This post shows how to build an audit-ready physical security program that satisfies NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 control PE.L2-3.10.1 (limit physical access to Controlled Unclassified Information, CUI), with practical steps, technical implementation advice, small-business scenarios, and a ready-to-use checklist for auditors.
Understand the control and scope it for your environment
PE.L2-3.10.1 (the CMMC practice for NIST SP 800-171 requirement 3.10.1) requires you to limit physical access to organizational systems, equipment, and their operating environments to authorized individuals; in practice that means mapping where CUI resides (workstations, file cabinets, server rooms, media storage, printers) and defining physical boundaries and zones (public, restricted, secure). Start by inventorying the CUI types you handle and the physical locations where that CUI is processed, stored, or displayed. For a small business that might be a single office, an off-site meeting room, and an on-prem backup box that mirrors data held at a cloud provider. The office, meeting room, and backup box are scope items; the cloud provider's data center is not your physical scope, but you should record the provider's own attestation (for example a FedRAMP authorization) as the basis for inheriting that part of the control.
Risk assessment and zoning — practical steps
Perform a simple physical security risk assessment that scores each location on factors such as CUI sensitivity, likelihood of unauthorized access, and impact. Use a three-zone model: public (reception, lobby), restricted (work areas with user laptops and printers), and secure (server room, locked cabinets, backup media). A small web-dev shop example: the public zone is the lobby and conference room, restricted zones are developer desks, and the secure zone is the locked IT closet with the NAS containing source and client data. Document the assessment and the rationale for zoning before implementing controls — auditors expect evidence of scoping and risk-based decisions.
Policies, procedures, and organizational controls
Create a short, targeted Physical Access Policy and supporting procedures that describe who can access which zones, the visitor escort process, badge issuance and revocation, key management, and how physical incidents are reported. Include HR integration procedures: onboarding forms that request access levels, and offboarding checklists that revoke badges, collect keys, and ensure account deprovisioning. For a small business this can be a one-page policy plus a few checklists; auditors want to see that the decisions are documented and followed consistently.
Technical controls and configuration details
Implement technical controls that enforce the policy: badge-based door readers with access control lists (ACLs), electronic locks on server cabinets, CCTV covering secure zones with recordings stored where they cannot be deleted by the people being monitored, and tamper-evident seals for removable media. Configuration details auditors look for: each door reader must log badge ID, timestamp, door ID, and whether access was granted or denied; reader and recorder clocks synchronized via NTP so physical logs can be correlated with system logs; a log retention policy that covers at least the assessment period, with logs exportable as CSV or PDF; and integration between the access control system and your identity source (Active Directory, Microsoft Entra ID, formerly Azure AD) so badge deprovisioning happens automatically when HR disables the account rather than waiting on a manual ticket. For small businesses, cloud-managed access control (SaaS providers) offers low upfront cost and APIs for log export and automated revocation.
Cost-effective technical options for small businesses
If budget is limited, combine pragmatic measures: smart locks that generate audit logs, a cloud CCTV service that stores 90 days of footage, a tablet-based visitor sign-in that emails escorts and records visitor names, and rack-level cable/door locks for the NAS. Use full-disk encryption with a pre-boot PIN or TPM-backed key, plus MFA for login, so a laptop stolen from a restricted area does not become a CUI disclosure; note that full-disk encryption only protects a device that is powered off or locked with its keys evicted from memory, so require laptops to be shut down or hibernated, not merely suspended, when left unattended. Keep an offline inventory of media and an incremental encrypted backup stored in a locked container or a secure cloud with audit trails.
Operational controls, monitoring and audit evidence
Operationalize the controls: perform monthly access reviews (list of current badge holders and their authorized zones), quarterly physical inspections of locks and cameras, and logging of maintenance and incidents. Maintain evidence artifacts for auditors: the physical security policy, the CUI inventory and scope diagram, signed visitor logs, access control log exports, camera footage snapshots showing camera placement, access review spreadsheets, key assignment records, and training attendance records. A small business can prepare an evidence packet (PDFs organized by control) to expedite an auditor’s work.
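The door-reader log fields called out above (badge ID, timestamp, door ID, result) and the monthly access review are easier to defend to an auditor if the reconciliation is scripted rather than eyeballed. The following is an added example, not code from the original post or from any access control vendor: it takes a constructed identity/HR export and a constructed door-reader export, flags badge events that violate the zoning policy (unknown badge, badge used after the holder's termination date, disabled account granted access, or access to a zone the holder is not authorized for), and produces the badge-holder list for the monthly review. The CSV column names, the door-to-zone mapping, and the ISO-8601 UTC timestamp format are assumptions; adapt them to whatever your access control system and identity source actually export.

```python
"""Reconcile door-reader logs against an identity export and build the access review.

All data below is constructed sample input, not real logs. Column names and the
door-to-zone mapping are assumptions; adapt to your own exports.
"""
import csv
import io
from datetime import datetime, timezone

# Constructed identity/HR export. 'zones' is a ';'-separated list of authorized zones.
IDENTITY_CSV = """user,badge_id,status,zones,terminated_at
alice,B1001,active,restricted;secure,
bob,B1002,active,restricted,
carol,B1003,disabled,restricted;secure,2024-03-01T17:00:00Z
"""

# Constructed door-reader export: badge_id, UTC timestamp, door_id, result.
READER_CSV = """badge_id,timestamp,door_id,result
B1001,2024-03-02T08:05:00Z,D-SECURE-1,granted
B1002,2024-03-02T08:10:00Z,D-RESTRICTED-1,granted
B1003,2024-03-02T18:30:00Z,D-SECURE-1,granted
B1002,2024-03-02T19:00:00Z,D-SECURE-1,granted
B9999,2024-03-03T02:00:00Z,D-SECURE-1,granted
"""

# Assumed mapping from door IDs to the zones in your scope diagram.
DOOR_ZONES = {"D-RESTRICTED-1": "restricted", "D-SECURE-1": "secure"}


def parse_ts(text):
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z' (assumed export format)."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_identities(text):
    """Index the identity export by badge ID."""
    people = {}
    for row in csv.DictReader(io.StringIO(text)):
        people[row["badge_id"]] = {
            "user": row["user"],
            "status": row["status"],
            "zones": {z for z in row["zones"].split(";") if z},
            "terminated_at": parse_ts(row["terminated_at"]) if row["terminated_at"] else None,
        }
    return people


def load_events(text):
    """Parse the door-reader export, adding a parsed datetime under 'ts'."""
    return [dict(row, ts=parse_ts(row["timestamp"])) for row in csv.DictReader(io.StringIO(text))]


def find_exceptions(people, events):
    """Return (badge_id, door_id, timestamp, reason) for granted events that violate policy.

    Denied events are skipped here; repeated denials at a secure door deserve their
    own review but are a different question from 'who got in that should not have'.
    """
    findings = []
    for e in events:
        if e["result"] != "granted":
            continue
        key = (e["badge_id"], e["door_id"], e["timestamp"])
        person = people.get(e["badge_id"])
        if person is None:
            findings.append(key + ("unknown badge",))
        elif person["terminated_at"] and e["ts"] > person["terminated_at"]:
            findings.append(key + ("badge used after termination",))
        elif person["status"] != "active":
            findings.append(key + ("disabled user granted access",))
        else:
            zone = DOOR_ZONES.get(e["door_id"])
            if zone not in person["zones"]:
                findings.append(key + (f"not authorized for zone {zone}",))
    return findings


def access_review(people):
    """Rows for the monthly review: active badge holders and their authorized zones."""
    return sorted(
        (p["user"], badge, ",".join(sorted(p["zones"])))
        for badge, p in people.items()
        if p["status"] == "active"
    )


if __name__ == "__main__":
    people = load_identities(IDENTITY_CSV)
    for finding in find_exceptions(people, load_events(READER_CSV)):
        print("EXCEPTION", *finding)
    for row in access_review(people):
        print("REVIEW", *row)
```

Run it against the real exports on the same schedule as the access review and keep the output with the review spreadsheet; the exceptions list becomes the corrective-action log the checklist below asks for, and an empty exceptions list is itself evidence that revocation is working.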
Checklist — what to prepare for an audit (PE.L2-3.10.1)
- Documented CUI inventory and physical scope diagram (map of zones and where CUI lives) — evidence: diagram PDF and inventory spreadsheet.
- Physical Access Policy & Procedures — evidence: signed policy document and procedures for escorting, key management, badge issuance.
- Access control hardware in place for secure zones — evidence: photos, procurement invoices, device list with firmware versions.
- Door reader logs showing badge ID, timestamp, and door ID — evidence: exported logs for a sample period.
- Visitor management records and escort logs — evidence: sign-in sheets or electronic visitor log exports.
- Badge issuance and revocation records tied to HR events — evidence: onboarding/offboarding tickets and access change logs.
- Key and physical token inventory (who holds keys) — evidence: signed key assignment forms or ledger.
- CCTV placement and retention evidence — evidence: recorded clip, camera placement diagram, retention policy.
- Periodic access reviews and corrective action logs — evidence: review spreadsheets and change tickets.
- Server rack and media storage locks, and media handling procedures — evidence: photos and media chain-of-custody forms.
- Training records for physical security and CUI handling — evidence: training attendance lists, slides or sign-offs.
- Incident logs for physical security events and follow-up actions — evidence: incident report and remediation tickets.
- Maintenance records for physical security devices (battery changes, firmware updates) — evidence: maintenance schedule and completed tasks.
- Integration proof between identity system and access control (if used) — evidence: configuration screenshots, API/SCIM rules.
Common pitfalls, risks, and compliance tips
Risks of not implementing these controls include unauthorized access to and exfiltration of CUI, loss of contract eligibility, potential False Claims Act liability if compliance is misrepresented in a self-assessment, and reputational damage. Common small-business pitfalls: not scoping CUI (so controls are misapplied or applied everywhere at unnecessary cost), failing to revoke access promptly after termination, relying solely on physical locks without logging, and not retaining evidence for the auditor’s required timeframe. Tips: automate badge revocation with HR-driven workflows, schedule recurring access reviews in your calendar system, keep a single “evidence index” document that points to each artifact an auditor will request, and conduct a mock audit quarterly to find gaps.
In summary, meeting PE.L2-3.10.1 requires a focused mix of scoping, policy, technical controls, and operational discipline — all documented and measurable. For small businesses, prioritize identifying where CUI lives, implementing low-cost but auditable access controls, integrating access changes with HR, and keeping a compact evidence package (policy, logs, visitor records, access reviews, and camera snapshots). Follow the checklist above, run regular reviews, and you’ll be well-prepared to demonstrate compliance to auditors and protect your organization’s CUI.