3.10.1 Physical Protection - Basic

Basic Requirement

>Control Description

Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals.

>Discussion

This requirement applies to employees, individuals with permanent physical access authorization credentials, and visitors. Authorized individuals have credentials that include badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed consistent with applicable laws, directives, policies, regulations, standards, procedures, and guidelines.

This requirement applies only to areas within facilities that have not been designated as publicly accessible. Limiting physical access to equipment may include placing equipment in locked rooms or other secured areas and allowing access to authorized individuals only; and placing equipment in locations that can be monitored by organizational personnel. Computing devices, external disk drives, networking devices, monitors, printers, copiers, scanners, facsimile machines, and audio devices are examples of equipment.

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What policies govern limiting physical access to CUI systems?
  • What procedures define physical access authorization?
  • Who approves physical access to facilities containing CUI systems?
  • How often are physical access permissions reviewed?
  • What governance ensures only authorized personnel have physical access?

Technical Implementation:

  • What physical access controls protect CUI system facilities?
  • How do you implement badge readers, locks, or biometric access?
  • What visitor management systems control temporary access?
  • How do you monitor physical access to CUI areas?
  • What intrusion detection systems protect physical perimeters?

Evidence & Documentation:

  • Can you provide physical access authorization lists?
  • What logs track physical access to CUI facilities?
  • Can you demonstrate physical access controls (locks, cameras)?
  • What visitor logs and escort records exist?
  • What audit evidence verifies physical access control compliance?
