Deretti Cyber Labs CMMC Desk · Domains · Physical Protection

Physical protection.

The lock on the door is part of the security program too.

Physical Protection is 6 of Level 2’s 110 requirements. It’s the family that has nothing to do with software: who can walk into the building or the room where CUI-handling systems live, who’s watched while they’re there, and what happens when CUI has to be handled somewhere other than the usual office — a home office, a job site, a hotel room.

This page explains the family. It does not replace the requirement text or assessment objectives.

01What this family protects

Physical Protection protects the simple fact that a system’s other controls don’t matter much if someone can walk up to the hardware itself. Access control, encryption, and logging all assume a baseline of physical control over the equipment they run on; PE is what establishes that baseline.

02The rule says

All 6 requirements, condensed to their operative sentence. NIST SP 800-171 Rev. 2 §3.10 has the full text and discussion for each; Source Library covers when to open it.

The 6 Physical Protection requirements of NIST SP 800-171 Revision 2
§Requirement
3.10.1Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals.
3.10.2Protect and monitor the physical facility and support infrastructure for organizational systems.
3.10.3Escort visitors and monitor visitor activity.
3.10.4Maintain audit logs of physical access.
3.10.5Control and manage physical access devices.
3.10.6Enforce safeguarding measures for CUI at alternate work sites.
3.10.3, 3.10.4, and 3.10.5 cannot sit on a POA&M

At Level 2, six requirements are categorically excluded from a POA&M regardless of score or point value — and three of them are in this family: PE.L2-3.10.3 (escort visitors), PE.L2-3.10.4 (physical access logs), and PE.L2-3.10.5 (manage physical access devices). All three have to be MET; none can be an open item with a completion date — half of this desk’s six categorical exclusions live in Physical Protection alone. 32 CFR 170.21(a)(2). See the Evidence, SSP & POA&M page for the rest of the POA&M mechanics.

03In practice

Limiting and monitoring access (3.10.1–3.10.2). Physical access to the spaces and equipment involved in CUI processing is limited to people with real authorization — badges, keys, or similar credentials — and both the facility and its supporting infrastructure (wiring closets, power, network runs) get some form of protection and monitoring, whether that’s a guard, a camera, or simply locked doors.

Visitors and logs (3.10.3–3.10.4). Anyone without standing physical-access authorization is a visitor by definition, and visitors get escorted and watched while they’re in a controlled area. Physical access — visitor or otherwise — gets logged in some form, procedural or automated; a paper sign-in sheet counts as much as a badge-reader export.

Access devices and alternate work sites (3.10.5–3.10.6). Keys, combinations, and card credentials themselves get managed — issued, tracked, revoked — as deliberately as any digital credential. And when CUI work happens somewhere other than the main facility — a home office, a client site — the same kind of safeguarding applies there too, scaled to what that site actually needs.

04Where it fails

The one that slips is usually the visitor log (3.10.4) — a sign-in sheet that exists but nobody ever reviews it, or a shop floor that lets a familiar face in without one because everyone already knows him. The second is alternate work sites (3.10.6): a laptop with CUI access goes home with an employee, and the same physical-security thinking that applies to the office — screen visibility, unattended devices, who else is in the room — never gets extended to the kitchen table it’s now sitting on.

05What evidence may look like

A visitor sign-in log or badge-access export; documentation of who holds keys or access credentials and when they were issued or revoked; physical safeguards for the server room or equivalent (a lock, a camera, a monitored door); and a short remote-work or alternate-site policy covering what CUI-handling employees are expected to do outside the main facility.

06At the shop

At the shop

Blanchard Tool & Machining is the desk’s fictional composite (any resemblance to an actual company is coincidental). Blanchard keeps the server closet locked with a keyed deadbolt — only the two IT staff and the owner have a key, tracked on a simple sign-out sheet taped inside the electrical panel. Visitors sign a paper log at the front desk and wear a badge marked “escort required”; the shop-floor supervisor walks anyone from outside straight to whoever they’re there to see. One engineer works from home two days a week on a company laptop with a privacy screen and a locking cable — a habit picked up after the MSP flagged it during the SSP review.

07Commonly confused with

Access Control (AC). AC governs who can log into a system and what they can do once they’re in; PE governs who can physically be in the room with the hardware at all. A visitor with no system account can still be a physical-access problem PE has to cover. See Access Control.

09Sources

Primary sources for the Physical Protection family
DocumentWhat it’s for
NIST SP 800-171 Rev. 2, §3.10Full requirement text and discussion for all 6 PE requirements.
NIST SP 800-171AAssessment objectives — how an assessor determines MET for each PE requirement.
NIST SP 800-46 / SP 800-114Enterprise and user telework guidance, cited in the rule’s discussion of 3.10.6.
32 CFR 170.21(a)(2)The Level 2 POA&M rule, including the six categorical exclusions — three of which (3.10.3, 3.10.4, 3.10.5) belong to this family.
32 CFR 170.4Defines “CMMC Level 2 security requirement” and ties the 800-171 R2 families to the CMMC Program.