PE.L2-3.10.2: Monitor Physical Facility

Maintain surveillance and environmental controls over your physical facility.

You’ve got cameras somewhere. You’ve got an alarm. Maybe a thermostat in the server closet. The assessor wants to see that you’re actually watching your facility, not just locking the door and hoping. PE.L2-3.10.2 is about monitoring what happens inside, moment to moment.

This pairs directly with PE.L2-3.10.1 (controlling entry). That practice stops unauthorized people from getting in. This one catches what they do once they’re here, or confirms that your authorized staff are where they should be.

What the assessor is actually evaluating

The assessor is checking whether you can:

  • See entry and exit points in real time and after the fact. A video log of who came in when.
  • Show access logs. Who accessed what areas and when. This matters more than environmental sensors.
  • Respond to alarms. Not just set them. When motion is detected after hours, what happens next?
  • Retain footage long enough to investigate incidents and support your visitor logs from PE.L2-3.10.1.
  • Protect the monitoring system itself from tampering or deletion by unauthorized staff.

For fully remote or cloud-only contractors with no physical office and no on-premise servers, the assessor will typically accept “we don’t have a facility” as long as it’s documented in your policy that you don’t maintain a physical office, visitors aren’t a factor, and your CUI boundary is entirely cloud-based. You still need controls on endpoints (laptops, etc.) but those fall under other practices.

The assessor will ask to see the camera interface, pull up footage, confirm retention settings, and ask who reviews monitoring data and when.

Your monitoring baseline

Camera coverage does not need to be total. Cover entry points (front door, back door), the server room or closet, and visitor areas. 30 days of video is the standard minimum. Motion-activated recording is fine if retention covers at least 30 days. One important note: make sure your camera equipment isn’t from a manufacturer on the federal prohibited list (this changes periodically, so check current guidance). The assessor probably won’t inspect the brand, but if it comes up, you don’t want to be explaining why you’re using banned equipment in a defense contractor environment. If you’re working from home, you don’t need a home camera for CUI. Your facility is your office space or server closet only.

Access logs matter more than environmental sensors. The assessor cares about who accessed restricted areas and when. Server room access logs, badge swipe records, sign-in sheets for the server closet. Temperature and humidity monitoring is less of a focus in this context. If you have it, great, but the assessor is spending their time on access controls and who-went-where documentation.

Alarm coverage usually means the building alarm system. After-hours motion detection on entry points. The building’s security company monitors it. If you have a home office, a door sensor on your CUI closet or room is practical.

Visitor logs connect here. You logged who came in (3.10.1). You kept video to prove they left and didn’t wander into restricted areas.

SSP language that works

Example SSP Language: PE.L2-3.10.2

We maintain camera coverage of all entry points to the facility and the server room. Cameras record continuously and retain footage for at least 30 days. All visitor access is logged at entry and cross-referenced with camera footage. The server room maintains a temperature sensor that logs readings at least hourly. Environmental alerts are configured to notify facility management if temperature exceeds safe operating ranges. The facility is equipped with a fire suppression system and fire detection. Building after-hours alarm monitoring includes motion detection at entry points with notification to our security service. Only authorized personnel have access to camera footage and monitoring system controls. Camera systems are maintained and updated per manufacturer guidance.

How to present your evidence

Pull up the camera system in a web browser or app and show the assessor the live view and a recent recording. Walk back through footage from the last week. Show retention settings. If you keep footage in a separate system (NVR, cloud storage), show the settings there. Show that timestamps are accurate.

For environmental monitoring, pull up any logs or interface showing temperature readings. If it’s a simple thermometer, show the thermometer and explain your backup if it fails (manual checks, paper log, replacement unit on site).

Pull out your visitor log and correlate it with camera footage. “We logged this person in on Tuesday at 2 PM, and you can see them entering here at 2:03 PM.”
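An added example, not part of the original page: a pre-assessment self-check for the evidence walk-through above. It assumes hypothetical exports (a visitor sign-in list and NVR motion events, with constructed names, camera labels and dates) and checks retention age, whether sign-in times line up with entry footage, and whether the restricted-area camera recorded motion during a visit.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M"
# Constructed sample data: export formats and camera names are assumptions.
VISITOR_LOG = [  # (name, signed in, signed out) from the sign-in sheet
    ("John Smith", "2026-03-15 14:00", "2026-03-15 15:15"),
    ("Ana Ruiz",   "2026-03-17 10:00", "2026-03-17 10:40"),
]
CAMERA_EVENTS = [  # (camera, motion event time) exported from the NVR
    ("front_entry", "2026-02-10 08:01"),
    ("front_entry", "2026-03-15 14:03"),
    ("front_entry", "2026-03-15 15:15"),
    ("front_entry", "2026-03-17 10:21"),
    ("server_room", "2026-03-17 10:30"),
]

def parse(ts):
    return datetime.strptime(ts, FMT)

def retention_days(events, now):
    """Age in days of the oldest footage still on the recorder."""
    return (now - min(parse(t) for _, t in events)).days

def entry_offsets(visitors, events, camera="front_entry",
                  tolerance=timedelta(minutes=5)):
    """Minutes from each sign-in to the nearest entry-camera event,
    or None when nothing falls within tolerance (clock drift or a gap)."""
    times = [parse(t) for cam, t in events if cam == camera]
    out = {}
    for name, t_in, _ in visitors:
        gap = min((abs(t - parse(t_in)) for t in times), default=None)
        ok = gap is not None and gap <= tolerance
        out[name] = int(gap.total_seconds() // 60) if ok else None
    return out

def restricted_during_visit(visitors, events, camera="server_room"):
    """Restricted-area motion while a visitor was signed in. This is
    footage to review, not proof the visitor entered the room."""
    return [(name, t) for name, t_in, t_out in visitors
            for cam, t in events
            if cam == camera and parse(t_in) <= parse(t) <= parse(t_out)]

if __name__ == "__main__":
    now = parse("2026-03-18 09:00")
    print("retention days:", retention_days(CAMERA_EVENTS, now), "(need >= 30)")
    print("entry offsets:", entry_offsets(VISITOR_LOG, CAMERA_EVENTS))
    print("review footage:", restricted_during_visit(VISITOR_LOG, CAMERA_EVENTS))
```

A `None` offset means the sign-in has no matching entry footage within five minutes, which is the "timestamps don't line up" condition to fix before the assessor finds it.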

Alarms. Walk the assessor through the alarm control panel. Show after-hours settings. Provide documentation from your security company confirming monitoring is active. If you’re the responder, explain your process: alarm goes off, you get a call, you show up, you document what happened.

Common failures

What gets flagged

No camera system. You said you have cameras but can't show them. Or the building camera system exists but doesn't cover the server room.

No retention. Cameras are set to overwrite after 5 days. You can't investigate last month's concern.

Cameras are not synced. Timestamps don't line up with visitor logs.

No access logs for restricted areas. You have a server closet but no record of who goes in and out.

What passes

Basic IP camera system with 30-day cloud or NVR retention. Covers entry and server area. You show video from this week. Timestamps match your visitor log. Access logs for the server room show who went in and when. When the assessor asks about any of it, you can pull it up on the spot.

Q&A: What the assessor asks and what good answers sound like

Assessment room tips

Keep answers short. Show the evidence, don't describe it. Let the assessor drive. For more on how to present in the assessment room, see How to Present Evidence in the Assessment Room.

Assessor: "Walk me through your camera system. How much do you retain?"
"[Pull up the camera interface] We cover the front entry, back entry, and server room. Video is stored on an NVR on site with at least 30 days of retention. I can pull up any footage you want to see."

Assessor: "Can you show me footage from a visitor that was here last week?"
"[Pull up the visitor log] John Smith signed in on the 15th at 2 PM. [Go to camera timestamp] Here's John arriving at the front door. And here's him leaving at 3:15 PM. He never entered the server room."

Assessor: "What happens if someone tries to tamper with camera footage?"
"Only I and our IT manager have access to the camera system and NVR. Access is logged. If footage is deleted or altered, the system logs that event."

Assessor: "Who has access to the server room and how do you track it?"
"[Pull up the access log] Only three people have the key: myself, our IT manager, and the office manager as backup. We log every entry. Here's the log from this month. You can see who went in and when."

If you use an MSP/MSSP

If your MSP manages the facility cameras, get documentation showing what you retain and how you access footage. If they host the NVR on their infrastructure, confirm retention SLA in writing. You still need to show the assessor that you can pull footage when needed and that your SSP describes your actual setup, not a generic template.

Same for environmental monitoring. If the MSP’s HVAC system logs temperature, get read access to that data or ask them to provide weekly reports you keep on file.


This page reflects CMMC guidance as of March 2026. Assessor preferences vary. Document your actual controls in your SSP, not what you wish you had.
