This post walks a small business through a practical, auditable 7-step process to conduct a physical access gap assessment that maps to FAR 52.204-21 and CMMC 2.0 Level 1 Control PE.L1-B.1.VIII, including concrete examples, technical checks, and remediation action items you can implement this week.
Background: why the physical access gap assessment matters for Compliance Framework
FAR 52.204-21 requires basic safeguarding of contractor information systems that process Federal Contract Information (FCI), and CMMC 2.0 Level 1 expects similar basic protections for handling unclassified but government-related data; PE.L1-B.1.VIII specifically calls for assessing physical access controls. Failing to conduct a gap assessment increases risks such as unauthorized onsite access to laptops or hard copies, inadvertent exposure of FCI/CUI, contract penalties, loss of future contracting opportunities, and supply-chain ramifications. For small businesses operating in shared office suites or multi-tenant buildings, this risk is high and frequently overlooked—a server cabinet in a coworking room or an unlocked spare office can expose FCI. Best practice under the Compliance Framework is to document scope, findings, evidence (photos, floorplans, logs), and a prioritized remediation plan so auditors and contracting officers can verify corrective actions.
7-Step Physical Access Gap Assessment
Step 1 — Define scope and objectives
Start by defining what you are protecting (FCI, CUI, workstations, servers, paper records), where it lives (offices, server closets, shared spaces, remote employee homes), and assessment objectives (identify unauthorized access paths, verify existing controls, produce remediation plan). For Compliance Framework alignment, explicitly state that the objective is to meet FAR 52.204-21 / CMMC PE.L1-B.1.VIII. Example: "Scope: main office floor (3 rooms), server closet, and receptionist area; Objective: confirm that all locations preventing unauthorized access to FCI are controlled or have documented compensating controls."
Step 2 — Inventory assets and classify zones
Create a quick asset inventory and classify facility zones by sensitivity (High: server room, locked file cabinets with FCI; Medium: workstations processing FCI; Low: lobby). Use a spreadsheet with columns for asset, location, owner, sensitivity, and evidence (photo, serial #). For small businesses, note shared infrastructure: if your office sits in a multi-tenant suite, mark shared corridors and elevators as lower control areas and identify where FCI enters higher-sensitivity zones (e.g., employee bringing a laptop past the lobby).
Step 3 — Map existing physical controls to a baseline
Document current controls: door hardware (deadbolts, electronic strikes, magnetic locks), access control systems (badges, PINs), visitor management (sign-in logs, escorts), CCTV (resolution, night vision, retention), locks on cabinets, and environmental controls for server spaces. Specify technical details: camera resolution (≥1080p recommended for identifying faces), field of view and placement (cover ingress/egress points, interior rack faces), access control system log retention (recommend 90 days minimum for incident investigations), and backup power for electronic locks. Map each control to the Compliance Framework requirement (e.g., "Badge access to server closet — matches PE.L1-B.1.VIII if logs retained and access limited to authorized personnel").
Step 4 — Perform physical inspection and tests
Walk the site with a checklist and take timestamped photos and floorplan annotations. Tests to perform: attempt badge/credential access (with permission) to ensure revocation works; check door prop detection (contact sensors); verify that windows and secondary exits are secured; inspect lock types (cylinder, mortise, electronic) and key control procedures; review CCTV angles and attempt a sample face match with recorded footage. For small offices, simulate common threats: delivery person access, contractor tradespeople, cleaning crews. Document each failed control as a discrete gap with severity (Critical/High/Medium/Low).
Step 5 — Analyze gaps and prioritize by risk
Convert findings into a gap register that lists the location, gap description, impact (loss of confidentiality, integrity, availability), likelihood, and recommended fix. Use a simple risk matrix: Critical = direct access to FCI or server equipment with no lock; High = shared office with unlocked workstations; Medium = CCTV blind spot; Low = inconsistent visitor log handwriting. For example, an unlocked server closet in a building where contractors frequently pass through is Critical: prioritize immediate remediation (add badge control, change locks, or enforce escorts).
Step 6 — Produce a remediation plan and implement compensating controls
Create a remediation plan with owner, timeline, cost estimate, and acceptance criteria for each gap. Small-business-friendly mitigation: if you can’t upgrade to electronic access immediately, implement compensating controls—store CUI in locked safes, require escorted visitors, enforce workstation lock screens with a 5-minute timeout, and use cable locks on laptops. Technical fixes: install a simple cloud-managed access control system ($300–$800 per door) that provides event logs; replace low-security cylindrical locks with Grade 2/3 deadbolts for server closets; add motion sensors to record after-hours movement. Ensure each fix has evidence artifacts (purchase receipts, installation photos, updated floorplans, test logs) for Compliance Framework audits.
Step 7 — Validate, document, and schedule continuous checks
After remediation, retest each control and produce a validation report: before/after photos, test logs (badge entries for 30 days), and a signed attestation from the facility owner or manager. Integrate periodic checks into your security calendar (quarterly walkthroughs, annual full assessments) and add physical access monitoring to your incident response plan (who investigates a badge anomaly, how long to preserve footage). For small businesses, automate reminders in your calendar or ticketing system and keep a binder or secure folder with current policies, visitor logs, and assessment reports for Contracting Officer verification.
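The following is an added example, not code from the original post: it takes constructed Step 4 walkthrough findings, rates each one with the Step 5 risk matrix and the Step 3 baseline thresholds (1080p cameras, 90-day access log retention), and emits the gap register ordered for the Step 6 remediation plan. The `Finding` fields, the control names, and the severity assigned to short log retention are assumptions made for the example.

```python
# Added example: Step 5 gap register built from constructed Step 4 findings.
from dataclasses import dataclass, field

MIN_CAMERA_PX = 1080         # Step 3: >=1080p recommended for identifying faces
MIN_LOG_RETENTION_DAYS = 90  # Step 3: 90 days minimum for incident investigations
RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

@dataclass
class Finding:
    location: str
    zone: str                  # sensitivity zone from Step 2: High / Medium / Low
    control: str               # lock, workstation, cctv, acs_logs, visitor_log (assumed names)
    observed: dict = field(default_factory=dict)  # what the walkthrough recorded

def rate(f: Finding):
    """Return (severity, recommended fix) per the Step 5 matrix, or None if no gap."""
    o = f.observed
    if f.control == "lock" and f.zone == "High" and not o.get("locked"):
        return "Critical", "add badge control or change locks; escorts until fixed"
    if f.control == "workstation" and o.get("shared_space") and not o.get("screen_lock"):
        return "High", "enforce 5-minute lock screen; cable locks on laptops"
    if f.control == "acs_logs" and o.get("retention_days", 0) < MIN_LOG_RETENTION_DAYS:
        return "High", "retain access logs >= 90 days"  # severity here is an assumption
    if f.control == "cctv" and (o.get("blind_spot") or o.get("height_px", 0) < MIN_CAMERA_PX):
        return "Medium", "reposition or upgrade camera to cover ingress at >= 1080p"
    if f.control == "visitor_log" and o.get("inconsistent"):
        return "Low", "standardize sign-in form and require escorts"
    return None

def build_gap_register(findings):
    """Gap register rows (location, control, severity, fix), highest severity first."""
    rows = []
    for f in findings:
        hit = rate(f)
        if hit:  # controls that meet the baseline are not recorded as gaps
            rows.append({"location": f.location, "control": f.control,
                         "severity": hit[0], "fix": hit[1]})
    return sorted(rows, key=lambda r: RANK[r["severity"]])

# Constructed sample findings from a walkthrough of a multi-tenant suite.
SAMPLE_FINDINGS = [
    Finding("lobby", "Low", "visitor_log", {"inconsistent": True}),
    Finding("server closet", "High", "lock", {"locked": False}),
    Finding("shared office", "Medium", "workstation", {"shared_space": True, "screen_lock": False}),
    Finding("rear corridor", "Low", "cctv", {"blind_spot": True, "height_px": 1080}),
    Finding("server closet door", "High", "acs_logs", {"retention_days": 30}),
    Finding("file room", "High", "lock", {"locked": True}),  # meets baseline: no gap
]
```

Each row carries the fix text that becomes the acceptance criterion in the remediation plan, and the severity order gives the timeline priority.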
Conclusion
Conducting a physical access gap assessment to satisfy FAR 52.204-21 and CMMC 2.0 Level 1 PE.L1-B.1.VIII is practical and affordable for small businesses when approached methodically: define scope, inventory and classify, map controls, test, analyze, remediate, and validate. Use clear documentation, prioritized remediation, and simple compensating controls where needed—capture evidence (photos, logs, receipts) to demonstrate compliance under the Compliance Framework. Doing this reduces the risk of unauthorized access to FCI/CUI, protects your contracts, and builds a repeatable process that scales as your organization grows.