
How to Prepare for a Compliance Audit: Evidence Checklist for FAR 52.204-21 / CMMC 2.0 Level 1 - Control - PE.L1-B.1.VIII

Practical evidence checklist and implementation steps to meet the physical access requirements under FAR 52.204-21 and CMMC 2.0 Level 1 (PE.L1-B.1.VIII) for small businesses.

March 29, 2026


This post provides a practical, implementable evidence checklist and step‑by‑step preparation guidance to satisfy the physical access-related requirement mapped between FAR 52.204-21 and CMMC 2.0 Level 1 control PE.L1-B.1.VIII within the Compliance Framework, with a focus on small business scenarios.

What this control means in practice

At a high level this requirement addresses basic physical protections for systems and areas that process or store Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). For Compliance Framework purposes, auditors will expect demonstrable evidence that your organization limits physical access, documents policy and procedures, logs and reviews access events, protects portable media and endpoint devices, and trains personnel on basic physical security hygiene.

Core evidence checklist (what to collect)

Collect and label the following artifacts so they are audit-ready. Use an evidence index spreadsheet that links artifact names, descriptions, owners, creation dates, retention period and access controls.

Policies & procedures

Evidence items: Physical Access Policy (PDF), Visitor Control Procedure, Portable Device Handling Procedure. Each should include scope, responsible roles, review frequency, and version control (e.g., Compliance/PE_Physical_Access_Policy_v1.2.pdf). Auditors look for signed approval and a last-review date within your policy cadence (usually 12 months).

Access control system data and visitor logs

Evidence items: Exported access control database (CSV or PDF) showing badge IDs, user name, access levels, and timestamps for the audit period; door controller configuration screenshots; visitor sign‑in logs; temporary badge issuance records. Technical notes: export in CSV with UTC timestamps, include a SHA256 digest of the export file for integrity, and preserve original file metadata (creation timestamp). If you use manual paper logs, provide scanned copies with a clear chain of custody and retention annotation.

Video and monitoring artifacts

Evidence items: CCTV configuration screenshots (model, retention settings), representative video clips exported in original format with exported time range and chain-of-custody notes, retention policy excerpt. Small businesses in coworking spaces should collect written agreements with facility management that demonstrate camera coverage/retention and access restrictions for your leased area.

Endpoint and portable media protections

Evidence items: Inventory of devices that store FCI/CUI (spreadsheet), laptop encryption status reports (BitLocker/FileVault management console screenshots), removable media usage logs and policy acknowledgements. For laptops, provide MDM or EDR console screenshots showing encryption compliance and device last‑seen timestamps.

Time sync, logging and audit trail integrity

Evidence items: NTP configuration for door controllers and servers (showing ntpq -p or equivalent), centralized syslog/SIEM export showing access-related events, log retention and backup schedule. Technical tip: auditors expect consistent timestamps — capture an NTP sync config and show a sample event where syslog and access control log timestamps align to prove forensic viability.
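The alignment check described above, as an added example rather than tooling from the original post: it normalizes a constructed access-control CSV export (UTC timestamps) and constructed syslog lines (local offset) to UTC, pairs each export row with its syslog copy by badge, door and result, and flags any clock skew beyond a tolerance. The log formats, the controller names and the 5-second tolerance are assumptions; adapt the regex and CSV columns to your controller's export.

```python
# Added example, not from the original post: confirms that access-control
# export timestamps (UTC) line up with the syslog copy of the same events,
# i.e. that door controllers and the log server share a time source.
import csv
import re
from datetime import datetime, timezone

TOLERANCE_S = 5  # max acceptable skew between controller and syslog clocks (assumed)
ACCESS_EXPORT = """badge_id,door,event,ts_utc
1042,Front,granted,2026-03-02T08:01:14Z
1042,ServerRoom,granted,2026-03-02T08:03:40Z
2077,Front,denied,2026-03-02T08:05:02Z
"""
SYSLOG = """2026-03-02T03:01:16-05:00 doorctl-1 doorctl[412]: door=Front badge=1042 result=granted
2026-03-02T03:05:01-05:00 doorctl-1 doorctl[412]: door=Front badge=2077 result=denied
2026-03-02T03:09:40-05:00 doorctl-2 doorctl[398]: door=ServerRoom badge=1042 result=granted
"""
SYSLOG_RE = re.compile(r"^(\S+) \S+ \S+: door=(\S+) badge=(\d+) result=(\S+)$")

def parse_access_export(text: str) -> list:
    # Export rows carry "Z" suffixes; fromisoformat needs an explicit offset.
    rows = []
    for r in csv.DictReader(text.splitlines()):
        ts = datetime.fromisoformat(r["ts_utc"].replace("Z", "+00:00"))
        rows.append((r["badge_id"], r["door"], r["event"], ts))
    return rows

def parse_syslog(text: str) -> list:
    # Syslog lines are in the controller's local offset; convert to UTC.
    events = []
    for m in filter(None, map(SYSLOG_RE.match, text.splitlines())):
        ts = datetime.fromisoformat(m.group(1)).astimezone(timezone.utc)
        events.append((m.group(3), m.group(2), m.group(4), ts))
    return events

def align(export: list, syslog: list) -> list:
    # Closest syslog event with the same badge/door/result; None = no syslog copy.
    report = []
    for badge, door, result, ts in export:
        skews = [abs((s_ts - ts).total_seconds()) for b, d, r, s_ts in syslog
                 if (b, d, r) == (badge, door, result)]
        skew = min(skews) if skews else None
        report.append({"badge": badge, "door": door, "ts_utc": ts.isoformat(), "skew_s": skew,
                       "ok": skew is not None and skew <= TOLERANCE_S})
    return report

def check() -> list:
    return align(parse_access_export(ACCESS_EXPORT), parse_syslog(SYSLOG))
```

In the constructed data the ServerRoom controller (doorctl-2) is six minutes off, which is exactly the kind of discrepancy an auditor will ask about; a clean run is the evidence item, a failing one is a finding to fix before the review.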

Implementation tips specific to Compliance Framework

1) Create a single "PE.L1 Evidence Pack" directory structure in your document repository (e.g., /evidence/PE_L1_B1_VIII/) and place files with standardized filenames and a README that maps each file to the checklist item.

2) Use hashes (SHA256) for exported logs and record the hash in your index; preserve original exports.

3) Run a quarterly internal evidence review where the owner validates files and updates review dates.

4) For small businesses without dedicated badge systems, implement locked cabinets/rooms with documented key control logs and visitor escort procedures; capture photos and dated receipts for key duplicates and change logs.
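One way to build the hashed evidence index from tips 1 and 2 and re-run it during the quarterly review of tip 3, as an added example that is not the post's own tooling: it assumes the /evidence/PE_L1_B1_VIII/ layout, records each artifact's SHA256 and original modification time in an evidence_index.csv beside the files, and on re-verification reports anything modified, missing or never indexed. File names and the owner address are constructed; the demo writes into a temporary directory.

```python
# Added example, not from the original post: hashes an evidence pack such as
# /evidence/PE_L1_B1_VIII/ into evidence_index.csv and re-verifies it later.
import csv
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path

INDEX = "evidence_index.csv"

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def artifacts(pack: Path) -> dict:
    return {str(p.relative_to(pack)): p for p in pack.rglob("*")
            if p.is_file() and p.name != INDEX}

def build_index(pack: Path, owner: str) -> list:
    # Record each artifact's digest and original mtime (UTC) as creation evidence.
    rows = []
    for name, p in sorted(artifacts(pack).items()):
        mtime = datetime.fromtimestamp(p.stat().st_mtime, timezone.utc)
        rows.append({"file": name, "sha256": sha256_of(p),
                     "mtime_utc": mtime.isoformat(), "owner": owner})
    with (pack / INDEX).open("w", newline="") as f:
        w = csv.DictWriter(f, fieldnames=["file", "sha256", "mtime_utc", "owner"])
        w.writeheader()
        w.writerows(rows)
    return rows

def verify_index(pack: Path) -> dict:
    # Quarterly review: re-hash and report modified, missing and unindexed files.
    with (pack / INDEX).open(newline="") as f:
        indexed = {r["file"]: r["sha256"] for r in csv.DictReader(f)}
    present = artifacts(pack)
    modified = [n for n in indexed if n in present and sha256_of(present[n]) != indexed[n]]
    return {"modified": sorted(modified), "missing": sorted(set(indexed) - set(present)),
            "unindexed": sorted(set(present) - set(indexed))}

def run_demo() -> dict:
    # Constructed pack: verify clean, then edit one export after indexing.
    pack = Path(tempfile.mkdtemp())
    (pack / "access_export_2026-03.csv").write_text("badge,door,ts_utc\n1042,Front,2026-03-02T08:01:14Z\n")
    (pack / "visitor_log_2026-03.pdf").write_bytes(b"%PDF-1.4 constructed sample")
    build_index(pack, owner="facilities@example.com")
    clean = verify_index(pack)
    (pack / "access_export_2026-03.csv").write_text("badge,door,ts_utc\n")
    return {"clean": clean, "after_edit": verify_index(pack)}
```

Commit the index alongside the artifacts so the hashes themselves are under version control; an export whose digest no longer matches the index is not audit evidence, regardless of why it changed.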

Real-world small business scenarios

Scenario A, home-office prime contractor: The business stores FCI on an encrypted laptop kept in a locked safe. Evidence: photo of safe with serial number, laptop BitLocker report, written policy requiring overnight safe storage, training acknowledgement by employee.

Scenario B, small subcontractor in a shared office: The subcontractor maintains a lockable cabinet for CUI, has a signed facility agreement with the landlord stating restricted after-hours access, and keeps an access spreadsheet for employees with assigned cabinet keys.

Scenario C, co-working space with public entry: Use a combination of a documented visitor escort policy, a sign‑in tablet capturing name/time, and screenshots of MDM showing remote-wipe capability to demonstrate controls for portable devices.

Risks of not implementing or presenting evidence

Failure to implement these physical controls or produce clear evidence can lead to multiple consequences: contract disallowance, suspension, or termination; audit findings that require costly remediation; reputational damage; and increased risk of data exposure leading to regulatory fines. From a security standpoint, inadequate physical controls make unauthorized access, device theft, and data exfiltration far more likely, which in turn jeopardizes your ability to win or retain government contracts.

Compliance tips and best practices

Keep evidence concise and directly tied to the control language in your mapping document. Use automation where possible (automated exports, daily backups, MDM/EDR reports). Maintain a one‑page "evidence map" that an auditor can follow in 5–10 minutes showing where each control artifact lives. Perform a mock audit at least 30 days before the real review to surface gaps and ensure all timestamps, hashes and chain-of-custody notes are present. Finally, train staff on physical security expectations and retain signed acknowledgements as part of your personnel evidence.

In summary, meeting FAR 52.204-21 and CMMC 2.0 Level 1 PE.L1-B.1.VIII requires documented policies, demonstrable physical access controls, consistent logging with timestamp integrity, device and media protections, and a clean, indexed evidence set ready for auditors. For small businesses, pragmatic compensating controls (locked storage, written facility agreements, MDM screenshots) combined with careful evidence packaging will substantially reduce audit friction and security risk.
