Many of the NIST controls deal with the logical aspect of access to organizational systems; however, without appropriate controls in place to protect the physical facilities and equipment, the compromise of information systems and CUI is at great risk.

Control and Monitor Physical Access

3.10.1Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals.
3.10.2Protect and monitor the physical facility and support infrastructure for organizational systems.
3.10.3Escort visitors and monitor visitor activity.

There may be several levels of physical access control required in your organization, the top level being ingress to the main building(s). Business security systems provide not only alarms that will activate if unauthorized access is attempted, but also continuous monitoring services for when alarms are sounded. Incidents of attempted unlawful entry should be treated in keeping with the organization’s Incident Management policies and procedures.

Your organization may have teams that deal with sensitive work such as engineering, production, and testing. These areas should have secondary protection, such as key card or key fob access control.

A robust Visitor Policy should include methods for creating visitor log-in, badges, and escorts at all times. Possible exceptions would be trusted service providers accessing only common areas of the buildings, such as kitchens. Due to ITAR and EAR regulations, special procedures are warranted for non-U.S.-citizen visitors, including personnel sponsorship, advance denied party screening and proof of identity upon arrival. 

Physical protection controls should be included in your organization’s Access Control Policy. Badge Policies and No-Tailgating Policies are others that are recommended, along with the aforementioned Visitor Policy. Achieve maximum protection of these controls and policies through training and awareness campaigns for all personnel.

Control and Monitor Audit Logs and Devices

3.10.4Maintain audit logs of physical access.
3.10.5Control and manage physical access devices.

Audit logs for physical access can include hard copy sign-in sheets and electronic logs for badge readers. Physical access devices may include personnel and visitor badges, installed card readers, and alarm system components.

CUI at Alternate Sites

3.10.6Enforce safeguarding measures for CUI at alternate work sites.

In today’s age of a growing remote workforce, particular care must be taken to ensure that off-site systems containing CUI are protected as effectively as on-site systems. Your organization’s policies and procedures for handling CUI should include measures for protecting off-site information, such as minimum requirements for off-site internet connection, physical protection of laptops, and locked containers for CUI in print or on removable media.

Need Help?

If you are an Organization Seeking Certification (OSC) and are overwhelmed by the enormity and complexity of CMMC, consider professional services to help you plan, implement, and maintain compliance and ensure uninterrupted eligibility for DoD work.

FoxGuard Solutions delivers reliable, secure, and configurable solutions to solve technology and compliance challenges faced by critical infrastructure entities.  With over four decades of experience, our team focuses on delivering customized cybersecurity and compliance solutions.

Our services will help guide your organization through the Discovery, Planning, Execution, and Maintenance phases necessary to allow your organization to attain Cybersecurity Maturity Model Certification (CMMC).  Our team of experts will partner with you to review existing policies, processes, procedures, and technical controls to identify any gaps with CMMC requirements.  An execution plan will be created that aligns with your needs, budget, and timeline, and which outlines a recommended approach to attain CMMC.

As a Microsoft Gold Certified Partner, FoxGuard Solutions has experience in delivering both on-premise and cloud-based solutions to assist you with your compliance needs.

FoxGuard Solutions is ISO 9001 and ISO 27001 certified and is a CMMC Registered Provider Organization

Please visit for more information.