NetStable
Level 1 PE.L1-3.10.2

Protect and monitor the physical facility and support infrastructure for organizational systems

📖 What This Means

This practice requires organizations to implement basic physical security measures to protect facilities and infrastructure where Controlled Unclassified Information (CUI) is stored, processed, or transmitted. It involves monitoring access to physical spaces, ensuring unauthorized individuals cannot enter, and maintaining oversight of support systems like power and HVAC. For example, a small defense contractor might use locked doors with keycard access to secure server rooms and install security cameras to monitor entry points. Another example is maintaining visitor logs to track who enters and exits sensitive areas. The goal is to prevent unauthorized physical access that could compromise CUI.

🎯 Why It Matters

Physical security breaches can lead to theft, tampering, or destruction of sensitive information and systems. For instance, in 2018, a breach at a defense contractor involved an unauthorized individual accessing a server room and stealing equipment containing classified data. Such incidents can result in significant financial losses, reputational damage, and non-compliance penalties. The Department of Defense (DoD) emphasizes physical security in CMMC to ensure CUI is protected from physical threats. This control mitigates risks like unauthorized access, insider threats, and environmental hazards, ensuring the integrity and confidentiality of CUI.

How to Implement

  1. Ensure cloud provider facilities meet CMMC physical security standards (e.g., SOC 2, ISO 27001).
  2. Request and review physical security audit reports from your cloud provider.
  3. Implement Multi-Factor Authentication (MFA) for access to cloud management consoles.
  4. Monitor cloud infrastructure access logs for unusual activity.
  5. Establish incident response procedures for physical security breaches affecting cloud services.

⏱️ Estimated Effort

Implementation typically takes 2-4 weeks for small/medium businesses, requiring basic IT and physical security skills.

📋 Evidence Examples

Access control logs

Format: CSV/PDF
Frequency: Monthly
Contents: Timestamp, user ID, access point
Collection: Export from access control system

Visitor logs

Format: Excel/PDF
Frequency: Weekly
Contents: Visitor name, purpose, escort, entry/exit times
Collection: Maintain in visitor management system

Surveillance footage

Format: Video files
Frequency: Retain for 90 days
Contents: Recorded footage of monitored areas
Collection: Save from surveillance system

Physical security policy

Format: PDF
Frequency: Annual review
Contents: Access control, visitor management, and monitoring procedures
Collection: Document in security policy

Training records

Format: Excel/PDF
Frequency: Annual
Contents: Employee names, training dates, topics
Collection: Maintain in HR system

📝 SSP Guidance

Use this guidance when writing the System Security Plan (SSP) narrative for this control.

How to Write the SSP Narrative

For PE.L1-3.10.2 ("Protect and monitor the physical facility and support infrastructure for organizational systems"), your SSP narrative should specifically describe: (1) the tools and technologies you use to implement this control, (2) the configuration or process that enforces it, (3) who is responsible for maintaining it, and (4) what evidence proves it is working. Describe the physical security controls protecting CUI systems, including badge access, visitor management, physical access logging, and alternate work site requirements. Be specific: name your actual products, settings, and responsible personnel.

Example SSP Narratives

Cloud (Azure/AWS)

"PE.L1-3.10.2 is implemented using cloud-native controls. [Organization] uses [specific cloud service/feature] to protect and monitor the physical facility and support infrastructure for organiz.... The configuration is managed through [Azure Policy/AWS Config/Terraform] and monitored via [SIEM tool]. Responsible party: [IT Security Manager]. Evidence: [specific artifact, e.g., 'Azure AD Conditional Access policy screenshot, CloudTrail logs']."

On-Premise

"PE.L1-3.10.2 is implemented through on-premise infrastructure controls. [Organization] uses [Active Directory/Group Policy/specific tool] to protect and monitor the physical facility and support infrastructure for organiz.... Configuration is documented in [location] and audited [frequency]. Responsible party: [System Administrator]. Evidence: [specific artifact, e.g., 'Group Policy export, Windows Event logs']."

Hybrid

"PE.L1-3.10.2 is implemented across both cloud and on-premise environments. [Organization] uses [Azure AD Connect/hybrid tool] to ensure consistent enforcement. Cloud resources are managed via [cloud tool] and on-premise systems via [on-prem tool]. Both environments report to [centralized SIEM]. Responsible party: [IT Director]. Evidence: [artifacts from both environments]."

System Boundary Considerations

  • Identify all physical locations where CUI is processed or stored
  • Document physical access control mechanisms (badge readers, locks, cameras)
  • Specify CUI area boundaries within each facility
  • Ensure this control covers all systems within your defined CUI boundary to which the requirement to protect and monitor the physical facility and support infrastructure applies
  • Document any systems where this control is not applicable and explain why

Key Documentation to Reference in SSP

  • 📄 Physical Protection Policy
  • 📄 Badge access logs
  • 📄 Visitor logs
  • 📄 Alternate work site approval forms
  • 📄 Evidence artifacts specific to PE.L1-3.10.2
  • 📄 POA&M entry if control is not fully implemented

What the Assessor Looks For

The assessor will physically inspect CUI areas, test badge access controls, review visitor logs, and verify that terminated employees' badges are deactivated promptly.
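The monthly review of the access control log export listed under Evidence Examples (timestamp, user ID, access point) and the assessor's check that terminated employees' badges are deactivated promptly can both be turned into a repeatable script. The following is an added worked example, not NetStable's code or any access control vendor's tool: it parses a constructed CSV export in that three-column format, cross-references a hypothetical HR termination list, and flags badge use after a termination date as well as after-hours entry to areas holding CUI systems. The column names, the sample rows, the termination dates, the sensitive area list and the business-hours window are all assumptions for illustration; adapt them to your own system's export.

```python
import csv
import io
from datetime import datetime, time

# Constructed sample export in the evidence format (timestamp, user ID, access point).
# Column names are an assumption; real exports vary by access control vendor.
SAMPLE_EXPORT = """timestamp,user_id,access_point
2024-05-02T08:55:12,jsmith,Server Room
2024-05-02T21:40:03,jsmith,Server Room
2024-05-03T09:10:45,mlee,Front Door
2024-05-06T13:02:11,tgarcia,Server Room
2024-05-07T03:15:27,mlee,Server Room
"""

# Constructed HR feed: user ID -> date on which the badge should have been deactivated.
TERMINATED = {"tgarcia": datetime(2024, 5, 3)}

# Constructed list of areas where CUI systems live, and the hours during
# which badge use there is expected (7:00 to 19:00, an assumption).
SENSITIVE_AREAS = {"Server Room"}
BUSINESS_HOURS = (time(7, 0), time(19, 0))


def parse_export(text):
    """Parse the CSV export into a list of dicts with a real datetime."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "timestamp": datetime.fromisoformat(row["timestamp"].strip()),
            "user_id": row["user_id"].strip(),
            "access_point": row["access_point"].strip(),
        })
    return rows


def review_access_log(rows, terminated, sensitive_areas, business_hours):
    """Return a list of (finding_type, user_id, timestamp, access_point) tuples.

    Two checks are applied to every row:
      - BADGE_ACTIVE_AFTER_TERMINATION: the badge was used on or after the
        user's termination date, so deactivation was not prompt.
      - AFTER_HOURS_SENSITIVE_ACCESS: a sensitive area was entered outside
        business hours, which warrants review (not necessarily a violation).
    """
    findings = []
    start, end = business_hours
    for r in rows:
        term_date = terminated.get(r["user_id"])
        if term_date is not None and r["timestamp"] >= term_date:
            findings.append(("BADGE_ACTIVE_AFTER_TERMINATION", r["user_id"],
                             r["timestamp"].isoformat(), r["access_point"]))
        in_hours = start <= r["timestamp"].time() < end
        if r["access_point"] in sensitive_areas and not in_hours:
            findings.append(("AFTER_HOURS_SENSITIVE_ACCESS", r["user_id"],
                             r["timestamp"].isoformat(), r["access_point"]))
    return findings


def summarize_by_area(rows):
    """Count entries per access point; useful as the monthly review summary."""
    counts = {}
    for r in rows:
        counts[r["access_point"]] = counts.get(r["access_point"], 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_export(SAMPLE_EXPORT)
    print("Entries per access point:", summarize_by_area(parsed))
    for finding in review_access_log(parsed, TERMINATED, SENSITIVE_AREAS, BUSINESS_HOURS):
        print("FINDING:", *finding)
```

Running the script on the constructed export produces three findings: two after-hours Server Room entries and one badge still active after its owner's termination date. Keeping the script's output alongside the raw export gives the monthly review a concrete artifact to show the assessor, and the termination check is the same comparison the assessor performs by hand.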

💬 Self-Assessment Questions

Use these questions to assess your compliance. Each "NO" answer provides specific remediation guidance.

Question 1: Do you have access control systems installed on all entry points to sensitive areas?

✅ YES → Proceed to Q2
❌ NO → GAP: Install access control systems (e.g., keycard readers) within 2 weeks.

Question 2: Are visitor logs maintained and reviewed regularly?

✅ YES → Proceed to Q3
❌ NO → GAP: Implement a visitor management system and train staff within 1 week.

Question 3: Is surveillance footage retained for at least 90 days?

✅ YES → Proceed to Q4
❌ NO → GAP: Configure surveillance system to retain footage for 90 days immediately.

Question 4: Are physical security policies documented and communicated to staff?

✅ YES → Proceed to Q5
❌ NO → GAP: Draft and distribute physical security policies within 1 week.

Question 5: Have staff received training on physical security procedures?

✅ YES → Compliant
❌ NO → GAP: Schedule and complete training sessions within 2 weeks.

⚠️ Common Mistakes (What Auditors Flag)

1. Missing or incomplete visitor logs.

Why this happens: Lack of a formal visitor management process.
How to avoid: Implement a visitor management system and train staff on its use.

2. Surveillance footage not retained for required duration.

Why this happens: Incorrect system configuration or storage limitations.
How to avoid: Configure systems to retain footage for at least 90 days and verify storage capacity.

3. Access control systems not installed on all entry points.

Why this happens: Budget constraints or oversight.
How to avoid: Conduct a facility audit to identify all entry points and prioritize installation.

4. Lack of documented physical security policies.

Why this happens: Policy development not prioritized.
How to avoid: Draft and review physical security policies with stakeholders.

5. Staff not trained on physical security procedures.

Why this happens: Training not scheduled or completed.
How to avoid: Include physical security training in onboarding and annual training programs.

📚 Parent Policy

This practice is governed by the Physical Protection Policy
