Physical protection.
The lock on the door is part of the security program too.
Physical Protection is 6 of Level 2’s 110 requirements. It’s the family that has nothing to do with software: who can walk into the building or the room where CUI-handling systems live, who’s watched while they’re there, and what happens when CUI has to be handled somewhere other than the usual office — a home office, a job site, a hotel room.
This page explains the family. It does not replace the requirement text or assessment objectives.
01What this family protects
Physical Protection protects the simple fact that a system’s other controls don’t matter much if someone can walk up to the hardware itself. Access control, encryption, and logging all assume a baseline of physical control over the equipment they run on; PE is what establishes that baseline.
02The rule says
All 6 requirements, condensed to their operative sentence. NIST SP 800-171 Rev. 2 §3.10 has the full text and discussion for each; Source Library covers when to open it.
| § | Requirement |
|---|---|
| 3.10.1 | Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals. |
| 3.10.2 | Protect and monitor the physical facility and support infrastructure for organizational systems. |
| 3.10.3 | Escort visitors and monitor visitor activity. |
| 3.10.4 | Maintain audit logs of physical access. |
| 3.10.5 | Control and manage physical access devices. |
| 3.10.6 | Enforce safeguarding measures for CUI at alternate work sites. |
At Level 2, six requirements are categorically excluded from a POA&M regardless of score or point value — and three of them are in this family: PE.L2-3.10.3 (escort visitors), PE.L2-3.10.4 (physical access logs), and PE.L2-3.10.5 (manage physical access devices). All three have to be MET; none can be an open item with a completion date — half of this desk’s six categorical exclusions live in Physical Protection alone. 32 CFR 170.21(a)(2). See the Evidence, SSP & POA&M page for the rest of the POA&M mechanics.
03In practice
Limiting and monitoring access (3.10.1–3.10.2). Physical access to the spaces and equipment involved in CUI processing is limited to people with real authorization — badges, keys, or similar credentials — and both the facility and its supporting infrastructure (wiring closets, power, network runs) get some form of protection and monitoring, whether that’s a guard, a camera, or simply locked doors.
Visitors and logs (3.10.3–3.10.4). Anyone without standing physical-access authorization is a visitor by definition, and visitors get escorted and watched while they’re in a controlled area. Physical access — visitor or otherwise — gets logged in some form, procedural or automated; a paper sign-in sheet counts as much as a badge-reader export.
Access devices and alternate work sites (3.10.5–3.10.6). Keys, combinations, and card credentials themselves get managed — issued, tracked, revoked — as deliberately as any digital credential. And when CUI work happens somewhere other than the main facility — a home office, a client site — the same kind of safeguarding applies there too, scaled to what that site actually needs.
04Where it fails
The one that slips is usually the visitor log (3.10.4) — a sign-in sheet that exists but nobody ever reviews it, or a shop floor that lets a familiar face in without one because everyone already knows him. The second is alternate work sites (3.10.6): a laptop with CUI access goes home with an employee, and the same physical-security thinking that applies to the office — screen visibility, unattended devices, who else is in the room — never gets extended to the kitchen table it’s now sitting on.
05What evidence may look like
A visitor sign-in log or badge-access export; documentation of who holds keys or access credentials and when they were issued or revoked; physical safeguards for the server room or equivalent (a lock, a camera, a monitored door); and a short remote-work or alternate-site policy covering what CUI-handling employees are expected to do outside the main facility.
06At the shop
Blanchard Tool & Machining is the desk’s fictional composite (any resemblance to an actual company is coincidental). Blanchard keeps the server closet locked with a keyed deadbolt — only the two IT staff and the owner have a key, tracked on a simple sign-out sheet taped inside the electrical panel. Visitors sign a paper log at the front desk and wear a badge marked “escort required”; the shop-floor supervisor walks anyone from outside straight to whoever they’re there to see. One engineer works from home two days a week on a company laptop with a privacy screen and a locking cable — a habit picked up after the MSP flagged it during the SSP review.
07Commonly confused with
Access Control (AC). AC governs who can log into a system and what they can do once they’re in; PE governs who can physically be in the room with the hardware at all. A visitor with no system account can still be a physical-access problem PE has to cover. See Access Control.
08Cross-desk links
None load-bearing for this family. See Access Control for the family PE most often gets confused with.
09Sources
| Document | What it’s for |
|---|---|
| NIST SP 800-171 Rev. 2, §3.10 | Full requirement text and discussion for all 6 PE requirements. |
| NIST SP 800-171A | Assessment objectives — how an assessor determines MET for each PE requirement. |
| NIST SP 800-46 / SP 800-114 | Enterprise and user telework guidance, cited in the rule’s discussion of 3.10.6. |
| 32 CFR 170.21(a)(2) | The Level 2 POA&M rule, including the six categorical exclusions — three of which (3.10.3, 3.10.4, 3.10.5) belong to this family. |
| 32 CFR 170.4 | Defines “CMMC Level 2 security requirement” and ties the 800-171 R2 families to the CMMC Program. |