
How to Conduct a Gap Assessment and Remediation Plan for PE.L1-B.1.IX (FAR 52.204-21 / CMMC 2.0 Level 1 - Control - PE.L1-B.1.IX)

Practical steps to assess gaps and build a remediation plan to meet PE.L1-B.1.IX under FAR 52.204-21 / CMMC 2.0 Level 1 for small businesses handling federal contract information.

March 29, 2026 | 5 min read



This post explains, in practical steps and with real-world small-business examples, how to perform a gap assessment and build a remediation plan for PE.L1-B.1.IX (the CMMC 2.0 Level 1 / FAR 52.204-21 physical protection-related control), so you can demonstrate compliance, reduce risk, and prepare evidence for audits or contract reviews.

Understanding PE.L1-B.1.IX and the compliance objective

CMMC Level 1 practices are the basic safeguarding requirements of FAR 52.204-21(b)(1), and PE.L1-B.1.IX is requirement (ix): escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices. Its companion, requirement (viii) (PE.L1-B.1.VIII), limits physical access to systems, equipment, and their operating environments to authorized individuals. Read together, the objective is simple: only authorized personnel reach the rooms, devices, and media that hold Federal Contract Information (FCI); every visitor is escorted and recorded; there is a log of who entered controlled areas and when; and you can show who holds each key, badge, or door code and that access is revoked when people leave. For small businesses, this typically covers office spaces, server closets, laptops, removable media, and any shared devices.

Scoping: define boundaries before you start

Begin your gap assessment by scoping: identify where FCI resides or transits. Create a simple inventory of physical locations (offices, conference rooms, storage areas), devices (workstations, laptops, printers, NAS), and media (USB drives, external HDDs, printed documents). Because the control also covers physical access devices, inventory the keys, badges, fobs, and door codes that open each location and who holds them. For small businesses, include remote workers' home offices and co-working spaces in scope: if a home laptop accesses FCI, its physical security counts. Record each asset's owner, location, and category (stationary device, mobile device, removable media, paper, access device).

Example: scoping for a 12-person contractor

A 12-person subcontractor has a single leased office, 6 laptops, 2 desktop workstations, a networked printer, a small server rack in a closet, and occasional on-site visits by customer personnel. Scope includes the locked office, the server closet, all laptops (including those used remotely), the printer's output tray, a printed binder of contract data stored in a locked filing cabinet, and the office keys and closet key held by staff. The assessment should explicitly call out each of these.

Gap assessment steps and evidence collection

Run a checklist-based assessment for each scoped item. For physical access controls, verify: (a) presence of locks (office doors, server cabinets), (b) access control procedures (visitor sign-in, escorting, and a badge or sticker that identifies visitors), (c) logging/audit evidence (visitor log entries, keycard logs or lock audit trails), (d) control of physical access devices (a current list of who holds which keys, badges, and codes, and a record of codes being changed when someone leaves), (e) media protection (locked storage for removable media and printed documents), and (f) endpoint physical protections (cable locks for laptops at the office, secure storage for devices overnight). Capture photographic evidence, policy documents, and system logs where available.

Tools and techniques for efficient assessment

Use a simple spreadsheet or a ticketing template that lists control objectives, current state, evidence links, and a risk rating (e.g., High/Medium/Low). For example: "Server closet unlocked during business hours" (Evidence: photo; Risk: Medium). Technical checks can include inserting a test USB storage device into a workstation (with written permission) to confirm that removable storage is physically or policy-blocked, and validating that BitLocker is enabled on all laptops by checking encryption status via Microsoft Intune or a local management console. Record the result of each check as evidence, not just a pass/fail tick.
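The two endpoint checks above can be scripted so that every in-scope Windows machine produces the same evidence row. The script below is an added example written for this post, not code from the original article or from any vendor it mentions. It assumes Windows 10/11 Pro or Enterprise (the built-in BitLocker PowerShell module is required), an elevated prompt, and an output path on the user's desktop that is an arbitrary choice; the registry locations are the standard ones Windows uses for the USBSTOR driver and the "Removable Storage Access" group policy.

```powershell
# Added example for this post: collect endpoint evidence for the PE.L1-B.1.IX
# gap assessment (disk encryption + removable-storage restrictions) from one
# Windows 10/11 Pro/Enterprise host. Run from an elevated PowerShell prompt and
# attach the resulting CSV row to the gap-assessment tracker or remediation ticket.
$ErrorActionPreference = 'Stop'

function Get-PhysicalProtectionEvidence {
    $row = [ordered]@{
        Hostname     = $env:COMPUTERNAME
        CollectedUtc = (Get-Date).ToUniversalTime().ToString('o')
    }

    # --- Check 1: full-disk encryption on the OS volume -----------------------
    # Get-BitLockerVolume comes from the BitLocker module shipped with Pro/Enterprise.
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $row.BitLockerProtection    = [string]$os.ProtectionStatus   # want 'On'
    $row.BitLockerVolumeStatus  = [string]$os.VolumeStatus       # want 'FullyEncrypted'
    $row.BitLockerKeyProtectors = ($os.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType }) -join ';'
    # 'On' alone is not enough: a volume still encrypting is not yet protected.
    $row.BitLockerCompliant = ($os.ProtectionStatus -eq 'On' -and $os.VolumeStatus -eq 'FullyEncrypted')

    # --- Check 2: removable storage restrictions ------------------------------
    # (a) USBSTOR driver start type: 4 = disabled, so USB mass storage cannot load at all.
    $usbStart = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name Start).Start
    $row.UsbStorStart = $usbStart

    # (b) Group Policy "Removable Storage Access" (Computer Configuration > Administrative
    #     Templates > System > Removable Storage Access) writes Deny_* values under this key.
    $rsd            = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
    $removableDisks = Join-Path $rsd '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'   # "Removable Disks" device class
    $denyAll   = (Get-ItemProperty -Path $rsd            -Name Deny_All   -ErrorAction SilentlyContinue).Deny_All
    $denyRead  = (Get-ItemProperty -Path $removableDisks -Name Deny_Read  -ErrorAction SilentlyContinue).Deny_Read
    $denyWrite = (Get-ItemProperty -Path $removableDisks -Name Deny_Write -ErrorAction SilentlyContinue).Deny_Write
    $row.RemovableDenyAll   = $denyAll
    $row.RemovableDenyRead  = $denyRead
    $row.RemovableDenyWrite = $denyWrite
    # Restricted only if the driver is disabled, or policy denies all access, or it
    # denies both read and write. A write-only block still lets someone run tools
    # from a stick, so it is recorded above but not counted as compliant here.
    $row.RemovableStorageRestricted = ($usbStart -eq 4 -or $denyAll -eq 1 -or ($denyRead -eq 1 -and $denyWrite -eq 1))

    [pscustomobject]$row
}

$evidence = Get-PhysicalProtectionEvidence
$evidence | Format-List

# Assumed output location; point this at wherever your tracker stores attachments.
$csv = Join-Path $env:USERPROFILE "Desktop\pe-evidence-$($env:COMPUTERNAME).csv"
$evidence | Export-Csv -Path $csv -NoTypeInformation
Write-Host "Evidence written to $csv"
```

Run it on each scoped laptop and workstation and keep the CSV rows with the assessment: a row showing BitLockerCompliant = False or RemovableStorageRestricted = False is the gap, and a later row from the same host is the closure evidence. If you manage devices through Intune, the equivalent data is in the device encryption and configuration profile reports, but a local export like this one is useful for the machines that are not enrolled.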

Risk scoring and prioritization

Prioritize gaps that enable immediate unauthorized access to FCI: unsecured server closets, shared office doors without locks, unencrypted laptops, or removable media stored in unlocked locations. Assign a risk score that factors in likelihood and impact—e.g., a lost unencrypted laptop with FCI = High. For small businesses with limited resources, prioritize low-cost, high-impact mitigations first: enforce laptop encryption, implement visitor logs, and lock server closets.

Build a practical remediation plan

Turn assessments into a remediation plan with clear actions, owners, deadlines, and acceptance criteria. Structure the plan by buckets: Quick Wins (0–30 days), Medium-term (30–90 days), and Long-term (>90 days). Quick Wins might include enabling BitLocker, creating a visitor sign-in sheet and policy, and adding cable locks to in-office laptops. Medium-term actions can be installing keypad locks or smart locks with audit trails on the main office door and server closet, and implementing USB port control via group policy. Long-term items could include CCTV for entry points and formal vendor contracts for managed lock systems.

Sample remediation item with acceptance criteria

Remediation: "Install an electronic keypad lock on the server closet." Owner: Office Manager / IT Lead. Deadline: 45 days. Acceptance criteria: photographs of the installed lock, an exported audit log showing at least one valid code entry with the date, time, and user, an updated access control policy listing authorized personnel and the procedure for changing codes when someone leaves, and a documented test showing that an invalid code does not open the door. Track progress in a central ticket and attach the evidence to the ticket when complete.

Technical details and small-business cost-effective controls

For small organizations, practical technical controls include: enabling full-disk encryption (BitLocker or FileVault) on all laptops; disabling or restricting USB ports via OS settings or endpoint management (Intune, Jamf); using smart locks with audit capability (Yale/Schlage with cloud logs) or inexpensive keypad locks with changeable codes; using locked filing cabinets for printed FCI; and employing VLAN segmentation and NAC to limit what a guest device can reach if it is physically plugged into your network. Note that encryption and port restrictions do not by themselves satisfy a physical-access requirement; they limit the damage when a physical control fails (a laptop is stolen, a visitor is left alone with a workstation), which is why assessors still want to see them alongside the locks and logs. These measures balance cost and compliance: a keypad lock ($100 to $300) and BitLocker (included in Windows Pro) are inexpensive but effective.

Compliance tips, documentation, and evidence for auditors

Auditors want to see reproducible evidence: policies that cover physical access, visitor logs, photos of locked areas, exportable logs from electronic locks, screenshots or reports proving device encryption, and signed training records showing employees were briefed on physical protection procedures. Maintain a remediation tracker with status, owner, completion date, and attachments. Also include a small-business-specific "acceptance test" for each remediation (e.g., on-site demo with auditor or screenshot log exports).

Risks of non-implementation

Failing to implement PE.L1-B.1.IX exposes your business to tangible risks: unauthorized access to FCI, data breaches, contract non-compliance that can lead to penalties or contract termination, reputational damage, and downstream impacts like loss of eligibility for future federal contracts. For small companies, a single lost unencrypted laptop or unlocked server closet can quickly escalate to a reportable incident and expensive response activities.

Summary: Conduct a scoped, checklist-driven gap assessment; collect verifiable evidence; prioritize high-risk, low-cost mitigations first; create a remediation plan with owners and acceptance criteria; and maintain documentation for auditors. By following these practical steps and examples, such as enabling full-disk encryption, using keyed locks with a tracked key list or electronic locks with audit trails, enforcing visitor escort and sign-in procedures, and tracking remediation progress, you can cost-effectively meet PE.L1-B.1.IX under FAR 52.204-21 and CMMC 2.0 Level 1 and significantly reduce the risk of unauthorized physical access to FCI.

 
