Physical Protection (PE): Securing Facilities, Assets, & Infrastructure

All 6 controls are listed below.

3.10.1

Limit physical access to organizational information systems, equipment, and the respective operating environments to only authorized individuals. This includes enforcing access badges, visitor check-ins, facility escort procedures, and access logs.

NIST 800-171 Control Identifier: 3.10.1
CMMC Control Identifier: PE.L1-3.10.1
Control CMMC Level: 1
Basic or Derived Security: Basic

Relevant NIST SP 800-53 R5

PE-2: Access authorization and policy enforcement

PE-4: Detection of unauthorized access

PE-5: Protection of system cabling and lines

PE-6: Internal zone access monitoring

Recommended Microsoft Licensing

Microsoft 365 E5 (or GCC High E5 for CUI)

(Supports digital access enforcement. For physical access, facilities must implement physical security controls such as card readers, locks, and surveillance.)

3.10.2

Protect and continuously monitor physical access to organizational facilities and support infrastructure where CUI is stored, processed, or transmitted. Include mechanisms such as badge readers, security cameras, physical access logs, and response procedures.

NIST 800-171 Control Identifier: 3.10.2
CMMC Control Identifier: PE.L2-3.10.2
Control CMMC Level: 2
Basic or Derived Security: Derived

Relevant NIST SP 800-53 R5

PE-2: Physical access authorizations

PE-4: Access monitoring and detection of unauthorized access

PE-5: Protection of transmission lines

PE-6: Internal access monitoring

Recommended Microsoft Licensing

Microsoft 365 E5 (or GCC High E5 for CUI)

(Covers digital access controls. A formal physical access policy and environmental monitoring system must be implemented separately.)

3.10.3

Ensure all visitors are escorted and their activities are monitored while in areas where CUI is processed or stored. Maintain logs of visitor entry and exit.

NIST 800-171 Control Identifier: 3.10.3
CMMC Control Identifier: PE.L1-3.10.3
Control CMMC Level: 1
Basic or Derived Security: Derived

Relevant NIST SP 800-53 R5

PE-3: Control physical access to facilities and information systems

Recommended Microsoft Licensing

Microsoft 365 E5 (or GCC High E5 for CUI)

(Provides digital identity management, but physical monitoring/logging must be implemented via physical access control systems like visitor management kiosks or front desk logs.)

3.10.4

Maintain audit logs and physical access records of individuals who access CUI and validate those records against authorized entry lists. Apply access control mechanisms such as ID badges, access cards, or biometric scanners.

NIST 800-171 Control Identifier: 3.10.4
CMMC Control Identifier: PE.L1-3.10.4
Control CMMC Level: 1
Basic or Derived Security: Derived

Relevant NIST SP 800-53 R5

PE-2: Physical Access Authorizations

PE-6: Monitoring Physical Access

Recommended Microsoft Licensing

Microsoft 365 E5 (or GCC High E5 for CUI)

(For audit and identity management; physical security controls require complementary facility-based systems.)

3.10.5

Control and manage physical access devices (e.g., keycards, biometric readers, access tokens) to prevent unauthorized physical access to organizational systems and facilities. Assign access privileges and review them periodically.

NIST 800-171 Control Identifier: 3.10.5
CMMC Control Identifier: PE.L1-3.10.5
Control CMMC Level: 1
Basic or Derived Security: Derived

Relevant NIST SP 800-53 R5

PE-3: Control physical access to facilities and information systems

Recommended Microsoft Licensing

Microsoft 365 E5 (or GCC High E5 for CUI)

(Supports digital access enforcement; physical access requires supplemental policy and facility controls.)

3.10.6

Enforce safeguarding measures for CUI at alternate work sites, including physical controls (e.g., locked doors, visitor restrictions) and digital protections (e.g., encryption, VPNs). Ensure personnel are trained to handle CUI securely outside the primary facility.

NIST 800-171 Control Identifier: 3.10.6
CMMC Control Identifier: PE.L2-3.10.6
Control CMMC Level: 2
Basic or Derived Security: Derived

Relevant NIST SP 800-53 R5

PE-17: Establish security controls for alternate work sites

Recommended Microsoft Licensing

Microsoft 365 E5 (or GCC High E5 for CUI)

(Includes data protection tools like Microsoft Purview Information Protection, Microsoft Intune for device compliance, and policy-based access control for remote environments.)
