In Nugget #13, we looked at how shared responsibility works when MSPs and CSPs sit inside your environment. This nugget shifts focus to the physical space that houses everything discussed so far. No amount of access control, encryption, or network monitoring matters if someone can walk into your server room unchallenged.

CMMC Level 2 physical security requirements come from the Physical Protection (PE) family of NIST SP 800-171 Rev 2, which contains six controls total. Four of these (3.10.1, 3.10.3, 3.10.4, and 3.10.5) also correspond to the 15 basic safeguarding practices assessed separately for organizations handling only Federal Contract Information at Level 1. In the CMMC Assessment Guide – Level 2, however, all six controls in this family carry the PE.L2 designation, since that guide governs your assessment. That’s the labeling used throughout this nugget: PE.L2-3.10.1, PE.L2-3.10.2, PE.L2-3.10.3, PE.L2-3.10.4, PE.L2-3.10.5, and PE.L2-3.10.6. None of this reduces your scope. All six controls are in play.

Assessors don’t evaluate these controls against the one-line summary you’ll find in most compliance checklists. NIST SP 800-171A breaks each requirement into discrete assessment objectives, lettered sub-parts that get evaluated through examining artifacts (logs, policies, diagrams), interviewing personnel, and testing mechanisms (attempting to gain unauthorized access, verifying a badge actually deactivates). A “satisfied” finding means every objective under a control is met, not just the general intent. That distinction matters more in this domain than almost anywhere else in the framework, because physical security is easy to describe in a policy and easy to get wrong in practice.

Level 1 PE Controls
(Facility Protection and Remote Work Site Controls)

PE.L2-3.10.1: Limit physical access to organizational systems, equipment, and operating environments to authorized individuals

Only authorized personnel should be able to physically reach systems, equipment, and the spaces that house them. Assessment objectives here require you to have defined which spaces are non-public, maintain a current authorized-individual list for those spaces, and enforce entry through mechanisms like keycards, biometrics, or electronic access control systems, not just an honor system reinforced by a locked front door.

PE.L2-3.10.3: Escort visitors and monitor visitor activity

Visitors must never be left unattended in areas where organizational systems reside. They should be escorted by an authorized individual for the duration of their visit, and their movement should be monitored, whether through direct escort, camera coverage, or both.

PE.L2-3.10.4: Maintain audit logs of physical access

Organizations must log who entered or exited controlled areas, when, and whether that access was authorized. These logs, whether generated by a badge system, a sign-in sheet, or camera footage, must be retained for a defined period.

Assessor Reality Check: Assessors will ask to see actual visitor and access logs, not just confirm that a logging process exists on paper. This control and 3.10.3 are commonly assessed together, and a visitor log that was never retained is treated the same as no log at all. Define a retention period in policy and be able to produce logs from it on request.

PE.L2-3.10.5: Control and manage physical access devices

Keys, keycards, badges, and biometric enrollments must be tracked from issuance to deactivation.

Assessor Reality Check: The piece that trips up most OSCs is timing. When someone is terminated or changes roles, their physical access credentials need to be revoked the same day, not at the next scheduled access review. This mirrors the personnel offboarding urgency covered in Nugget #6 under PS.L2-3.9.2. Assessors will cross-reference your HR termination dates against your access deactivation logs, and a lag between the two is a direct finding.

Level 2 PE Controls (Enhanced Protection for CUI Environments)

PE.L2-3.10.2: Protect and monitor the physical facility and support infrastructure for organizational systems

This is the broadest control in the family. It extends beyond access management into protecting the physical environment itself: fire suppression, backup power, environmental monitoring, and the infrastructure (cabling, wiring closets, distribution lines) supporting your systems.

If your organization operates out of leased commercial office space, environmental protections like fire suppression, HVAC redundancy, and backup power are typically building-level features controlled by your landlord, not systems you independently install. Document the building’s existing environmental protections in your SSP rather than assuming you need to build parallel systems. Assessors distinguish between a standalone data center and a tenant in a shared facility, but only if your documentation reflects that context.

Assessor Reality Check: For monitoring specifically, scale the solution to your organization’s size. A full 24/7 Security Operations Center with dedicated analysts is an enterprise-level investment most small and mid-sized DIB contractors don’t need and can’t justify. A recorded video surveillance system, an alarm service with off-hours monitoring, and a documented response procedure for physical security events will likely satisfy this control for the vast majority of OSCs.

PE.L2-3.10.6: Enforce safeguarding measures for CUI at alternate work sites

With telework common across the DIB, this is one of the most practically relevant and most frequently overlooked PE controls. If employees access or store CUI while working from home or another alternate location, your organization must define and enforce physical safeguarding measures there too, such as locking screens when unattended, prohibiting CUI display where household members or others could view it, and secure storage for any printed materials. This does not need to mirror your office-level controls exactly, but it does need to be documented and enforced, not left to individual judgment.

Building a Layered Security Program

A useful way to think through implementation is in layers:

  • Outer layer: Perimeter security such as fencing, gates, or controlled building entry.
  • Intermediate layer: Physical access controls at the room or suite level, such as badge readers or keypad locks.
  • Inner layer: Monitoring and access logging for the most sensitive spaces, such as server rooms or network closets.

Periodically testing your physical security controls (confirming doors lock as expected, reviewing access logs for anomalies, attempting authorized tailgating tests) is valuable practice. Be clear in your documentation that this is physical security testing, distinct from the network penetration testing that comes up elsewhere in CMMC, so the two don’t get conflated during an assessment.

Don’t Forget Physical CUI

Physical security isn’t only about controlling access to rooms and equipment. It also covers how CUI is handled in physical form: printed documents, whiteboards, files left on desks. This intersects directly with the media protection requirements covered in Nugget #17 (MP.L2-3.8.1). An organization can have excellent badge access and camera coverage while still leaving printed CUI visible on a desk or in an unlocked filing cabinet, which is one of the more common findings during a physical walkthrough.

Common Failures Across This Control Set

PE.L1-3.10.1 Non-public spaces never formally defined; access list not kept current

PE.L1-3.10.3 Visitors signed in but left unescorted once inside

PE.L1-3.10.4 Logs generated but not retained for a defined period

PE.L1-3.10.5 Access devices deactivated late, after the next scheduled review instead of same-day

PE.L2-3.10.2 Environmental controls assumed out of scope in leased space, with no documentation either way

PE.L2-3.10.6 No documented safeguarding measures for telework or alternate work sites

SSP Mapping Note

All six controls in this nugget belong under the Physical Protection (PE) section of your SSP. A common documentation gap in this domain: organizations describe their physical security posture in narrative form but can’t produce the underlying evidence, current access lists, retained visitor logs, badge deactivation records tied to termination dates, when asked.

For each control your SSP should document:

  • The specific technical or procedural implementation
  • The policy governing it, including any defined retention periods or response timelines
  • Who is responsible for implementation and ongoing management
  • How compliance is verified and how often access lists and logs are reviewed

For assistance assessing your facility’s physical security posture or documenting alternate work site safeguards, contact DTC’s C3PAO team.

If your organization is working toward CMMC compliance or has questions about the process, we’re here to help. Schedule a free consultation now.