CMMC Level 2Implementation GuideJuly 3, 2026· 9 min read
How to Implement CMMC Level 2 Physical Protection (PE) Requirements
Physical Protection is the domain that reminds organizations that cybersecurity is not purely a digital problem. If someone can walk into your server room, plug in a USB drive, and walk out, your firewall rules are irrelevant. Six practices covering facility access, visitor management, physical monitoring, access device control, and remote work site security. Here is how to implement each one and what evidence an assessor will expect.
Scoping PE Correctly
The question is not "do we have physical security?" Most organizations do. The question is whether it specifically covers the areas where CUI systems live, and whether you can prove it.
The PE domain applies to the physical spaces where CUI systems are located and operated. This means the server room, network equipment closets, areas where CUI workstations are used, and any alternate work sites where employees access CUI (including home offices). It does not require that your entire building be a secure facility. Just the areas in scope.
Defining your CUI boundary in your System Security Plan is the prerequisite. Once you know which physical spaces are in scope, the PE controls you need to apply become concrete and finite. Organizations that have not done that boundary definition tend to either over-scope (treating the entire building as a secure zone) or under-scope (assuming the server room is the only relevant space while ignoring the open-plan office where CUI workstations live).
Shared facilities: If your organization operates in a shared office building or co-working space, your PE controls must account for the shared environment. You cannot control the building lobby, but you can control the door to your suite and the server closet within it. Document what you control and what building management controls, and ensure your policy reflects the shared environment reality.
Practice-by-Practice Breakdown
3.10.1
Limit physical access to CUI systems and operating environments to authorized individuals
The foundational PE practice: only authorized personnel can physically access the areas where CUI systems are located. This means controlling entry, not just hoping the right people show up.
Server rooms and network equipment closets must have locked access, controlled by keycard, key, PIN, or biometric. "The door is usually closed" is not an access control
Maintain an access authorization list for each controlled area: the specific individuals authorized to enter, updated when employees join, leave, or change roles
Workstation areas where CUI is regularly processed should also have access controls. For open-plan offices this typically means a locked suite door, screen lock policies, and a clean desk policy rather than individual workstation enclosures
If you use a shared server room or data center, verify that the colocation provider's access controls satisfy the requirement for that space and document it in your SSP
Review physical access authorization lists at least annually to ensure they reflect current staff
Common mistake: Treating the server room key as a communal resource. If the key hangs on a hook in the IT office and anyone in IT can grab it, that is not controlled access; that is controlled storage of an uncontrolled access device. Physical access should be individual and traceable.
3.10.2
Protect and monitor the physical facility and support infrastructure
Beyond controlling who enters, 3.10.2 requires protecting the facility itself and monitoring it. Support infrastructure includes power, HVAC, and network cabling, the physical underpinnings of your systems.
Physical monitoring typically means cameras covering entry points to controlled areas, server rooms, and critical infrastructure. Camera coverage does not need to be comprehensive across the entire facility, but areas where CUI systems are physically accessible should be monitored
Protect support infrastructure: power distribution (UPS, PDUs), HVAC systems for the server room, and network cabling runs should be physically protected from tampering or accidental damage. Unlocked electrical panels and exposed cabling runs in accessible areas are vulnerabilities
Maintain records of the monitoring systems in place: what cameras exist, where they cover, and how recordings are retained. Assessors will ask how you monitor physical access to controlled areas
Environmental monitoring for the server room (temperature, humidity, water detection) protects against accidental infrastructure failure. While not strictly a PE compliance requirement, it aligns with the spirit of the practice and is expected in a mature program
Common mistake: Installing cameras in the lobby and common areas but not covering the server room door or the interior of the server room itself. If the monitoring does not cover the areas where CUI systems are physically located, it does not satisfy 3.10.2 for those areas.
3.10.3 + 3.10.4
Escort visitors and maintain physical access audit logs
A visitor log that says "John Smith, 2pm" with no escort noted and no departure time is a paper artifact, not an access control.
3.10.3 requires escorting visitors and monitoring their activity in areas where CUI systems are accessible. 3.10.4 requires maintaining audit logs of physical access events.
Visitor escort: Any non-employee who enters a controlled area must be escorted by an authorized employee for the duration of their visit. This includes vendors, contractors, delivery personnel, and anyone else who is not an authorized employee. Do not leave visitors unattended in server rooms or areas with CUI workstations
Visitor log: Maintain a log recording each visit: visitor name, organization, date and time of arrival and departure, purpose of visit, and the name of the authorized employee who escorted them. Electronic systems that require badge-in at a reception desk work well here; paper logs at a reception desk are acceptable
Physical access audit logs: For controlled areas with badge access, the badge system logs satisfy 3.10.4 automatically. If physical keys are used, implement a manual log-out/log-in process when keys are issued and returned. Retain physical access logs for at least one year
Review access logs periodically for anomalies: access outside business hours, access by individuals who should no longer have authorization, or repeated access by the same individual to areas outside their normal work area
Common mistake: A paper visitor log at the front desk that records arrival but not departure, has no escort name, and is filed away without anyone reviewing it. A log that is never reviewed for anomalies is evidence retention, not a control. Build a periodic review step into your physical security procedures.
3.10.5
Control and manage physical access devices
Physical access devices (keycards, badges, physical keys, key fobs, PINs) must be managed as carefully as digital credentials. Lost devices create unauthorized access risk until deactivated; untracked devices mean you do not know who can enter your controlled areas.
Maintain an inventory of all issued physical access devices: device identifier (badge number, key number), the individual it was issued to, and the areas it grants access to
Deactivate access devices immediately when an employee leaves. This is part of your offboarding process and ties directly to PS practice 3.9.2; physical credential recovery should be on the offboarding checklist
Establish a process for lost or stolen access devices: employees must report immediately, and the device must be deactivated in the access control system before a replacement is issued
For PIN-based access systems, change PINs when an employee with PIN knowledge leaves, and ensure PINs are not shared (each authorized individual should have their own PIN, not share a common door code)
Audit issued access devices at least annually: compare your access device inventory against your current employee and contractor roster to identify devices that should have been recovered or deactivated
Common mistake: Using a single shared door code for the server room that has never been changed and is known to current and former employees alike. Shared, static PIN codes are the physical security equivalent of a shared password: convenient for users, convenient for unauthorized access.
3.10.6
Enforce safeguarding measures for CUI at alternate work sites
Remote workers who access CUI systems from home or other alternate locations are subject to PE requirements. Your organization cannot control the physical security of an employee's home, but you can define minimum safeguards and require employees to implement them.
Define alternate work site security requirements in a remote work security policy or in the PE policy itself. Minimum requirements typically include: locking workstation screens when away from the device, not allowing household members or guests to use work devices, physically securing CUI documents printed at home (no CUI on the kitchen table during a video call), and reporting lost or stolen devices immediately
Employees working from home should use dedicated work areas where possible, with screens positioned to prevent shoulder surfing by household members or visitors
For high-sensitivity CUI access, consider requiring that remote work occur in a dedicated, lockable home office space. This can be a contract requirement for employees in particularly sensitive roles
Include alternate work site security requirements in the remote work agreement employees sign. The signed agreement is your evidence that requirements were communicated and acknowledged
CUI should not be printed at alternate work sites unless your policy explicitly addresses how printed CUI is handled and disposed of outside the office
Common mistake: Having a remote work policy that covers VPN usage and device management but says nothing about the physical security of the work environment. 3.10.6 is specifically about the physical space, not the network connection. If your remote work policy does not address physical access, screen positioning, and household member restrictions, it does not fully satisfy the practice.
What Assessors Will Ask and Check
PE assessments combine documentation review with physical inspection. In a remote assessment, the physical inspection is replaced by photographs, floor plans, and interview questions about physical controls. Be prepared for:
Documentation: Physical protection policy, access authorization lists for each controlled area, visitor log samples, physical access device inventory, and remote work agreements
Physical evidence: Photos of server room door with access control hardware, camera placement, visitor log, and any posted signage on controlled areas
System evidence: Badge access system logs for controlled areas, showing who entered and when. Access control system reports showing current authorized users by area
Interviews: Assessors will ask staff how visitors are handled, what the process is for a lost badge, and what remote workers are told about physical security at home. Inconsistencies between policy and what staff describe will generate findings
Quick win for small organizations: If you do not have a badge access system and use physical keys, a key control log (a sign-out sheet when keys are removed from a locked key cabinet) satisfies the audit log requirement for 3.10.4. It is not elegant, but it is auditable, and an assessor can verify it. The log beats "we keep the key in the IT office" every time.
Need the Policy Document?
Our CMMC Level 2 Physical Protection Policy template covers all 6 PE practices in formal policy language. Includes facility access authorization procedures, visitor escort and logging requirements, physical access device management, monitoring requirements, and alternate work site security controls. Editable .docx, ready to customize in under an hour.
Practice 3.10.1 requires limiting physical access to CUI systems and operating environments to authorized individuals. Areas where CUI systems are located must have access controls that prevent unauthorized entry: locked doors with keycard, key, PIN, or biometric access. The server room, network equipment closets, and any area where CUI systems are physically located must have controlled, documented access limited to authorized personnel.
Practice 3.10.3 requires escorting visitors and monitoring their activity in areas containing CUI systems. Visitors must not be left unescorted in those areas. Practice 3.10.4 requires maintaining audit logs of physical access; for visitors, this means a visitor log recording who visited, when, who escorted them, and when they departed. Electronic badge systems satisfy both practices more effectively than paper logs.
Yes. Practice 3.10.6 requires enforcing safeguarding measures for CUI at alternate work sites, including employee home offices. Your policy should address: locking screens when away from the device, not allowing household members to use work devices, securing CUI documents, and reporting lost or stolen devices. These requirements should be documented in a remote work agreement that employees sign.
Practice 3.10.4 requires maintaining audit logs of physical access. Electronic badge systems automatically log entry and exit with timestamps. Paper sign-in logs are acceptable for visitor access. At minimum, logs should capture the individual's name or badge ID, date and time of entry and exit, and the area accessed. Retain logs for at least one year and review periodically for anomalies.
Practice 3.10.5 applies to keycards, badges, key fobs, physical keys, and PIN codes used for physical access to controlled areas. Managing them means maintaining an issued device inventory, recovering devices during offboarding, deactivating lost or stolen devices promptly, and auditing who has active access annually. Shared, static PIN codes that never change are a common finding under this practice.