CMMC 2.0 PE.L1-3.10.1 (NIST 800-171r2 3.10.1) requires limiting physical access to organizational facilities and systems to authorized individuals. Physical access controls are the last line of defense when digital controls are bypassed — an attacker with physical access to a server or workstation can circumvent authentication, extract disk contents, or install hardware keyloggers. This check cannot be evaluated through source code inspection; it requires a physical site audit covering badge/key card access, locked server rooms, and physical security perimeters. Even when this check is skipped in a code-level audit, the underlying CMMC obligation to document and enforce physical controls remains.
Info severity because physical access controls are outside code-audit scope and are always skipped — the finding surfaces only in a physical site assessment, not here.
Document your physical access control procedures in SECURITY.md at the repository root. While code inspection cannot verify physical controls, documentation evidence is reviewed during formal CMMC assessments:
## Physical Security (PE.L1-3.10.1)
- Badge/key card access required at all facility entry points
- Server rooms locked with access restricted to operations personnel
- Physical access list reviewed and updated quarterly
- Unauthorized access incidents reported to security team within 24 hours
Maintain this documentation alongside your System Security Plan (SSP) for CMMC assessment readiness. Physical facility inspection by a C3PAO assessor is required to satisfy PE.L1-3.10.1 — no amount of code configuration substitutes for that assessment.
ID: gov-cmmc-level-1.physical-protection.facility-access
Severity: info
CMMC Practice: PE.L1-3.10.1
What to look for: This check evaluates physical facility controls that cannot be verified through code analysis and is automatically skipped. Count all physical access control references in documentation files (SECURITY.md, README.md) if present. For full CMMC Level 1 compliance, this practice must be assessed through physical facility inspection covering: badge/key access controls, locked server rooms, physical security perimeter, and access logs for facility entry. At least 1 physical security document should reference this practice.
Pass criteria: This check is automatically skipped because physical facility controls cannot be verified through code inspection alone. However, if a SECURITY.md or physical security documentation file exists, verify it references at least 1 physical access control procedure. Report even on skip: "Physical security documentation status: [present/absent]."
Fail criteria: This check cannot fail through code inspection — it is automatically skipped. Physical facility inspection is required for PE.L1-3.10.1 compliance. Example: "PE.L1-3.10.1 cannot be evaluated through code — requires physical site audit"
Skip (N/A) when: ALWAYS — this check evaluates physical facility controls that cannot be verified through code inspection.
Detail on skip: "Physical protection practice PE.L1-3.10.1 — limit physical access to organizational systems. Outside scope of code-level audit. Assess through physical facility inspection."
Remediation: Document your physical access controls in SECURITY.md or a dedicated physical security policy document:
## Physical Security (PE.L1-3.10.1)
- Badge access required for all facility entry points
- Server rooms locked with key card access
- Visitor sign-in and escort procedures in place
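The documentation-status logic described under "What to look for" and "Pass criteria" (scan SECURITY.md and README.md when present, count physical access control references, report the check as skipped while still emitting the "Physical security documentation status" line) can be expressed as a small evaluator. The following is an added example written for this page, not the audit tool's own implementation: the matching phrases, the `Finding` dataclass, and the function names (`evaluate_docs`, `evaluate`) are assumptions, and the embedded `SAMPLE_SECURITY_MD` is a constructed sample based on the template above.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from pathlib import Path

CHECK_ID = "gov-cmmc-level-1.physical-protection.facility-access"
PRACTICE = "PE.L1-3.10.1"

# Documentation files the check inspects when they exist at the repository root.
DOC_FILES = ("SECURITY.md", "README.md")

# Phrases that count as a physical access control reference. This list is an
# assumption made for the example; the page does not define the exact matcher.
CONTROL_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (
        r"\bbadge\b",
        r"\bkey[ -]?card\b",
        r"\bserver rooms? (?:are )?locked\b",
        r"\bphysical access (?:list|controls?)\b",
        r"\bvisitor (?:sign-in|escort)\b",
        r"\bphysical security perimeter\b",
        r"\baccess logs?\b",
    )
]
# Accept both the full practice ID and the shortened "PE.L1-3.10" form.
PRACTICE_PATTERN = re.compile(r"\bPE\.L1-3\.10(?:\.1)?\b")

# Constructed sample SECURITY.md section, mirroring the page's template.
SAMPLE_SECURITY_MD = """\
## Physical Security (PE.L1-3.10.1)
- Badge/key card access required at all facility entry points
- Server rooms locked with access restricted to operations personnel
- Physical access list reviewed and updated quarterly
- Unauthorized access incidents reported to security team within 24 hours
"""


@dataclass
class Finding:
    check_id: str = CHECK_ID
    practice: str = PRACTICE
    severity: str = "info"
    status: str = "skipped"  # PE.L1-3.10.1 is always skipped in a code audit
    documentation_present: bool = False
    documentation_files: list[str] = field(default_factory=list)
    control_references: int = 0
    practice_referenced: bool = False

    def status_line(self) -> str:
        """The line the pass criteria require even when the check is skipped."""
        state = "present" if self.documentation_present else "absent"
        return f"Physical security documentation status: {state}"

    def detail(self) -> str:
        return (
            f"Physical protection practice {self.practice}: limit physical access to "
            "organizational systems. Outside scope of code-level audit. Assess through "
            f"physical facility inspection. {self.status_line()}"
        )


def count_control_references(text: str) -> int:
    """Count every physical access control phrase that appears in a document."""
    return sum(len(pattern.findall(text)) for pattern in CONTROL_PATTERNS)


def evaluate_docs(docs: dict[str, str]) -> Finding:
    """Evaluate already-loaded documentation (file name -> contents)."""
    finding = Finding()
    for name, text in docs.items():
        refs = count_control_references(text)
        hit = bool(PRACTICE_PATTERN.search(text))
        if refs or hit:
            finding.documentation_files.append(name)
        finding.control_references += refs
        finding.practice_referenced = finding.practice_referenced or hit
    # "present" means at least one physical access control procedure is documented.
    finding.documentation_present = finding.control_references >= 1
    return finding


def evaluate(repo_root: Path) -> Finding:
    """Load SECURITY.md / README.md from a repository root and evaluate them."""
    docs: dict[str, str] = {}
    for name in DOC_FILES:
        path = repo_root / name
        if path.is_file():
            docs[name] = path.read_text(encoding="utf-8", errors="replace")
    return evaluate_docs(docs)


if __name__ == "__main__":
    import sys

    root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(".")
    result = evaluate(root)
    print(f"{result.check_id} [{result.severity}] {result.status}")
    print(result.detail())
```

Run it against a repository root (`python check_pe_3_10_1.py /path/to/repo`); the status stays `skipped` regardless of what it finds, and only the documentation-status line changes, which matches the rule's "report even on skip" requirement. The phrase list is deliberately narrow so that a generic README mentioning "access" does not count as physical security documentation.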