
How to Implement Physical Access Controls to Limit Physical Access to Systems for FAR 52.204-21 / CMMC 2.0 Level 1 - Control - PE.L1-B.1.VIII (Step-by-Step Checklist)

Step-by-step, practical checklist to implement physical access controls that satisfy FAR 52.204-21 and CMMC 2.0 Level 1 PE.L1-B.1.VIII for small businesses.

April 12, 2026


This post gives a practical, step-by-step checklist to implement physical access controls that limit physical access to systems in order to satisfy FAR 52.204-21 and CMMC 2.0 Level 1 (PE.L1-B.1.VIII), with actionable guidance, small-business examples, technical details, compliance evidence to collect, and risks to avoid.

Step-by-step checklist

1) Scope and classify physical assets: Start by identifying and documenting all locations that house systems processing or storing federal contract information (FCI) or controlled information. Create a concise inventory that includes server rooms, network closets, employee workstations that handle FCI, external storage (safes, cabinets) and any colocated/leased spaces. Example (small business): for a 12-person consultancy, scope might be the main office server closet, five desktops used for contract work, and a laptop charging cabinet—each item should have an owner, serial number, and physical location recorded.

2) Perform a physical risk assessment and set protection goals: For each scoped asset, evaluate threats (unauthorized employees, visitors, cleaners, contractors, tailgating, theft), vulnerabilities (unlocked doors, unsecured server racks, exposed ports), and impact (loss of FCI, contract penalties). Assign protection levels (e.g., high for server rack, medium for laptops). The output should inform required controls (locks, badge readers, CCTV) and minimum evidence retention (logs, video retention period).

3) Implement layered physical controls: Apply defense-in-depth: primary door access control (electronic badge reader or keypad), secondary server-room locks (mechanical deadbolt plus electronic override, or a smart lock), and equipment-level controls (rack-mounted locks, cable locks for laptops). Technical detail: use PoE-enabled door controllers that support RADIUS/LDAP integration to centralize access lists and timestamped events; configure time-based access windows, and choose fail-secure (door stays locked on power loss) or fail-safe (door unlocks on power loss) behaviour per location, keeping life-safety egress requirements in mind. Small-business example: replace a keyed office closet with an electronic keypad or low-cost RFID reader tied to a cloud access control service that provides audit logs.

4) Establish visitor and contractor procedures: Require sign-in, ID verification, and an escort policy for visitors in sensitive areas. Maintain a physical visitor log or an electronic sign-in system that records name, company, purpose, badge issued, escort name, entry/exit time, and items removed. Terminate temporary access automatically at end-of-visit. For contract staff, require background checks when appropriate, and add them to the access control system with expiration dates so access is automatically revoked.

5) Harden endpoints and local devices: Use full-disk encryption (e.g., BitLocker with TPM, FileVault) for laptops and desktops that handle FCI; enable BIOS/UEFI passwords, disable boot from USB/CD in firmware, and implement port controls (disable USB ports or use endpoint security tooling). For sensitive fixed systems, use rack locks, locked enclosures, or secure cabinets. Small-business example: a firm can deploy BitLocker with recovery-key escrow (Azure AD or a local key escrow server) and use physical Kensington locks on desktops in shared spaces.

6) Monitoring, logging, and evidence collection: Deploy video surveillance for entrances and server rooms with tamper detection and store footage on an NVR or cloud service on a segmented security VLAN. Configure door controllers, visitor logs, and camera NVRs to forward logs to a central syslog server or managed SIEM; if you don't have a SIEM, export CSV audit logs monthly and archive them. Retention: define policy (common practical retention: 30–90 days for video, 90–365 days for access logs depending on contract obligations) and retain signed artifacts like badge assignments, revocation records, and visitor logs as part of compliance evidence.

Compliance tips and best practices

7) Policy, process, and deprovisioning: Create a short written policy that defines who may enter sensitive areas, how keys/cards are issued and returned, the process for employee termination or role change, and a schedule for access reviews (quarterly recommended for small businesses). Evidence items auditors expect: access review records, a written visitor policy, badge issuance logs, and change tickets proving access removal. Best practice: integrate physical access deprovision into HR offboarding workflows so card deactivation is part of the termination checklist.
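Steps 4, 6 and 7 above all come down to the same recurring task: take the access-control system's CSV export, compare it with the HR roster, and produce the findings an access review should record (contractor cards past their expiration date, cards still active for terminated staff, after-hours entries, and repeated denied attempts at a sensitive door). The script below is an added example written for this post, not code from the page's author or from any access-control vendor; the CSV column names, card IDs, people, timestamps, the 07:00-19:00 access window and the three-denial threshold are all constructed assumptions, so adapt the column mapping to whatever your controller actually exports.

```python
"""Quarterly physical access review over constructed CSV exports.

Reconciles card assignments and door events from a hypothetical access-control
export against a hypothetical HR roster. Every name, card ID, timestamp and
column name here is made up for illustration.
"""
import csv
import io
from datetime import datetime, time

# Constructed sample of the access-control system's card-assignment export.
CARDS_CSV = """card_id,holder,type,status,expires
1001,Alice Example,employee,active,
1002,Bob Example,employee,active,
1003,Carol Contractor,contractor,active,2026-03-31
1004,Dan Former,employee,active,
1005,Eve Visitor,visitor,revoked,2026-04-01
"""

# Constructed sample of the HR roster.
ROSTER_CSV = """name,employment_status,termination_date
Alice Example,active,
Bob Example,active,
Carol Contractor,active,
Dan Former,terminated,2026-03-15
"""

# Constructed sample of the door-controller event export.
EVENTS_CSV = """timestamp,door,card_id,result
2026-04-06T08:55:12,server_closet,1001,granted
2026-04-06T22:41:03,server_closet,1002,granted
2026-04-07T09:10:44,server_closet,1004,granted
2026-04-07T13:02:19,server_closet,1005,denied
2026-04-07T13:02:31,server_closet,1005,denied
2026-04-07T13:02:45,server_closet,1005,denied
"""

# Policy assumptions (hypothetical): permitted access window for the server
# closet, and how many consecutive denials at one door warrant a follow-up.
ACCESS_WINDOW = (time(7, 0), time(19, 0))
DENIAL_THRESHOLD = 3


def load_csv(text):
    """Parse a CSV export held in memory into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def review_assignments(cards, roster, as_of):
    """Return card assignments that should already have been revoked."""
    hr = {row["name"]: row for row in roster}
    findings = []
    for card in cards:
        if card["status"] != "active":
            continue  # revoked cards are not an entitlement problem
        person = hr.get(card["holder"])
        if person is None or person["employment_status"] != "active":
            findings.append(("stale_assignment", card["card_id"], card["holder"]))
        if card["expires"] and datetime.fromisoformat(card["expires"]).date() < as_of.date():
            findings.append(("expired_assignment", card["card_id"], card["holder"]))
    return findings


def review_events(events, cards):
    """Flag after-hours entries, grants to non-active cards, repeated denials."""
    status = {card["card_id"]: card["status"] for card in cards}
    findings = []
    denials = {}  # (door, card_id) -> consecutive denied attempts
    for event in events:
        ts = datetime.fromisoformat(event["timestamp"])
        key = (event["door"], event["card_id"])
        if event["result"] == "granted":
            denials[key] = 0
            if not (ACCESS_WINDOW[0] <= ts.time() <= ACCESS_WINDOW[1]):
                findings.append(("after_hours_entry", event["card_id"], event["timestamp"]))
            if status.get(event["card_id"]) != "active":
                findings.append(("non_active_card_granted", event["card_id"], event["timestamp"]))
        else:
            denials[key] = denials.get(key, 0) + 1
            if denials[key] == DENIAL_THRESHOLD:
                findings.append(("repeated_denials", event["card_id"], event["timestamp"]))
    return findings


def run_review(as_of=datetime(2026, 4, 12)):
    """Run both reviews and return the combined list of (kind, card, detail)."""
    cards = load_csv(CARDS_CSV)
    return (review_assignments(cards, load_csv(ROSTER_CSV), as_of)
            + review_events(load_csv(EVENTS_CSV), cards))


if __name__ == "__main__":
    for kind, card_id, detail in run_review():
        print(f"{kind:24} card={card_id} {detail}")
```

Run against the constructed data it reports four findings: the contractor card past its expiration date, the card still active for a terminated employee (whose card also successfully opened the closet on April 7, which is exactly the gap the offboarding-integrated deactivation in step 7 is meant to close), one after-hours entry, and three consecutive denials for a revoked visitor badge. Save the printed output alongside the source CSVs and the roster snapshot as the signed access-review record the auditor will ask for.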

8) Testing, maintenance, and continuous improvement: Conduct periodic physical inspections, tamper checks, and a simple tabletop or live drill (e.g., escorting a new visitor, simulated lost badge). Schedule firmware/patching for electronic locks and cameras; secure management interfaces by placing them on a management VLAN, restricting admin access via VPN and MFA where possible. Consider an annual physical penetration test or red-team exercise—an inexpensive option: engage local security students/consultants with a clear rules-of-engagement to test tailgating and visitor control.

Key objectives

9) The primary compliance objectives are: (a) prevent unauthorized physical access to systems processing FCI; (b) ensure mechanisms exist to detect and document physical access attempts and actual access; and (c) maintain evidence that the controls were implemented and operated (policies, logs, photos, inventories). For CMMC 2.0 Level 1 this is a practice-level requirement—evidence can be operational artifacts and records rather than formal certification paperwork, but it must demonstrably show the practice is implemented.

Implementation notes

10) Practical deployment notes and small-business scenario: Start with low-cost, high-impact controls—replace shared keys with an electronic access control that provides audit trails, lock down server racks/cabinets, implement laptop encryption, and maintain a visitor log. For a 10–20 person company this is often accomplished in a few weeks: week 1 scope and policy, week 2 procure and install door access and cabinet locks, week 3 configure logging and retention, week 4 training and a tabletop audit. Artifacts to keep: inventory spreadsheet, access control export (CSV) showing card IDs and timestamps, visitor log samples, written policies, offboarding tickets showing access removal, and training attendance records.

Failure to implement these physical controls increases the risk of unauthorized disclosure, theft of devices containing FCI, contract noncompliance, loss of trust, and potential contract termination or penalties. Taking a pragmatic, documented approach—focusing on scoping, layered controls, logging, and routine reviews—lets small businesses cost-effectively meet FAR 52.204-21 and CMMC Level 1 PE.L1-B.1.VIII while producing the evidence auditors will expect.
