NetStable
Level 1 PE.L1-3.10.1

Limit physical access to organizational systems, equipment, and the respective operating environments

📖 What This Means

This practice requires organizations to control who can physically access their systems, equipment, and environments where Controlled Unclassified Information (CUI) is stored or processed. It means implementing measures like locked doors, keycard access, visitor logs, and secure areas to ensure only authorized personnel can enter. For example, a small defense contractor might use a badge system to restrict access to their server room and require visitors to sign in and be escorted. This helps prevent unauthorized individuals from tampering with sensitive equipment or stealing data.

🎯 Why It Matters

Physical access control is critical because attackers can bypass digital security measures if they gain physical access to systems or equipment. For instance, in 2018, a breach at a defense contractor occurred when an unauthorized individual accessed a server room and installed malware, leading to significant data loss. Without proper controls, organizations risk theft, tampering, or unauthorized data exfiltration, which can result in financial losses, reputational damage, and non-compliance with DoD contracts. The DoD emphasizes this control to ensure CUI remains protected from physical threats.

How to Implement

  1. Ensure cloud provider facilities hosting your data are FedRAMP or CMMC compliant.
  2. Verify physical security measures (e.g., biometric access, surveillance) at the provider's data centers.
  3. Restrict access to cloud management consoles using multi-factor authentication (MFA).
  4. Regularly review and update access permissions for cloud resources.
  5. Use encryption for data stored in cloud environments to protect against physical theft.
⏱️ Estimated Effort

2-3 days for small organizations (basic setup). Ongoing maintenance requires 1-2 hours per month.

📋 Evidence Examples

Physical Access Policy

Format: PDF
Frequency: Annual
Contents: Documented procedures for limiting physical access
Collection: Review and update annually

Access Control Logs

Format: CSV
Frequency: Monthly
Contents: Entries showing who accessed restricted areas
Collection: Export from access control system

Visitor Log

Format: Spreadsheet
Frequency: Ongoing
Contents: Visitor names, dates, and escort details
Collection: Maintain manually or digitally

Surveillance Footage

Format: Video
Frequency: Retain for 30 days
Contents: Recordings of restricted areas
Collection: Store securely

Access Control Configuration Screenshots

Format: PNG
Frequency: As needed
Contents: Settings for keycard/biometric systems
Collection: Capture from system interface

📝 SSP Guidance

Use this guidance when writing the System Security Plan (SSP) narrative for this control.

How to Write the SSP Narrative

For PE.L1-3.10.1 ("Limit physical access to organizational systems, equipment, and the respective operating environments"), your SSP narrative should specifically describe: (1) the tools and technologies you use to implement this control, (2) the configuration or process that enforces it, (3) who is responsible for maintaining it, and (4) what evidence proves it's working. Describe the physical security controls protecting CUI systems, including badge access, visitor management, physical access logging, and alternate work site requirements. Be specific: name your actual products, settings, and responsible personnel.

Example SSP Narratives

Cloud (Azure/AWS)

"PE.L1-3.10.1 is implemented using cloud-native controls. [Organization] uses [specific cloud service/feature] to limit physical access to organizational systems, equipment, and the respective o.... The configuration is managed through [Azure Policy/AWS Config/Terraform] and monitored via [SIEM tool]. Responsible party: [IT Security Manager]. Evidence: [specific artifact, e.g., 'Azure AD Conditional Access policy screenshot, CloudTrail logs']."

On-Premise

"PE.L1-3.10.1 is implemented through on-premise infrastructure controls. [Organization] uses [Active Directory/Group Policy/specific tool] to limit physical access to organizational systems, equipment, and the respective o.... Configuration is documented in [location] and audited [frequency]. Responsible party: [System Administrator]. Evidence: [specific artifact, e.g., 'Group Policy export, Windows Event logs']."

Hybrid

"PE.L1-3.10.1 is implemented across both cloud and on-premise environments. [Organization] uses [Azure AD Connect/hybrid tool] to ensure consistent enforcement. Cloud resources are managed via [cloud tool] and on-premise systems via [on-prem tool]. Both environments report to [centralized SIEM]. Responsible party: [IT Director]. Evidence: [artifacts from both environments]."

System Boundary Considerations

  • Identify all physical locations where CUI is processed or stored
  • Document physical access control mechanisms (badge readers, locks, cameras)
  • Specify CUI area boundaries within each facility
  • Ensure this control covers every system within your defined CUI boundary to which the physical access limitation applies
  • Document any systems where this control is not applicable and explain why

Key Documentation to Reference in SSP

  • 📄 Physical Protection Policy
  • 📄 Badge access logs
  • 📄 Visitor logs
  • 📄 Alternate work site approval forms
  • 📄 Evidence artifacts specific to PE.L1-3.10.1
  • 📄 POA&M entry if control is not fully implemented

What the Assessor Looks For

The assessor will physically inspect CUI areas, test badge access controls, review visitor logs, and verify that terminated employees' badges are deactivated promptly.
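The badge-deactivation check above, the monthly log review in the self-assessment questions, and the "outdated access permissions" mistake all come down to comparing the access-control export against an HR roster. The following Python review is an added example, not code from the NetStable page or from any badge-system vendor; the CSV column layout, the business-hours window, the HR roster and the sample rows are all constructed assumptions.

```python
"""Monthly review of a badge-system CSV export (Evidence Examples: Access Control Logs).
Flags three control gaps: a badge used after the holder's termination date, an
after-hours entry to a restricted area, and repeated denied attempts at a door.
Added example; the column names and sample data below are assumptions."""
import csv
import io
from collections import defaultdict
from datetime import datetime, time

# Constructed sample export (assumed columns: timestamp,badge_id,holder,door,result).
ACCESS_LOG_CSV = """timestamp,badge_id,holder,door,result
2024-03-04T08:55:00,B1001,alice,server-room,granted
2024-03-04T22:40:00,B1002,bob,server-room,granted
2024-03-05T09:10:00,B1003,carol,server-room,granted
2024-03-06T14:02:00,B1004,dave,server-room,denied
2024-03-06T14:03:10,B1004,dave,server-room,denied
2024-03-06T14:04:30,B1004,dave,server-room,denied
"""

# Constructed HR roster: badge_id -> date the holder left (badge should be deactivated).
TERMINATED = {"B1003": datetime(2024, 3, 1)}

# Assumed business hours for the restricted area.
BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)


def review_access_log(csv_text, terminated, start=BUSINESS_START, end=BUSINESS_END,
                      denied_threshold=3):
    """Return findings as (timestamp, badge_id, reason) tuples in log order."""
    findings = []
    denied = defaultdict(list)  # badge_id -> timestamps of denied attempts
    for row in csv.DictReader(io.StringIO(csv_text)):
        ts = datetime.fromisoformat(row["timestamp"])
        badge = row["badge_id"]
        if row["result"] != "granted":
            denied[badge].append(row["timestamp"])
            continue
        # Badge still active after the holder's termination date: deactivation gap.
        term_date = terminated.get(badge)
        if term_date is not None and ts >= term_date:
            findings.append((row["timestamp"], badge, "badge used after termination date"))
        # Granted entry outside business hours: needs escort/approval evidence.
        if not (start <= ts.time() <= end):
            findings.append((row["timestamp"], badge, "after-hours entry to restricted area"))
    # Repeated denials at a restricted door suggest a misissued badge or a tailgating attempt.
    for badge, stamps in denied.items():
        if len(stamps) >= denied_threshold:
            findings.append((stamps[-1], badge, f"{len(stamps)} denied attempts at restricted door"))
    return findings


if __name__ == "__main__":
    for stamp, badge, reason in review_access_log(ACCESS_LOG_CSV, TERMINATED):
        print(f"{stamp} {badge}: {reason}")
```

Each finding is something an assessor would ask you to explain, so the output itself is a usable record of the monthly review.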

💬 Self-Assessment Questions

Use these questions to assess your compliance. Each "NO" answer provides specific remediation guidance.

Question 1: Do you have a documented physical access policy?

✅ YES → Proceed to Q2
❌ NO → GAP. Remediation: Draft a policy using templates like NIST SP 800-53. Timeline: 1 week

Question 2: Are restricted areas secured with keycard or biometric access?

✅ YES → Proceed to Q3
❌ NO → GAP. Remediation: Install an access control system. Timeline: 2 weeks

Question 3: Do you maintain a visitor log?

✅ YES → Proceed to Q4
❌ NO → GAP. Remediation: Implement a visitor management system. Timeline: 1 week

Question 4: Are visitors escorted in restricted areas?

✅ YES → Proceed to Q5
❌ NO → GAP. Remediation: Update visitor policy to require escorts. Timeline: 1 week

Question 5: Do you regularly review access logs?

✅ YES → Compliant
❌ NO → GAP. Remediation: Set up monthly log reviews. Timeline: Ongoing

⚠️ Common Mistakes (What Auditors Flag)

1. Missing visitor logs

Why this happens: Overlooking the need to track visitors
How to avoid: Use a visitor management system and train staff.

2. Inconsistent access controls

Why this happens: Different areas have varying security levels
How to avoid: Standardize access controls across all sensitive areas.

3. Failure to audit logs

Why this happens: Lack of resources or awareness
How to avoid: Schedule regular log reviews and assign responsibility.

4. No escort policy

Why this happens: Assuming visitors are trustworthy
How to avoid: Require escorts for all visitors in restricted areas.

5. Outdated access permissions

Why this happens: Failure to update after employee turnover
How to avoid: Regularly review and update access permissions.

📚 Parent Policy

This practice is governed by the Physical Protection Policy
