ownership and review dates visible in the checklist, and automating exports of access logs to your SIEM or secure cloud storage for long-term retention and forensic readiness.
Risks of not implementing the requirement
Without a documented and enforced physical access checklist you risk unauthorized access to CDI, loss or theft of sensitive media, failed contract audits, contract termination, and regulatory fines. Operationally, a single unlocked server closet or unattended workstation can lead to lateral compromise of systems, exfiltration of data, or social-engineering attacks. The financial and reputational costs for a small business can be catastrophic—losing the ability to bid on or retain government contracts is a realistic outcome.
Summary: Build a clear, auditable physical access checklist that maps locations and controls to the Compliance Framework requirements, includes technical details (badge readers, CCTV specs, log retention), defines testing and evidence collection steps, and assigns owners for ongoing maintenance—this practical approach reduces risk and provides defensible evidence for FAR 52.204-21 and CMMC 2.0 Level 1 compliance.