PE.L2-3.10.1 requires organizations to limit physical access to facilities, systems, and areas where Controlled Unclassified Information (CUI) is created, processed, stored, or transmitted; this guide provides step-by-step, practical instructions for small to mid-sized organizations to implement effective physical access controls that satisfy NIST SP 800-171 Rev.2 and CMMC 2.0 Level 2 expectations.
1) Scope, Inventory, and Risk-Based Zoning
Begin by scoping: identify all spaces where CUI exists (offices, server rooms, employee laptops when on-premises, network closets, printers, removable media storage). Create an asset inventory that maps CUI to physical locations and devices (e.g., Server A in Rack 2, Conference Room B printer holding CUI). Perform a simple risk assessment to create zones (Public, Staff-only, CUI), then enforce the strictest controls on the CUI zone. For small businesses a one-room office can be split logically: general workspace (staff-only) and a locked CUI cabinet/room for systems and backups.
2) Physical Access Controls — Design and Technology
Choose controls appropriate to the zone: mechanical locks for low-risk storage, electronic access control for CUI rooms. Recommended stack: audited badge access with a PACS (Physical Access Control System), PoE door controllers, encrypted card readers using OSDP or modern smart-card readers (HID iCLASS, FIPS-compliant credentials), and enterprise directory integration (RADIUS/LDAP/Active Directory) so user identities map to badges and are deprovisioned automatically. For server racks, use keyed or electronic rack locks with tamper-evident seals and unique asset tags. Consider two-person or dual-authentication for high-impact actions (e.g., entering the server room after hours or accessing backup media).
Technical configuration details
Put PACS on a dedicated management VLAN and firewall rule set restricting management ports. Ensure controllers and readers use TLS or secure OSDP where available; avoid unsecured Wiegand. Configure authentication to use unique user IDs (no shared keys), enforce time-based access where needed (business hours vs. after-hours), and enable event forwarding to a central SIEM or log server. Set event log retention to meet your policy (commonly 1 year for access logs related to CUI), and synchronize all devices via NTP to ensure accurate timestamps for audit trails.
3) Monitoring, CCTV, and Environmental Controls
Integrate CCTV cameras to cover entry points, server racks, and CUI storage areas. Practical small-business setup: 1080p cameras with motion detection, PoE NVR with RAID1 or RAID5 storage, 90–180 day retention depending on risk and storage budget. Configure cameras to record on motion with pre- and post-buffering (5–15 seconds) and ensure video integrity by storing hashes or using signed recordings. Add environmental sensors (temperature, humidity, water/leak) in server rooms and ensure alarms notify administrators via SMS/email and create incident tickets automatically.
4) Operational Controls — Visitor Management, Policies, and Training
Implement procedural controls: visitor sign-in with ID verification, escorts for non-cleared personnel, and clear desk/nightly lock procedures. Write short, enforceable policies: CUI control policy, visitor/escort policy, equipment removal policy, and separation of duties. Conduct an initial training session explaining the policies and run quarterly refreshers; include examples (e.g., "Do not prop CUI room doors open," "Lock laptops when unattended"). Keep a log of issued badges, revoke access immediately on termination, and perform quarterly access reviews to remove stale accounts.
5) Small-Business Scenarios and Practical Examples
Scenario A — 25-employee defense subcontractor in a leased office: negotiate lease language to allow electronic door locks and CCTV; if landlord disallows, isolate CUI on a locked rack or cabinet, use cable locks for laptops, and store backups in encrypted, locked media. Scenario B — coworking space: avoid storing CUI in open areas—use encrypted USBs in a lockbox and require employees to use privacy screens and cable locks; consider remote work policies limiting CUI access to company-managed VPN endpoints rather than on-site devices. Scenario C — remote server hosting: if you use colo or cloud, ensure the provider supplies physical access logs, restricted access controls, and chain-of-custody procedures for storage media; require an SLA clause that supports audits.
6) Testing, Audits, and Evidence Collection
Test your controls: run a physical access test (attempt to enter CUI zones during and outside business hours), validate logs, and simulate badge revocation. Maintain evidence: access control configuration screenshots, badge issuance records, visitor logs, CCTV exports, quarterly access reviews, training attendance records, and maintenance records for locks and cameras. For assessments, package evidence logically (policy → implementation → logs → test results) so an assessor can trace requirement to proof. Create a Plan of Actions & Milestones (POA&M) for gaps with realistic remediation timelines.
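The quarterly access review in section 4 and the log validation and badge-revocation test in section 6 can be carried out over a PACS event export. The script below is an added example, not part of this guide or of any PACS vendor's tooling; the CSV export format, the roster structure, badge IDs, door names and business hours are all constructed assumptions. It flags badges opening doors that are no longer on the directory roster (revocation failed), grants to zones the directory does not entitle, after-hours entry to the CUI zone by users without after-hours entitlement, and issued badges with no use in the review window.

```python
import csv
from datetime import datetime, timedelta
from io import StringIO
# Constructed sample export of access-granted events from the PACS (not a real vendor format)
PACS_EVENTS = """timestamp,badge_id,door,zone,result
2024-05-02T09:14:00,B1001,SRV-RM,CUI,GRANTED
2024-05-02T21:40:00,B1002,SRV-RM,CUI,GRANTED
2024-05-03T10:05:00,B1003,FRONT,STAFF,GRANTED
2024-05-03T11:00:00,B1002,FRONT,STAFF,GRANTED
2024-05-04T08:30:00,B1001,SRV-RM,CUI,GRANTED
"""
# Constructed roster from the directory: badge_id -> (user, entitled zones, after-hours allowed)
ROSTER = {
    "B1001": ("alice", {"STAFF", "CUI"}, True),
    "B1002": ("bob", {"STAFF", "CUI"}, False),
    "B1004": ("dana", {"STAFF"}, False),   # badge issued but never used
}
BUSINESS_HOURS = (8, 18)  # 08:00-18:00 local time, Monday to Friday

def is_after_hours(ts):
    return ts.weekday() >= 5 or not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1])

def review(events_csv, roster, review_end, stale_days=90):
    """Return review findings: unknown badges, unentitled zone use, after-hours CUI entry, unused badges."""
    end = datetime.fromisoformat(review_end)
    findings = {"not_on_roster": [], "zone_not_entitled": [], "after_hours_cui": [], "unused_badges": []}
    last_seen = {}
    for row in csv.DictReader(StringIO(events_csv)):
        if row["result"] != "GRANTED":        # denied attempts are reviewed separately
            continue
        ts = datetime.fromisoformat(row["timestamp"])
        badge = row["badge_id"]
        last_seen[badge] = max(ts, last_seen.get(badge, ts))
        if badge not in roster:                # terminated or unknown badge still opening doors
            findings["not_on_roster"].append((badge, row["door"], row["timestamp"]))
            continue
        _, zones, after_hours_ok = roster[badge]
        if row["zone"] not in zones:           # PACS grants more than the directory entitles
            findings["zone_not_entitled"].append((badge, row["zone"], row["timestamp"]))
        if row["zone"] == "CUI" and is_after_hours(ts) and not after_hours_ok:
            findings["after_hours_cui"].append((badge, row["door"], row["timestamp"]))
    cutoff = end - timedelta(days=stale_days)
    for badge in roster:                        # issued badges with no use in the window
        if last_seen.get(badge, datetime.min) < cutoff:
            findings["unused_badges"].append(badge)
    return findings

if __name__ == "__main__":
    for kind, items in review(PACS_EVENTS, ROSTER, "2024-06-30").items():
        print(kind, items)
```

Each finding list, together with the export it was derived from, is the kind of evidence an assessor can trace from the access review policy to proof that it was performed.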
7) Risks of Non-Implementation and Compliance Tips
Failing to implement PE.L2-3.10.1 increases the risk of unauthorized access to CUI, data exfiltration, lost contracts, and regulatory penalties. Even a single stolen laptop or unaudited visit can lead to a reportable compromise. Compliance tips: scope narrowly to where CUI truly exists to reduce burden; automate deprovisioning with identity and access management; use encrypted storage for all CUI so a physical breach yields limited exposure; document compensating controls when physical changes are constrained (e.g., using encrypted containers and strict escort policies in a shared office).
In summary, implementing PE.L2-3.10.1 is a mix of good policy, appropriate technology, and repeatable operational practices: scope and zone your facilities, deploy audited electronic access where feasible, integrate PACS with enterprise identity services, monitor and retain logs, and enforce visitor and training policies. For small businesses, focus on pragmatic controls—locked cabinets, unique badges, CCTV, encrypted media, rapid deprovisioning, and clear evidence collection—to meet NIST SP 800-171 Rev.2 and CMMC 2.0 Level 2 requirements effectively and affordably.