CMMC Level 2 Implementation Guide July 3, 2026 · 9 min read

How to Implement CMMC Level 2 Physical Protection (PE) Requirements

Physical Protection is the domain that reminds organizations that cybersecurity is not purely a digital problem. If someone can walk into your server room, plug in a USB drive, and walk out, your firewall rules are irrelevant. Six practices covering facility access, visitor management, physical monitoring, access device control, and remote work site security. Here is how to implement each one and what evidence an assessor will expect.

Scoping PE Correctly

The question is not "do we have physical security?" Most organizations do. The question is whether it specifically covers the areas where CUI systems live, and whether you can prove it.

The PE domain applies to the physical spaces where CUI systems are located and operated. This means the server room, network equipment closets, areas where CUI workstations are used, and any alternate work sites where employees access CUI (including home offices). It does not require that your entire building be a secure facility. Just the areas in scope.

Defining your CUI boundary in your System Security Plan is the prerequisite. Once you know which physical spaces are in scope, the PE controls you need to apply become concrete and finite. Organizations that have not done that boundary definition tend to either over-scope (treating the entire building as a secure zone) or under-scope (assuming the server room is the only relevant space while ignoring the open-plan office where CUI workstations live).

Shared facilities: If your organization operates in a shared office building or co-working space, your PE controls must account for the shared environment. You cannot control the building lobby, but you can control the door to your suite and the server closet within it. Document what you control and what building management controls, and ensure your policy reflects the shared environment reality.

Practice-by-Practice Breakdown

3.10.1

Limit physical access to CUI systems and operating environments to authorized individuals

The foundational PE practice: only authorized personnel can physically access the areas where CUI systems are located. This means controlling entry, not just hoping the right people show up.

Common mistake: Treating the server room key as a communal resource. If the key hangs on a hook in the IT office and anyone in IT can grab it, that is not controlled access; that is controlled storage of an uncontrolled access device. Physical access should be individual and traceable.

3.10.2

Protect and monitor the physical facility and support infrastructure

Beyond controlling who enters, 3.10.2 requires protecting the facility itself and monitoring it. Support infrastructure includes power, HVAC, and network cabling, the physical underpinnings of your systems.

Common mistake: Installing cameras in the lobby and common areas but not covering the server room door or the interior of the server room itself. If the monitoring does not cover the areas where CUI systems are physically located, it does not satisfy 3.10.2 for those areas.

3.10.3 + 3.10.4

Escort visitors and maintain physical access audit logs

A visitor log that says "John Smith, 2pm" with no escort noted and no departure time is a paper artifact, not an access control.

3.10.3 requires escorting visitors and monitoring their activity in areas where CUI systems are accessible. 3.10.4 requires maintaining audit logs of physical access events.

Common mistake: A paper visitor log at the front desk that records arrival but not departure, has no escort name, and is filed away without anyone reviewing it. A log that is never reviewed for anomalies is evidence retention, not a control. Build a periodic review step into your physical security procedures.

3.10.5

Control and manage physical access devices

Physical access devices (keycards, badges, physical keys, key fobs, PINs) must be managed as carefully as digital credentials. Lost devices create unauthorized access risk until deactivated; untracked devices mean you do not know who can enter your controlled areas.

Common mistake: Using a single shared door code for the server room that has never been changed and is known to current and former employees alike. Shared, static PIN codes are the physical security equivalent of a shared password: convenient for users, convenient for unauthorized access.

3.10.6

Enforce safeguarding measures for CUI at alternate work sites

Remote workers who access CUI systems from home or other alternate locations are subject to PE requirements. Your organization cannot control the physical security of an employee's home, but you can define minimum safeguards and require employees to implement them.

Common mistake: Having a remote work policy that covers VPN usage and device management but says nothing about the physical security of the work environment. 3.10.6 is specifically about the physical space, not the network connection. If your remote work policy does not address physical access, screen positioning, and household member restrictions, it does not fully satisfy the practice.

What Assessors Will Ask and Check

PE assessments combine documentation review with physical inspection. In a remote assessment, the physical inspection is replaced by photographs, floor plans, and interview questions about physical controls. Be prepared for:

Quick win for small organizations: If you do not have a badge access system and use physical keys, a key control log (a sign-out sheet when keys are removed from a locked key cabinet) satisfies the audit log requirement for 3.10.4. It is not elegant, but it is auditable, and an assessor can verify it. The log beats "we keep the key in the IT office" every time.

Need the Policy Document?

Our CMMC Level 2 Physical Protection Policy template covers all 6 PE practices in formal policy language. Includes facility access authorization procedures, visitor escort and logging requirements, physical access device management, monitoring requirements, and alternate work site security controls. Editable .docx, ready to customize in under an hour.

Download the PE Policy Template →

Frequently Asked Questions

Practice 3.10.1 requires limiting physical access to CUI systems and operating environments to authorized individuals. Areas where CUI systems are located must have access controls that prevent unauthorized entry: locked doors with keycard, key, PIN, or biometric access. The server room, network equipment closets, and any area where CUI systems are physically located must have controlled, documented access limited to authorized personnel.
Practice 3.10.3 requires escorting visitors and monitoring their activity in areas containing CUI systems. Visitors must not be left unescorted in those areas. Practice 3.10.4 requires maintaining audit logs of physical access; for visitors, this means a visitor log recording who visited, when, who escorted them, and when they departed. Electronic badge systems satisfy both practices more effectively than paper logs.
Yes. Practice 3.10.6 requires enforcing safeguarding measures for CUI at alternate work sites, including employee home offices. Your policy should address: locking screens when away from the device, not allowing household members to use work devices, securing CUI documents, and reporting lost or stolen devices. These requirements should be documented in a remote work agreement that employees sign.
Practice 3.10.4 requires maintaining audit logs of physical access. Electronic badge systems automatically log entry and exit with timestamps. Paper sign-in logs are acceptable for visitor access. At minimum, logs should capture the individual's name or badge ID, date and time of entry and exit, and the area accessed. Retain logs for at least one year and review periodically for anomalies.
Practice 3.10.5 applies to keycards, badges, key fobs, physical keys, and PIN codes used for physical access to controlled areas. Managing them means maintaining an issued device inventory, recovering devices during offboarding, deactivating lost or stolen devices promptly, and auditing who has active access annually. Shared, static PIN codes that never change are a common finding under this practice.

More CMMC Implementation Guides

👥Personnel Security (PS)Read → 💾Media Protection (MP)Read → 🔧Maintenance (MA)Read → 🔒Access Controls (AC)Read → 🚨Incident Response (IR)Read → How to Pass a CMMC AssessmentRead →
📫

Get the Free CMMC Level 2 Practice Checklist

No spam. Practical guidance on CMMC compliance and new resources when we publish them.