How To Meet CMMC 2.0 and NIST SP 800-171 Physical Security Requirements

Today, physical security looks very different from a few years ago: technological devices have become smaller, lighter, and easily portable. Unfortunately, this has created enormous problems in controlled workplaces, where data is continually stolen, misused, or lost. NIST SP 800-171 Rev 2 and CMMC 2.0 mandate that defense contractors implement concrete security measures to address these issues. While securing information systems takes center stage in CUI protection, physical security is also critical. Physical protection refers to measures taken to protect tangible and intangible assets from physical events that could damage your organization; it therefore covers surveillance systems, locks, passwords, backups, entrances, exits, network infrastructure, and more. Because data can be stolen or damaged in the physical world, physical security is an integral part of NIST SP 800-171 compliance.

CMMC 2.0 practices correspond to NIST SP 800-171 controls. Both NIST SP 800-171 and CMMC 2.0 have a physical protection requirement. Domain PE under CMMC and section 3.10 of the NIST SP 800-171 publication mandate several physical protection requirements. This article will detail how to meet the physical security requirements under NIST and CMMC 2.0.  

Enhancing Physical Access Control with IoT Devices for CMMC Compliance

Gone are the days of fumbling with keys and misplaced fobs. The Internet of Things (IoT) has ushered in a new era of physical access control that prioritizes security, convenience, and data-driven insights. IoT physical access devices also help meet various NIST SP 800-171 and CMMC 2.0 requirements, particularly access control (AC), physical protection (PE), and identification and authentication (IA). More importantly, they produce logs and other metadata that can be used in compliance audits. With IoT physical access devices, your organization can track access attempts, successful entries, and user identities, fulfilling CMMC's requirement for access logs. There are many IoT physical access devices, including:

Smart locks  

These devices allow remote access control through your smartphone. They let you grant entry to authorized individuals after they have been properly authenticated, for example by keying in a PIN or an OTP obtained via a smartphone. Store CUI in locked smart NFC drawers or RFID electronic cabinets and secure the room with a smart lock. However, smart locks can themselves be a target of cyberattacks, so select one with robust security features.

Biometric scanners/readers  

Physical access measures have improved considerably thanks to IoT. With biometric devices, you can identify and authenticate users trying to access areas where CUI is processed or stored. Since biometric data is unique to each authorized individual, it can be used to verify their identity accurately. Facial recognition systems scan a person's face and grant access only to authorized personnel, eliminating the need for physical credentials such as cards and codes. Fingerprint scanners likewise provide unique and secure access control, ensuring only permitted individuals gain entry.

Environment sensors  

Environmental sensors, particularly those leveraging Internet of Things (IoT) technology, can help meet the CMMC Physical Protection (PE) domain requirements, especially for Level 2 compliance. Temperature and humidity monitoring sensors maintain optimal environmental conditions for equipment and data storage, preventing damage and potential data loss. Early detection of fire hazards is crucial for protecting facilities and mitigating damage, and smoke and fire detection sensors play a critical role. Water is life, but at times it can also result in noncompliance: install water leak detection devices so leaks are identified and addressed promptly, before they cause equipment damage and data loss. Support infrastructure protection is another key requirement of the CMMC 2.0 PE domain. Install interconnected IoT power monitoring devices to detect power fluctuations and outages and so help maintain system uptime and data integrity.

NIST SP 800-171 3.10.1 and CMMC Practice PE.L1-b.1.viii

Requirement: Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.

This requirement applies to visitors, employees, and persons with permanent physical access authorization credentials. Organizations should use a multi-layered approach to secure their physical environment and control physical access to sensitive information systems, equipment, and data. Use barriers like walls, doors, and access control systems to restrict physical access to sensitive areas housing IT equipment and data storage. Document personnel with physical access to your facility, and if multiple facilities process or store CUI, document which personnel have access to each facility. Physical access devices like keys should only be provided to authorized personnel. Hence, only individuals properly authorized through access mechanisms like key cards, PINs, badges, ID cards, etc., should be allowed entry into CUI environments. This means you should secure your entry points using measures like PIN pads, biometric authentication devices, or security guards.

Implement measures to limit access to equipment to authorized personnel only. In this case, equipment includes external disk drives, monitors, printers, scanners, and copiers, among other computing devices. You can limit their access by placing them in locked rooms or secured areas. Additionally, you should monitor these locations to ensure only those authorized have access. Designate areas of your facility as “sensitive” and only allow authorized persons into those areas. Finally, put up signs reading “Authorized Personnel Only.” 

CMMC 2.0 and NIST SP 800-171 Physical Security Requirements for CUI

NIST SP 800-171 3.10.2 and CMMC Practice PE.L2 - 3.10.2

Requirement: Protect and monitor the physical facility and support infrastructure for organizational systems.

Limiting physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals is not enough. You must also monitor physical access to publicly accessible areas in your organization. This lets you see what authorized individuals are doing, and it aids incident response because you can act immediately when an event or incident arises. You can achieve this by installing sensor devices or video surveillance equipment like cameras, or by hiring guards. You must also secure the support infrastructure in your facility by applying controls that help prevent disruptions, accidental damage, and tampering. These controls also help avoid actions that may compromise CUI, such as modification of unencrypted transmissions and eavesdropping. Locked or disconnected spare jacks, locked wiring closets, wiretap sensors, and cable trays that protect cabling are some of the physical access controls that safeguard support infrastructure.

NIST SP 800-171 3.10.3 and CMMC Practice PE.L1 - 3.10.3

Requirement: Escort visitors and monitor visitor activity

In cybersecurity, there is a common adage that every device connecting to your network is a potential attack surface. The same applies to physical security: every visitor entering your facility may be a threat actor looking to access sensitive data or spaces. Hence, CMMC 2.0 and NIST SP 800-171 include this measure to ensure you know every guest and can monitor their actions throughout their visit. This practice distinguishes between visitor access and standing authorized access. For instance, if you have hired contractors who need persistent, regular access to your facility, you likely reviewed, approved, and established their access requirements during onboarding. This control is only concerned with the physical security controls you have implemented for visitors such as vendors, employees' personal contacts, clients, and other guests in your facility. It has two main requirements: escorting and monitoring visitors.


Identifying Visitors  

To monitor or escort visitors, your staff must first properly identify them. Most organizations require that their employees wear branded clothing, but you shouldn't rely solely on this marker: a terminated employee may wear their company clothing and claim they are visiting on behalf of their former employer. You can mitigate this risk by requiring that all visitors to your facility check in, generally at the front desk. Collect visitor information (name, company, purpose of visit, contact details) upon arrival, and have visitors show some form of identification, such as a driver's license or professional badge, before they sign the visitor log or receive a badge. They should be provided a visitor badge to wear throughout the visit.

Escorting Visitors  

After the staff identifies the visitor, this practice requires an employee to escort the guest throughout their visit. During the visit, restrict visitor access to CUI areas unless authorized personnel accompany them. Additionally, prohibit or tightly control the use of removable media like pen drives or NFC-enabled gadgets by visitors to prevent unauthorized data transfer. A real obstacle to meeting this requirement is tailgating, also called piggybacking. It arises when a trusted or authorized individual enters a space such as a secure wing within your facility or lobby and a piggybacker follows so closely behind that they enter the space before the door shuts. It can also happen when the authorized person holds the door for whoever is behind them.

The guest can then reach restricted spaces and, consequently, the devices or data stored there, which they aren't authorized to see. Tailgating is effective because it exploits the authorized individual's goodwill and desire to appear welcoming. Thus, every organization must stress the importance of verifying the identity of any visitor to its facilities, and only allow personnel with prior authorization to enter spaces where CUI is processed or stored.

Monitoring Visitors  

During visitor escorts, your staff should monitor visitors' activities to ensure they only interact with data and spaces they are authorized to observe. This is particularly important if you hold export-controlled CUI such as ITAR data or information marked NOFORN. Take a technical support vendor, for instance. Once they enter your facility, they are required to sign in, but once inside they can roam freely throughout the facility. Unless you implement proper physical safeguards, they could gain access to networking closets, computers, and other spaces containing CUI. Hence, visitors should not only be escorted but also monitored. You can implement various monitoring techniques for tracking where guests have been and are going, including badging systems, PIN pads, security cameras mounted at facility entrances and exits, biometric devices, and visitor logs for high-risk and common areas.

NIST SP 800-171 3.10.4 and CMMC Practice PE.L1 - 3.10.4

Requirement: Maintain audit logs of physical access

Monitoring and access devices or mechanisms produce logs that must be properly maintained. An audit log of physical access can be a physical document that records the individuals who have accessed different areas within the facility, such as a sign-in sheet every visitor must complete before entering. For easier classification, you can keep separate employee and visitor sign-in sheets. However, having employees sign a sheet every time they enter the facility can annoy them, so consider automated mechanisms that log physical access, such as badge readers or biometric scanners. Either way, this control requires that you keep a record of entries in the log for audit purposes. Automated systems will log entries, exits, and the card or biometric used to enter or leave. You must therefore ensure your mechanism of choice can collect access logs, or use a mix of manual and automated systems. These physical access logs should be retained, physically or electronically, for at least 90 days.

NIST SP 800-171 3.10.5 and CMMC Practice PE.L1 - 3.10.5

Requirement: Control and manage physical access devices

Organizations should identify their physical access devices: the devices used to restrict access to areas within their facilities. These devices should be documented in the organization's asset inventory. Additionally, the organization should use written policies and procedures to define how it controls the configuration and maintenance of these devices, including who is responsible for these tasks. The organization also has to manage who has the ability to bypass the access controls these physical access devices are supposed to provide.

Limit replication of access devices to a small team of authorized personnel, and control which individuals have management capabilities over access control devices. Account for and document badge readers, locks, cameras, and other physical access control devices. Physical access devices should only be given to individuals employed by your organization who require regular access. Even when issuing physical access devices, you must follow NIST SP 800-171 control 3.1.5 on least privilege. Remote employees need not be provided with physical access devices unless they have a valid business need to be in your facilities. Most importantly, collect these physical access devices when you terminate an employee's contract.
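As an added example (not code from the article or from Cleared Systems), the following Python script automates two of the checks described under 3.10.4 and 3.10.5: how many days of history the retained badge-reader log covers against the 90-day retention period, and whether any logged badge is missing from the device inventory or still held by someone who has been terminated. The log format, badge ids, door names and people are constructed for the example and do not correspond to any real vendor export.

```python
# Added example: reconcile a badge-reader export against the physical access
# device inventory. Log format, badge ids and names are constructed.
import csv
from datetime import datetime
from io import StringIO

# Constructed badge-reader export: timestamp, badge id, door, event, result.
BADGE_LOG = """\
2024-01-05T08:02:11,B-1001,server-room,entry,granted
2024-01-05T08:40:37,B-1001,server-room,exit,granted
2024-03-12T17:55:02,B-1007,wiring-closet,entry,granted
2024-04-01T09:14:48,B-1003,lobby,entry,granted
2024-04-02T22:10:09,B-1042,server-room,entry,denied
"""

# Constructed inventory of issued badges (3.10.5): badge id -> (holder, status).
BADGE_INVENTORY = {
    "B-1001": ("alice", "active"),
    "B-1003": ("bob", "active"),
    "B-1007": ("carol", "terminated"),  # badge not collected at offboarding
}

# Date the review is run (fixed so the example is reproducible).
AUDIT_DATE = datetime(2024, 4, 10)

def parse_log(text):
    """Parse the CSV export into dicts with real timestamps, oldest event first."""
    reader = csv.DictReader(StringIO(text),
                            fieldnames=["ts", "badge", "door", "event", "result"])
    events = []
    for row in reader:
        row["ts"] = datetime.fromisoformat(row["ts"])
        events.append(row)
    return sorted(events, key=lambda e: e["ts"])

def retention_coverage_days(events, now):
    """Days of history the retained log covers, measured from its oldest record."""
    if not events:
        return 0
    return (now - events[0]["ts"]).days

def find_badge_anomalies(events, inventory):
    """Flag any use of a badge that is unaccounted for or held by inactive staff."""
    findings = []
    for e in events:
        holder = inventory.get(e["badge"])
        if holder is None:
            findings.append((e["ts"], e["badge"], e["door"], "badge not in inventory"))
        elif holder[1] != "active":
            findings.append((e["ts"], e["badge"], e["door"],
                             f"badge held by {holder[1]} user {holder[0]}"))
    return findings

if __name__ == "__main__":
    evts = parse_log(BADGE_LOG)
    days = retention_coverage_days(evts, AUDIT_DATE)
    print(f"log covers {days} days of history (need at least 90)")
    for finding in find_badge_anomalies(evts, BADGE_INVENTORY):
        print("FINDING:", *finding)
```

A denied swipe by an unknown badge is still worth a finding, because it may indicate a lost or cloned credential that the inventory never accounted for.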

NIST SP 800-171 3.10.6 and CMMC Practice PE.L2 - 3.10.6

Requirement: Enforce safeguarding measures for CUI at alternate work sites

With work from home or remote working, an organization’s security perimeter has grown considerably. Unfortunately, it is inevitable that, in some instances, your employees will have work they need to carry outside the secure facility. Under this control, you have to account for CUI in alternate work sites and have a policy in place to secure it. Thus, establish clear policies outlining acceptable use of CUI at alternate work sites, including device security requirements, encryption protocols, and restrictions on data sharing. You can achieve this by training your employees on properly handling CUI and developing an alternate worksite CUI policy and standard operating procedures (SOPs) to secure this information. Some of these SOPs include:   

  • Encryption: Provide encrypted laptops and storage devices to employees working remotely, and ensure all CUI stored or transmitted on devices used at alternate work sites is encrypted with strong algorithms like AES-256.  
  • Strong Authentication: Enforce strong passwords, multi-factor authentication (MFA), and biometrics where feasible for accessing devices containing CUI.  
  • Secure Networks: Ensure remote workers use secure Wi-Fi networks with strong encryption and avoid public Wi-Fi for CUI access.  
  • Virtualization: Consider virtual desktop infrastructure (VDI) solutions like Azure Virtual Desktop (AVD), where users remotely access secure desktops within your controlled environment, minimizing data exposure on local devices.  
  • Endpoint Security: Use antivirus, anti-malware, and endpoint detection and response (EDR) solutions on devices accessing CUI remotely to protect against cyber threats.  
  • Data Loss Prevention (DLP): Configure DLP solutions to prevent unauthorized data transfers from devices containing CUI, such as blocking USB drives or restricting email attachments.  
  • Mobile Device Management (MDM): Manage and secure mobile devices remotely with MDM solutions to enforce security policies, remotely wipe data if lost or stolen, and track device location.  

Navigating Physical Security in the CMMC Era

While physical security may seem static, the evolving threat landscape and remote work culture demand a dynamic approach. By understanding and meeting the physical security requirements of NIST SP 800-171 and CMMC 2.0, you can build a robust security posture, safeguard CUI, and demonstrate compliance. Are you ready to navigate physical security in the CMMC era? Cleared Systems is your trusted partner for CMMC compliance and cybersecurity solutions. We offer a comprehensive suite of services designed to help you achieve and maintain compliance, including:     

  • Physical security assessments and gap analysis  
  • Development and implementation of physical security policies and procedures  
  • Training and awareness programs for employees  
  • Ongoing support and guidance  

Contact Cleared Systems today to schedule a consultation and learn how we can help you secure your business.  

CMMC 2.0 Physical Protection (PE) FAQs

To safeguard CUI and FCI from unauthorized physical access, tampering, and theft by implementing security measures that restrict physical access to information systems, equipment, and the respective operating environments. These controls ensure that only authorized personnel have access to sensitive information and the physical infrastructure hosting it.

Organizations can use keys, combination locks, card readers, biometric scanners, keycards, RFID cards, and proximity/NFC-enabled cards to secure their facilities. Such devices only offer protection if you know who has them and what level of access they are configured to permit. Therefore, you need to carefully manage who can physically access them.

Authorized individuals are those who have been granted legitimate access to CUI based on their job duties and security clearances. Their specific authorization level determines which areas and data they can access within the physical environment. 

During a CMMC 2.0 Level 1 self-assessment, organizations should test their processes for physical access authorizations and the mechanisms supporting or implementing those authorizations.

Evaluate your physical and environmental protection policy, procedures addressing physical access control, SSP, and physical access control logs or records. Other items to evaluate include inventory records of physical access control devices; system entry and exit points; records of key and lock combination changes; storage locations for physical access control devices; the physical access control devices themselves; the list of security safeguards controlling access to designated publicly accessible areas within the facility; and any other relevant documents or records.

Ensure all visitors to your facility wear special visitor badges and/or are always escorted by an employee while on the property. Additionally, restrict devices such as mobile phones and pen drives from being brought into your facility, and monitor visitor actions and movements.
