
How to Build an Audit-Ready Physical Security Checklist for NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - PE.L2-3.10.2

Step-by-step guidance to build an audit-ready physical security checklist and evidence package to meet PE.L2-3.10.2 under NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 for small businesses.

April 20, 2026

PE.L2-3.10.2 (mapped to NIST SP 800-171 Rev.2 physical protection requirements) requires organizations handling controlled unclassified information (CUI) to control and monitor physical access to systems and facilities — and auditors expect not only that controls exist, but that you can show consistent, verifiable evidence demonstrating implementation. This post gives a practical, audit-ready checklist, implementation notes tailored for the Compliance Framework, and small-business examples that you can use to build repeatable evidence packages for internal and third-party assessments.

Implementation guidance and key objectives

Key objectives for PE.L2-3.10.2 are straightforward: (1) prevent unauthorized physical access to CUI and systems that store or process it; (2) log and monitor access events; and (3) maintain verifiable evidence of control operation and change. Under the Compliance Framework practice model, your implementation must map specific physical controls (badging, locks, escorts, CCTV, door contacts) to the control statement, document procedures, and produce artifacts auditors can review — policy, configuration exports, logs, ticketing records, maintenance schedules, and training records.

Audit-ready checklist (actionable items)

Below is a compact, prioritized checklist to implement and prove PE.L2-3.10.2 compliance. Use it as a baseline and expand to reflect your environment and risk profile.

  • Policy & Procedures: Maintain a Physical Security Policy and Visitor Access Procedure that reference CUI handling areas and approved escort/visitor rules; versioned and approved.
  • Access Control Systems: Deploy electronic badge access (or keyed control backed by documented procedures) for CUI rooms; export access control configuration and periodic user lists (including join/leave timestamps).
  • Visitor Logs & Badging: Maintain signed visitor logs or digital check-ins with the host, purpose, and timestamps; retain logs for a defined retention period (example: 1 year) and provide sample monthly rollups to auditors.
  • Video Surveillance: Ensure cameras cover entry points to CUI areas; keep retention policy and sample footage exports (time-stamped and with chain-of-custody notes) for incidents or audits.
  • Device & Door Monitoring: Use door contacts / intrusion sensors and integrate events into a centralized log (syslog/SIEM) with NTP-synced timestamps; export event searches that show alarms and clearances.
  • Logical Integration: Disable physical access in HR/Identity Management workflows when an employee departs; provide change-control tickets showing deprovisioning and badge reclaim/destruction.
  • Maintenance & Testing: Maintain monthly inspection checklists showing lock, sensor, and camera health, plus periodic tabletop / breach simulations with after-action reports.
  • Evidence Packaging: For each control, collect: policy section, configuration export (CSV/PDF), 30–90 day event/log extract, incident/maintenance ticket, training attendance list, and a signed attestation of compliance from the facility owner.

Small-business scenario: a 30-person engineering firm with a single office hosting CUI can implement a cost-effective solution — onsite server rack inside a lockable room, a single PoE door controller with proximity badges, a two-camera setup (entry + rack), and a paper/digital visitor log. For audit evidence: export the door controller's user list and access history for a sample 30-day window, provide dated maintenance receipts for locks, scan visitor sign-in sheets for the same 30 days, and include the Physical Security Policy signed by the owner. That simple, consistent package typically satisfies an auditor tracing PE.L2-3.10.2 to actual controls.

Technical details auditors will look for include configuration and time synchronization: ensure all access control, camera, and sensor logs are NTP-synced to an authoritative time source; export logs in native and common text/CSV formats where possible. Configure cameras to embed timestamp overlays and use at least 720p resolution for entry points (1080p recommended if budget allows). For door controllers, document whether locks are fail-secure (remain locked on power loss) or fail-safe and justify the choice based on safety and mission needs. Integrate controller logs into your SIEM or central log store (syslog over TLS) so you can produce filtered queries showing specific badge IDs, door IDs, and timestamps during an audit.

Compliance tips and best practices: map each checklist item to the specific control statement in your Compliance Framework traceability matrix and keep the traceability matrix current. Use consistent naming conventions for cameras/doors (e.g., BLDG1-RM101-DoorA) so exported logs are intelligible. Train non-IT staff who manage visitor logs and badge issuance — include them in periodic awareness sessions and retain attendance sheets as artifact evidence. Automate evidence collection where possible (scheduled exports, SIEM dashboards, automated retention snapshots) to reduce manual effort during audits.
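The checklist above asks for a user list with join/leave timestamps, proof that departed employees were deprovisioned, filtered log queries by badge ID and door ID, and consistent door naming. The following script, added here as an illustration and not taken from the post or from any door-controller vendor, reviews a controller export against those expectations for a sample 30-day window. The CSV column names, the `BLDG1-RM101-DoorA` naming pattern and all records are constructed assumptions; adapt them to your controller's actual export format.

```python
import csv
import io
import re
from datetime import datetime, timedelta, timezone

# Constructed sample exports (not from any real controller): the user list with
# join/leave timestamps and the access history the checklist asks you to export.
USERS_CSV = """badge_id,name,joined,left
B1001,Alice,2026-01-05T09:00:00Z,
B1002,Bob,2026-01-05T09:00:00Z,2026-03-20T17:00:00Z
B1003,Carol,2026-02-10T09:00:00Z,
"""

EVENTS_CSV = """timestamp,door_id,badge_id,result
2026-03-15T08:02:11Z,BLDG1-RM101-DoorA,B1001,granted
2026-03-21T07:45:03Z,BLDG1-RM101-DoorA,B1002,granted
2026-03-22T18:10:40Z,BLDG1-RM101-DoorA,B1002,denied
2026-03-25T12:00:00Z,bldg1 rack door,B1003,granted
2026-04-01T09:30:00Z,BLDG1-RM101-DoorA,B9999,granted
"""

# Assumed naming convention from the post's example (BLDG1-RM101-DoorA).
DOOR_NAME = re.compile(r"^BLDG\d+-RM\d+-Door[A-Z]$")

def parse_ts(s):
    """Exports are expected to carry NTP-synced UTC timestamps."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def review_access_export(users_csv, events_csv, window_end, window_days=30):
    """Return (finding, subject, timestamp) tuples an assessor would flag."""
    users = {r["badge_id"]: r for r in csv.DictReader(io.StringIO(users_csv))}
    start = window_end - timedelta(days=window_days)
    findings = []
    for ev in csv.DictReader(io.StringIO(events_csv)):
        ts = parse_ts(ev["timestamp"])
        if not (start <= ts <= window_end):
            continue  # outside the sample window requested for the audit
        if not DOOR_NAME.match(ev["door_id"]):
            findings.append(("bad_door_name", ev["door_id"], ev["timestamp"]))
        user = users.get(ev["badge_id"])
        if user is None:
            findings.append(("unknown_badge", ev["badge_id"], ev["timestamp"]))
        elif user["left"] and ts > parse_ts(user["left"]) and ev["result"] == "granted":
            # Badge still opened a CUI door after the HR departure date: deprovisioning gap
            findings.append(("access_after_departure", ev["badge_id"], ev["timestamp"]))
    return findings

def sample_findings():
    return review_access_export(USERS_CSV, EVENTS_CSV, parse_ts("2026-04-02T00:00:00Z"))

if __name__ == "__main__":
    for f in sample_findings():
        print(*f)
```

The denied event on the day after Bob's departure shows the deprovisioning eventually took effect; the granted event the day before it is the gap an assessor would want a change-control ticket to explain.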

The risk of not implementing PE.L2-3.10.2 properly is both operational and contractual: unauthorized physical access can lead to data theft, hardware tampering, or loss of CUI integrity; for DoD-covered contracts, failure to prove compliance can lead to contract termination, loss of future business, and remediation orders. From a security perspective, gaps in physical controls are often exploited as the easiest path to bypass logical controls — tailgating an employee, accessing unlocked server racks, or removing storage devices. Auditors will not accept lip service — they need reproducible evidence that controls operate consistently.

Summary: Build a concise, repeatable audit package for PE.L2-3.10.2 by documenting policy and procedures, deploying measurable physical controls, integrating logs and time synchronization, and packaging a consistent set of artifacts (config exports, logs, tickets, training, and test results). For small businesses, prioritize simple, well-documented controls (badge access, visitor logs, cameras, regular inspections) and automate evidence collection. With a mapped traceability matrix and an evidence cookbook for auditors, you’ll convert physical security requirements from a compliance burden into a routine, demonstrable set of practices.
