NetStable
🏢 6 Practices NIST 3.10.1 - 3.10.6

Physical Protection Policy

Physical Protection Domain (PE)

📖 What This Policy Covers

Physical Protection is about securing the physical spaces where CUI lives. This policy covers badge access systems and physical access authorization, physical access controls (badge readers, PIN pads, locks), visitor escort requirements and visitor logs, physical access audit logs, badge and lock management, and alternate work site (home office) security requirements.

Purpose

This policy ensures physical access to CUI systems and areas is authorized and controlled, visitors are escorted and monitored in CUI areas, physical access events are logged and reviewed, physical access devices (badges, locks) are managed, and alternate work sites meet security requirements.

Scope

Applies to all physical facilities, server rooms, data centers, offices, and alternate work sites where CUI is processed, stored, or accessed. Covers all employees, contractors, visitors, and maintenance personnel.

🎯 Why It Matters

Physical access defeats most logical security controls. An unauthorized person in your server room can pull drives, plug in a malicious USB device, or use an unlocked workstation; only full-disk encryption and locked sessions still stand in the way. Physical controls are also among the easiest for assessors to verify: they can physically test badge readers, check visitor logs, and observe CUI areas during site visits. This is one of the most visible domains during a C3PAO assessment.

🔐 Key Requirements

1. Physical Access Authorization

Formal authorization before granting physical access to CUI areas.

  • Manager + CISO approval for CUI areas, Facilities Manager for general office
  • Photo ID badges issued to authorized personnel
  • Visitor badges: temporary, expire after 24 hours
  • Access revocation: badge deactivated within 1 hour of termination

2. Physical Access Controls

Technical and physical controls limiting access to CUI areas.

  • Server rooms/data centers: badge reader + PIN (2-factor)
  • Offices with CUI: locked during non-business hours, badge access during business hours
  • Backup media: locked cabinets inside locked rooms
  • Cameras at entry points (optional but recommended)

3. Visitor Management

Escort and monitoring requirements for visitors in CUI areas.

  • All visitors escorted in CUI areas at all times
  • Visitor log: name, company, purpose, host, time in/out, signature
  • Visitor badges clearly marked 'VISITOR', returned on exit
  • Escort must remain with visitor and report suspicious activity

4. Physical Access Logs

Logging and review of physical access events.

  • Badge access logs auto-recorded (name, location, timestamp)
  • Visitor logs in physical logbook or digital system
  • 1-year retention for both badge and visitor logs
  • IT Security reviews quarterly for anomalies (after-hours access, unusual patterns)

5. Physical Access Device Management

Inventory, maintenance, and incident handling for physical access devices.

  • Badge system inventory: all readers, control panels, locks, and issued credentials
  • Quarterly testing of badge readers; firmware updates at least annually and whenever the vendor releases a security fix
  • Lost badges: reported immediately, deactivated within 1 hour, replacement issued
  • Alert on more than 3 failed badge swipes at the same location within a short time window
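The quarterly log review in section 4 and the failed-swipe alert in section 5 are both easy to script against the CSV export most badge systems can produce. The script below is an added example, not code from this page or from any badge vendor; the column names, the 07:00-19:00 Monday-to-Friday business window, and the 10-minute burst window are assumptions you would replace with your own system's export format and your policy's values. The sample export is constructed for the example.

```python
"""Quarterly badge-log review: after-hours entries and failed-swipe bursts.

Added example (not from the page or any badge vendor). Reads a CSV export
of the form most badge systems can produce. Column names, business hours
and the burst window are assumptions; adjust to your system and policy.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, time, timedelta

# Constructed sample export for the example; a real one comes from the badge system.
SAMPLE_EXPORT = """\
timestamp,badge_id,name,door,result
2024-03-04T08:02:11,1042,Alice Chen,SERVER-ROOM,GRANTED
2024-03-04T08:03:40,1042,Alice Chen,SERVER-ROOM,GRANTED
2024-03-04T12:15:03,1077,Bob Ortiz,SERVER-ROOM,DENIED
2024-03-04T12:15:31,1077,Bob Ortiz,SERVER-ROOM,DENIED
2024-03-04T12:16:05,1077,Bob Ortiz,SERVER-ROOM,DENIED
2024-03-04T12:16:49,1077,Bob Ortiz,SERVER-ROOM,DENIED
2024-03-04T23:41:10,1042,Alice Chen,SERVER-ROOM,GRANTED
2024-03-09T10:05:00,1103,Dana Park,CUI-OFFICE,GRANTED
2024-03-05T09:30:00,0000,UNKNOWN,CUI-OFFICE,DENIED
2024-03-05T17:30:00,0000,UNKNOWN,CUI-OFFICE,DENIED
"""

BUSINESS_START = time(7, 0)                  # assumption: 07:00-19:00, Mon-Fri
BUSINESS_END = time(19, 0)
FAILED_SWIPE_THRESHOLD = 3                   # policy: alert on MORE than 3 failures
FAILED_SWIPE_WINDOW = timedelta(minutes=10)  # assumption: burst window


def parse_export(text):
    """Parse the CSV export into dicts with a real datetime, sorted by time."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    rows.sort(key=lambda r: r["ts"])
    return rows


def after_hours_entries(events):
    """Successful entries outside business hours or on a weekend.

    Each hit needs a written justification in the quarterly review.
    """
    hits = []
    for e in events:
        if e["result"] != "GRANTED":
            continue
        weekend = e["ts"].weekday() >= 5
        outside = not (BUSINESS_START <= e["ts"].time() < BUSINESS_END)
        if weekend or outside:
            hits.append(e)
    return hits


def failed_swipe_bursts(events, threshold=FAILED_SWIPE_THRESHOLD,
                        window=FAILED_SWIPE_WINDOW):
    """One badge denied more than `threshold` times at one door within `window`.

    Sliding window over denied events per (door, badge_id); the two UNKNOWN
    denials in the sample are hours apart, so they do not trigger.
    """
    denied = defaultdict(list)
    for e in events:
        if e["result"] == "DENIED":
            denied[(e["door"], e["badge_id"])].append(e["ts"])
    alerts = []
    for (door, badge), times in denied.items():
        start, best, best_span = 0, 0, None
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count > best:
                best, best_span = count, (times[start], times[end])
        if best > threshold:
            alerts.append({"door": door, "badge_id": badge, "count": best,
                           "first": best_span[0], "last": best_span[1]})
    return alerts


def review(text):
    """Run both checks over one export and return the findings."""
    events = parse_export(text)
    return {"after_hours": after_hours_entries(events),
            "failed_bursts": failed_swipe_bursts(events)}


if __name__ == "__main__":
    result = review(SAMPLE_EXPORT)
    for e in result["after_hours"]:
        print(f"AFTER-HOURS {e['ts']} {e['name']} -> {e['door']}")
    for a in result["failed_bursts"]:
        print(f"FAILED-SWIPE BURST {a['door']} badge {a['badge_id']}: "
              f"{a['count']} denials between {a['first']} and {a['last']}")
```

Run it over the quarter's export and attach the printed findings, with the justification for each after-hours entry, to the Badge Access Report listed under Evidence Requirements. The burst detector is per badge and per door, so a single visitor's four fumbled swipes trigger it while two unrelated denials hours apart do not.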

6. Alternate Work Sites

Security requirements for home offices and remote work locations accessing CUI.

  • Dedicated workspace not shared with family
  • Full-disk encryption on the laptop (BitLocker/FileVault), in FIPS-validated mode where CUI is stored locally
  • VPN required for CUI access
  • Physical security: locked door/drawer for CUI materials
  • Clean desk policy: no CUI visible when away from desk
  • Manager + IT Security approval required
  • Annual self-certification form

👥 Roles & Responsibilities

CISO / Facilities Manager

  • Approve physical access authorizations for CUI areas
  • Oversee badge system and visitor management
  • Review physical access logs quarterly

IT Department

  • Maintain badge system hardware and software
  • Integrate badge system with HR for auto-deactivation
  • Manage physical access to server rooms and data centers

Reception / Front Desk

  • Check visitor identification
  • Issue and collect visitor badges
  • Maintain visitor log
  • Notify hosts of visitor arrival

All Employees

  • Wear badge visibly at all times
  • Never tailgate or hold doors for unknown persons
  • Escort assigned visitors
  • Report lost badges immediately
  • Follow clean desk policy

🛠️ Implementation Roadmap (6 Weeks)

1. Badge System (Weeks 1-2)
  • Install badge readers on CUI area doors (server room, secure offices)
  • Issue badges to all authorized employees
  • Configure badge system for logging and alerting

2. Visitor Management (Weeks 3-4)
  • Implement visitor log system (physical logbook or digital)
  • Create visitor badges with 'VISITOR' marking
  • Train reception staff on check-in/escort procedures

3. Monitoring & Review (Weeks 5-6)
  • Configure badge system reporting
  • Create physical access review process (quarterly)
  • Deploy alternate work site approval forms and self-certification checklist

Recommended Tools

  • Honeywell / HID / Kisi (badge access systems)
  • Envoy / SwipedOn (visitor management)
  • CCTV cameras (optional enhancement)
  • SharePoint / Google Forms (alternate work site approvals)

📊 CMMC Practice Mapping

Practice ID     Requirement                                         Policy Section
PE.L1-3.10.1    Limit physical access to systems/equipment          1, 2
PE.L2-3.10.2    Protect/monitor physical facility                   2, 5
PE.L1-3.10.3    Escort visitors/monitor visitor activity            3
PE.L1-3.10.4    Maintain audit logs of physical access              4
PE.L1-3.10.5    Control/manage physical access devices              5
PE.L2-3.10.6    Enforce safeguarding for alternate work sites       6

Note that 3.10.1, 3.10.3, 3.10.4 and 3.10.5 are Level 1 (FAR 52.204-21) practices; only 3.10.2 and 3.10.6 are Level 2.

📋 Evidence Requirements

These are the artifacts a C3PAO assessor will ask for. Start collecting early.

Badge Access Report

Format: CSV/PDF
Frequency: Quarterly
Contents: Sample 30 days showing entries to CUI areas with timestamps
Tip: Show both successful and denied entries. Highlight any after-hours access with justification.

Visitor Log

Format: PDF/scan
Frequency: Quarterly sample
Contents: Last 90 days of visitor entries with escort signatures
Tip: Ensure every visitor entry has: name, company, host, purpose, time in, time out, and escort signature.

Photos of Physical Controls

Format: PNG
Frequency: Annual
Contents: Badge readers, locked doors, CUI AREA signage, locked cabinets
Tip: Assessors may request these before the on-site visit. Take clear photos showing the control is in place and functioning.

Badge Inventory

Format: Excel
Frequency: Quarterly
Contents: Active badges, deactivated badges with deactivation dates
Tip: Cross-reference with HR termination list to verify badges are deactivated promptly.

Alternate Work Site Approvals

Format: PDF
Frequency: Annual renewal
Contents: Completed home office security checklists with manager and IT approval
Tip: Include the self-certification form showing the employee confirmed dedicated workspace, encryption, and physical security.

⚠️ Common Gaps (What Assessors Flag)

1. No badge access system on CUI areas

Why this happens: Office uses simple key locks or no locks on rooms with CUI systems.
How to close the gap: Install electronic badge readers on server room and CUI area doors. A standalone keypad lock is better than no control, but a shared PIN cannot tell the assessor who entered, so it does not by itself satisfy the per-person audit log in 3.10.4; pair it with a sign-in sheet until readers are in place.

2. No visitor escort in CUI areas

Why this happens: Visitors wander freely after check-in. No escort policy enforced.
How to close the gap: Post signage requiring escort. Train reception to assign escorts. Include escort requirement in visitor badge instructions.

3. Badge not deactivated on termination

Why this happens: Badge system not integrated with HR. IT disables computer accounts but forgets physical access.
How to close the gap: Add badge deactivation to termination checklist. Integrate badge system with HR notifications. Test quarterly by checking terminated employees against active badge list.
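The quarterly check described here, and the Badge Inventory evidence tip above that cross-references the inventory with the HR termination list, are the same reconciliation. The script below is an added example, not code from this page or from any badge or HR vendor: it takes the badge inventory and the HR termination list as CSV (both constructed here for the example, with assumed column names) and flags terminated employees whose badge is still active, badges deactivated more than the policy's 1 hour after termination, and deactivated badges with no recorded deactivation time.

```python
"""Reconcile the badge inventory against HR terminations.

Added example (not from the page or any vendor). Both CSV inputs are
constructed samples with assumed column names; the 1-hour SLA is the
policy's own figure.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

DEACTIVATION_SLA = timedelta(hours=1)  # policy: badge deactivated within 1 hour

# Constructed sample badge inventory (what the badge system exports).
BADGE_INVENTORY = """\
badge_id,employee_id,name,status,deactivated_at
1042,E001,Alice Chen,ACTIVE,
1077,E002,Bob Ortiz,ACTIVE,
1103,E003,Dana Park,DEACTIVATED,2024-02-16T17:35:00
1120,E004,Evan Ruiz,DEACTIVATED,2024-02-20T09:00:00
1131,E005,Fay Okafor,DEACTIVATED,
"""

# Constructed sample HR termination list for the quarter.
HR_TERMINATIONS = """\
employee_id,name,terminated_at
E002,Bob Ortiz,2024-02-28T16:00:00
E003,Dana Park,2024-02-16T17:00:00
E004,Evan Ruiz,2024-02-19T12:00:00
E005,Fay Okafor,2024-03-01T10:00:00
"""


def _read_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(inventory_csv, terminations_csv, sla=DEACTIVATION_SLA):
    """Return one finding per badge that violates the termination policy.

    Findings carry an `issue` of ACTIVE_AFTER_TERMINATION, LATE_DEACTIVATION
    (with the measured delay) or MISSING_DEACTIVATION_TIMESTAMP.
    """
    badges_by_employee = defaultdict(list)
    for badge in _read_csv(inventory_csv):
        badges_by_employee[badge["employee_id"]].append(badge)

    findings = []
    for term in _read_csv(terminations_csv):
        terminated_at = datetime.fromisoformat(term["terminated_at"])
        for badge in badges_by_employee.get(term["employee_id"], []):
            base = {"badge_id": badge["badge_id"], "employee_id": term["employee_id"],
                    "name": badge["name"], "terminated_at": terminated_at}
            if badge["status"] == "ACTIVE":
                findings.append({**base, "issue": "ACTIVE_AFTER_TERMINATION"})
            elif not badge["deactivated_at"]:
                # Deactivated, but no timestamp: the SLA cannot be evidenced.
                findings.append({**base, "issue": "MISSING_DEACTIVATION_TIMESTAMP"})
            else:
                delay = datetime.fromisoformat(badge["deactivated_at"]) - terminated_at
                if delay > sla:
                    findings.append({**base, "issue": "LATE_DEACTIVATION", "delay": delay})
    return findings


if __name__ == "__main__":
    for f in reconcile(BADGE_INVENTORY, HR_TERMINATIONS):
        extra = f" (delay {f['delay']})" if "delay" in f else ""
        print(f"{f['issue']}: badge {f['badge_id']} {f['name']}{extra}")
```

In the sample, Dana Park's badge was deactivated 35 minutes after termination and produces no finding; the other three terminated employees each produce one. Keep the run output with the quarterly Badge Inventory evidence so the assessor can see the check is actually performed, not just described.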

4. No alternate work site security requirements

Why this happens: Remote work policy doesn't address CUI-specific requirements.
How to close the gap: Create a home office security checklist and approval form. Require annual self-certification. Verify VPN and encryption requirements.

📝 Template Customization Guide

When filling in the downloadable template for this policy, replace these placeholders with your organization's specifics:

[COMPANY NAME]

Your organization's legal name

Example: Acme Defense Systems, LLC

[CISO Name]

Name of your CISO or Facilities Manager

Example: Jane Smith

Customization Tips

  • 💡 Document your specific badge system vendor and model
  • 💡 Include floor plans showing CUI areas and badge reader locations
  • 💡 If you're a fully remote organization, document that there are no physical CUI areas and focus on alternate work site requirements
  • 💡 Add camera locations and retention periods if you use CCTV

📚 Related Policies