What does PE.L2-3.10.5 require for CMMC Level 2?

You must control physical access to output devices and storage media (printers, external drives, backup tapes, etc.) that contain or handle CUI.

What evidence do I need for PE.L2-3.10.5?

Documentation of where output devices are located, access controls (locked cabinets, restricted areas), and policies for handling output media.

What's the most common failure for PE.L2-3.10.5?

Printers and output devices sit in open areas where anyone can access printed CUI. Or external drives and backup tapes are left on desks. Control where these devices are and who can access them.

PE.L2-3.10.5

PE.L2-3.10.5: Manage Physical Access

Control physical access to output devices and storage media to prevent unauthorized access to CUI.

Updated March 30, 2026

A printer spits out a confidential document. A USB drive with customer data sits on a desk. Storage media is left in a common area. Without controlling access, anyone can walk by and grab CUI. Restrict access to output devices and storage media. This practice works with PE.L2-3.10.1 (limiting facility access) to control physical touchpoints and connects to MP.L2-3.8.1 for media protection.

Family Physical Protection

Practice PE.L2-3.10.5

Difficulty Medium

Key evidence Inventory of devices, documentation of controls, photos or descriptions of physical layout

What the assessor is actually evaluating

The assessor is checking: (1) Where are your output devices and storage media located? (2) Can unauthorized people access them? (3) What controls limit access? You don’t need to lock everything up. You need to be intentional about placement and access. A printer in a secure office is controlled. A printer in the hallway is not.

This applies to printers, copiers, external drives, backup tapes, USB sticks, or any device that stores or outputs CUI.

What a realistic SSP definition looks like

PE.L2-3.10.5 Manage Physical Access to Output Devices

Output devices and storage media are controlled to prevent unauthorized access to CUI:

Printers handling CUI are located in [secure office/designated area], not in common areas
External drives and backup tapes are stored in [locked cabinet/secure location]
USB devices are issued to authorized personnel only and stored securely when not in use
Portable devices (laptops handling CUI) are stored in locked cabinets or offices when unattended

Printed CUI is collected promptly from output devices. Unclaimed output is shredded daily. Storage media is inventoried [monthly] and accessed logs are maintained if applicable.

Only authorized personnel have access to areas containing output devices or storage media.

How to present your evidence

Gather these items:

List or inventory of output devices (printers, copiers, external drives)
Documentation of device locations and physical controls (locked room, cabinet, office)
Photos or descriptions showing where CUI output devices are located
Storage media inventory or log
Policies for handling printed CUI (collection, shredding, etc.)
USB device tracking if applicable

Assessment room tips

Keep answers short. Show the evidence, don't describe it. Let the assessor drive. For more on how to present in the assessment room, see How to Present Evidence in the Assessment Room.

Q: "Where are your printers that handle CUI?" A: "The CUI printer is in [location]. It's in a secure office with restricted access. General printing happens on [other printer] in [area]." [Can pull up photos or describe layout]

Q: “How do you control access?" A: “The office is locked. Only [team] has access. When someone needs to print something, they’re in the room with the printer.”

Q: “What about printed output? Where does it go?" A: “It’s collected daily and stored in a locked bin. [Person] shreds it at end of day or when full.”

Q: “How do you handle external drives and backup tapes?" A: “They’re stored in a locked cabinet in [location]. Only IT can access them.”

Common failures

Shared printer in hallway. CUI is printed to a shared office printer in a common area. Anyone walking by can see or grab the output. Move the CUI printer to a secure area or implement immediate collection.

Media on desks. External drives or USB sticks with CUI are left on desks or in open areas. Implement a rule: media must be stored securely. Provide locked cabinets or drawers.

No inventory of devices. You don't know what output devices you have or where they are. Create a list and document the controls on each.

You're good here. Your CUI printer is in a secure office. Printed output is collected promptly and shredded. External drives are stored in a locked cabinet. Only authorized personnel have access to these areas. Assessors confirm and move on.

Get assessment room tips in your inbox

Short, practical breakdowns of what assessors actually ask and how to answer. No compliance jargon, no sales pitch. Subscribe free on Substack.

Practical implementation

Make a list of devices and media:

Where is the CUI printer? Secure office or common area?
Where are external drives, backup tapes, USB devices stored?
Where are laptops or workstations handling CUI stored when not in use?
Who has access to each area?

For each, determine if access is controlled:

Locked room: Yes
Locked cabinet/drawer: Yes
Open desk: No (move it)
Shared printer in hallway: No (move it or restrict access)

Apply the rule: Output devices and storage media containing CUI must be in areas with restricted access.

Handling printed output

If CUI is printed:

Collect promptly (don’t leave on the printer)
Store in a locked bin or cabinet
Shred when done or regularly (daily, weekly)
Don’t leave on desks

Designate someone to manage printed CUI. Make it a routine task.

If you have shared office spaces or visitor access

If your office is shared with other tenants or you have frequent visitors, secure your CUI printer in a locked room or office, not in common areas. Same for storage media. Keep it where visitors and other tenants cannot access it.

If you use an MSP/MSSP

Physical control of output devices and storage media is your responsibility. Your MSP has no role unless they manage your physical equipment or office space. Even then, you decide where devices are located and what access controls apply. Your MSP executes on your direction.

Physical security decisions are yours to make. If an MSP manages IT infrastructure or devices in your office, they should follow your physical control policy. They shouldn’t place printers, external drives, or storage media in unsecured areas. If they manage equipment, require contractual language stating they’ll follow your physical security policies and allow you to inspect device placement and access controls.

Enforce physical controls on MSP-managed equipment

If your MSP manages IT equipment that handles or outputs CUI, require them to follow your physical access control policy. Specifically, printers must be in secure areas, storage media must be locked, and access logs must be maintained. Periodically verify that MSP-managed equipment is physically located according to your requirements and that access controls are in place.

This guide reflects CMMC Level 2 requirements as of March 2026. CMMC and NIST standards evolve. Verify current requirements with official CMMC materials and your assessor.

New practice breakdowns and assessment tips every week. Follow on Substack to stay current as the November 2026 deadline gets closer.

← PE.L2-3.10.6: Alternative Work Sites All Practices PE.L2-3.10.4: Physical Access Logs →