Physical access is the practice that most small contractors overthink or underthink. Either they assume it requires a biometric scanner and a mantrap, or they assume the front door lock is enough and never think about it again. The reality is somewhere in between, and it’s mostly about demonstrating that you’ve thought through who can physically reach CUI systems and that you control it. The companion practice, PE.L2-3.10.2, covers monitoring what happens inside: cameras, alarms, and access logs.
What the assessor is actually evaluating
The NIST requirement says to limit physical access to systems, equipment, and operating environments to authorized individuals. For a small defense contractor, the assessor is looking at a few specific things.
Can unauthorized people walk up to systems that process CUI? This is the core question. If your CUI environment is a file server in a closet, is the closet locked? Who has the key? If it’s laptops on desks in an open office, how do you handle visitors? If it’s a cloud environment, do the endpoints that access CUI sit in a space that’s physically controlled?
The assessor isn’t expecting a SCIF. They’re expecting that you’ve identified where CUI-processing systems physically exist and that you’ve put reasonable controls around those spaces.
Do you track who has physical access? A locked door is only useful if you know who has the key. The assessor wants to see an authorization list. Who is allowed into the server room, the wiring closet, the office space where CUI is accessed? How does someone get added to that list? How do they get removed?
Badge access systems make this easy because they generate logs automatically. Key-based systems work too, but you need a key log: who has which key, when it was issued, when it was returned. If someone leaves the company, you should be able to show that their physical access was revoked.
How do you handle visitors? Visitors are people who don’t have authorized physical access but need to be in the space temporarily. The assessor will ask about your visitor process. Do visitors sign in? Are they escorted in areas where CUI systems are present? Do they wear visitor badges so employees know they’re not authorized personnel?
For most small contractors, this is straightforward: visitors sign in at reception, get a visitor badge, and are escorted through the office. Write it down, do it consistently, and keep the sign-in logs.
One thing worth noting: if the assessment is on-site, the assessors themselves are visitors. They should go through your visitor process when they arrive. Sign in, get a badge, the whole thing. If your team forgets to do this, you’ve just failed to demonstrate the very practice you’re about to discuss. It’s a small thing, but it sets the tone for the entire assessment.
What a realistic SSP definition looks like
[Organization Name] limits physical access to systems, equipment, and facilities that process, store, or transmit CUI to authorized individuals. Physical access controls are applied to [describe: e.g., "the office suite at [address], including the server room and all workspaces where CUI-processing endpoints are located"].
Access to the facility is controlled by [mechanism: badge reader, keyed entry, combination lock]. Access to the server room / network closet is further restricted to [roles: IT staff, MSSP on-site personnel] via [mechanism], with access tied to the individual's role and responsibilities. A physical access authorization list is maintained by [role] and reviewed at least [quarterly/annually]. Access is revoked within [timeframe] of personnel departure or role change.
Visitors to the facility are required to sign in at [location], receive a visitor badge, and are escorted at all times in areas where CUI systems are present. Visitor logs are retained for [period].
Physical access logs [badge reader logs / key issuance records / visitor sign-in sheets] are retained for [period] and reviewed at least [frequency] for anomalies or unauthorized access attempts.
A few things to notice:
It identifies the specific spaces. “The office suite at [address]” and “the server room” tell the assessor exactly what’s in scope for physical protection. Don’t be vague about this.
It addresses the server room separately. Even if the whole office is badge-access, the server room (or wiring closet, or wherever the network equipment lives) should have an additional layer of restriction. It doesn’t have to be fancy. A locked closet with a documented list of who has the key is fine. What matters is that access is limited to the roles that need it and that you track it.
It has a revocation process with a timeline. “Access is revoked within [timeframe] of personnel departure.” This is the part most organizations skip. They have a process for granting access but no documented process for taking it away.
It covers visitors explicitly. Escort requirement, badge, sign-in log. Simple and effective.
How to present your evidence
When the assessor gets to PE.L2-3.10.1, have these ready:
Your physical access authorization list. A list of who is authorized to access each controlled area. Server room, office space, anywhere CUI systems live. This should be a maintained document, not something you create the week before the assessment.
Access logs. Badge reader logs showing who entered when. Or a key log showing key issuance and returns. Or a combination lock change log. Whatever mechanism you use, show that it generates a record and that you keep it. The assessor will almost always ask to see a log, so have one ready to pull up.
Visitor logs. Sign-in sheets showing visitor name, date, time in, time out, who they’re visiting, and who escorted them. If you use an electronic visitor management system, show the log.
Photos or a walkthrough. If the assessment is on-site, the assessors will likely do a physical walkthrough. They’ll look for unlocked doors, server rooms propped open, that kind of thing. If it’s a virtual assessment, be prepared for a process walkthrough (talking through your physical access procedures), a policy analysis (the assessor reads your physical security policy and SSP), and potentially a virtual walkthrough where you walk them through the space on camera or provide photos. Have all three ready. A photo of the badge reader on the server room door, the sign-in sheet at reception, the lock on the network closet.
Evidence of revocation. Show that when someone left the company, their badge was deactivated or their key was collected. Even one example demonstrates the process works.
Keep answers short. Show the evidence, don't describe it. Let the assessor drive. For more on how to present in the assessment room, see How to Present Evidence in the Assessment Room.
Common failures
No physical access authorization list. The door is locked, but there's no documented record of who's authorized to open it. The assessor asks who has server room access and gets a vague "IT guys and maybe the office manager." That's not a controlled process.
No revocation process. People get keys or badge access when they join. Nobody tracks whether access is removed when they leave. The assessor asks what happened to the last person who departed. If nobody can answer, that's a gap.
Server room or wiring closet left unlocked. During an on-site walkthrough, the assessor finds the server room door propped open or unlocked. It happens more often than you'd think. All the documentation in the world doesn't matter if the door is open.
No visitor process. Visitors walk freely through the office. No sign-in, no badges, no escort. Even if visitors rarely come to your office, the process needs to exist and be documented. The assessor will ask about it.
CUI-processing endpoints in uncontrolled spaces without compensating controls. Remote work and home offices are not typically a problem for PE as long as your other controls are solid: CUI can't be printed, can't be copied to USB drives, can only be accessed on a company-managed device with all company security controls in place. If those technical controls are there, the physical location of the endpoint matters less. What gets flagged is when none of those controls exist AND people are accessing CUI from uncontrolled locations.
What passes, by contrast, is simple: a clear identification of which spaces contain CUI systems. Physical access controls on those spaces with logs showing they work. An authorization list that's maintained and reviewed. A simple visitor process with a sign-in log. Evidence that access gets revoked when people leave. None of this requires expensive equipment. A keyed deadbolt, a key log spreadsheet, and a visitor clipboard at reception can satisfy this practice if they're used consistently and documented.
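As an added example (not from the original page), here is a small script that reviews a badge or key log against the authorization list and checks that departed personnel were revoked within the SSP's timeframe, which is the log review, revocation timeline and "no revocation process" points above in code form. The CSV columns, the names and dates, and the one-day revocation window are assumptions chosen for the example.

```python
import csv
from datetime import date, datetime, timedelta
from io import StringIO

# Constructed authorization list: one row per person per controlled area;
# departed/revoked are blank for current staff. All names and dates are sample data.
AUTH_LIST = """\
name,area,granted,departed,revoked
Alice Ng,server room,2023-01-10,,
Alice Ng,office suite,2023-01-10,,
Bob Ruiz,office suite,2023-03-02,2024-05-31,2024-06-01
Bob Ruiz,server room,2023-03-02,2024-05-31,
Dana Li,office suite,2022-11-15,2024-04-12,2024-04-30
"""
# Constructed badge-reader export: one row per door event.
BADGE_LOG = """\
timestamp,name,area
2024-06-03T08:01:00,Alice Ng,server room
2024-06-03T08:05:00,Bob Ruiz,office suite
2024-06-04T17:40:00,Eve Holt,server room
"""
REVOCATION_WINDOW = timedelta(days=1)  # stands in for the SSP's "[timeframe]"
_to_date = lambda s: date.fromisoformat(s) if s else None  # blank cell -> None


def load_auth(text):
    # (name, area) -> (granted, departed, revoked) as dates, or None where blank
    return {(r["name"], r["area"]): tuple(_to_date(r[k]) for k in ("granted", "departed", "revoked"))
            for r in csv.DictReader(StringIO(text))}


def review_badge_log(auth, log_text):
    # Flag door events that the authorization list does not justify.
    findings = []
    for r in csv.DictReader(StringIO(log_text)):
        day = datetime.fromisoformat(r["timestamp"]).date()
        rec = auth.get((r["name"], r["area"]))
        if rec is None:
            findings.append(("not_authorized", r["name"], r["area"], r["timestamp"]))
        elif day < rec[0] or (rec[2] and day >= rec[2]):
            findings.append(("outside_authorized_period", r["name"], r["area"], r["timestamp"]))
    return findings


def check_revocations(auth, today, window=REVOCATION_WINDOW):
    # Departed personnel whose access was not revoked within `window`, as of `today` (ISO date).
    today, late = date.fromisoformat(today), []
    for (name, area), (_, departed, revoked) in auth.items():
        deadline = departed + window if departed else None
        if deadline and ((revoked is None and today > deadline) or (revoked and revoked > deadline)):
            late.append((name, area, departed.isoformat(), revoked.isoformat() if revoked else None))
    return late
```

Run it over a real badge export before the assessment and keep the output with the log: an empty findings list is itself evidence that the list and the logs agree.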
If you use an MSP/MSSP
Physical protection is one of the practices where the contractor owns almost everything. Your MSSP isn’t going to install locks on your doors. But there are a few places where the relationship matters.
Remote access to physical infrastructure. If your MSSP manages network equipment remotely (firewalls, switches, access points), the physical security of that equipment is still on you. The server room where the firewall sits needs to be locked and controlled. Your MSSP may help you document what’s in that room and why it matters, but physically securing it is your responsibility.
Cloud-heavy environments. If your CUI environment is mostly cloud-based and your MSSP manages the cloud tenant, physical protection shifts to the endpoints. The laptops and workstations that access CUI need to be in controlled spaces. Your MSSP might help with endpoint policies (screen lock timeouts, encryption), but the physical space is on you.
Badge system or access control integration. Some MSSPs help manage or monitor physical access control systems as part of their security program. If yours does, they should be able to show logs and explain the monitoring. If they don’t, this is entirely your operation and you need someone internal who can present the evidence.
The assessor typically spends less time on PE practices than on AC, AU, or IR, but they will ask about it and they will look for the basics. Having clean documentation and someone who can answer confidently keeps this one short and painless.
This page covers PE.L2-3.10.1 from NIST SP 800-171 Rev 2 (3.10.1). The guidance here is based on experience in real CMMC assessments and is intended to help you prepare. It is not legal or compliance advice. Your organization’s situation is unique, and you should work with qualified professionals for formal assessment preparation.