A printer spits out a confidential document. A USB drive with customer data sits on a desk. Storage media is left in a common area. Without controlling access, anyone can walk by and grab CUI. Restrict access to output devices and storage media. This practice works with PE.L2-3.10.1 (limiting facility access) to control physical touchpoints and connects to MP.L2-3.8.1 for media protection.
What the assessor is actually evaluating
The assessor is checking: (1) Where are your output devices and storage media located? (2) Can unauthorized people access them? (3) What controls limit access? You don’t need to lock everything up. You need to be intentional about placement and access. A printer in a secure office is controlled. A printer in the hallway is not.
This applies to printers, copiers, external drives, backup tapes, USB sticks, or any device that stores or outputs CUI.
What a realistic SSP definition looks like
Output devices and storage media are controlled to prevent unauthorized access to CUI:
- Printers handling CUI are located in [secure office/designated area], not in common areas
- External drives and backup tapes are stored in [locked cabinet/secure location]
- USB devices are issued to authorized personnel only and stored securely when not in use
- Portable devices (laptops handling CUI) are stored in locked cabinets or offices when unattended
Printed CUI is collected promptly from output devices. Unclaimed output is shredded daily. Storage media is inventoried [monthly] and access logs are maintained if applicable.
Only authorized personnel have access to areas containing output devices or storage media.
How to present your evidence
- List or inventory of output devices (printers, copiers, external drives)
- Documentation of device locations and physical controls (locked room, cabinet, office)
- Photos or descriptions showing where CUI output devices are located
- Storage media inventory or log
- Policies for handling printed CUI (collection, shredding, etc.)
- USB device tracking if applicable
Common failures
Shared printer in hallway. CUI is printed to a shared office printer in a common area. Anyone walking by can see or grab the output. Move the CUI printer to a secure area or implement immediate collection.
Media on desks. External drives or USB sticks with CUI are left on desks or in open areas. Implement a rule: media must be stored securely. Provide locked cabinets or drawers.
No inventory of devices. You don't know what output devices you have or where they are. Create a list and document the controls on each.
You're good here. Your CUI printer is in a secure office. Printed output is collected promptly and shredded. External drives are stored in a locked cabinet. Only authorized personnel have access to these areas. Assessors confirm and move on.
If you use an MSP/MSSP
Physical control of output devices and storage media is your responsibility. Your MSP has no role unless they manage your physical equipment or office space. Even then, you decide where devices are located and what access controls apply. Your MSP executes on your direction.
Physical security decisions are yours to make. If an MSP manages IT infrastructure or devices in your office, they should follow your physical control policy. They shouldn’t place printers, external drives, or storage media in unsecured areas. If they manage equipment, require contractual language stating they’ll follow your physical security policies and allow you to inspect device placement and access controls.
If your MSP manages IT equipment that handles or outputs CUI, require them to follow your physical access control policy. Specifically, printers must be in secure areas, storage media must be locked, and access logs must be maintained. Periodically verify that MSP-managed equipment is physically located according to your requirements and that access controls are in place.
Keep answers short. Show the evidence, don't describe it. Let the assessor drive. For more on how to present in the assessment room, see How to Present Evidence in the Assessment Room.
Q&A: What the assessor asks
Q: “How do you control access?” A: “The office is locked. Only [team] has access. When someone needs to print something, they’re in the room with the printer.”
Q: “What about printed output? Where does it go?” A: “It’s collected daily and stored in a locked bin. [Person] shreds it at end of day or when full.”
Q: “How do you handle external drives and backup tapes?” A: “They’re stored in a locked cabinet in [location]. Only IT can access them.”
This guide reflects CMMC Level 2 requirements as of March 2026. CMMC and NIST standards evolve. Verify current requirements with official CMMC materials and your assessor.