The Defense Compliance ReportCMMC 2.0 & the Defense Industrial Base

CMMC Physical Security Requirements: All 6 Controls, Mapped by Level

By The Defense Compliance Report Editorial Team · Last reviewed July 2026 · Last verified July 17, 2026· Not affiliated with the Cyber AB, the Department of Defense, DCMA DIBCAC, or NIST.

If you’re staring at the Physical Protection section of your CMMC workbook wondering whether a locked door and a sign-in sheet are enough — here’s the short version, before you scroll.

The CMMC physical security requirements live in the Physical Protection (PE) family of NIST SP 800-171 Revision 2, §3.10— the standard that defines the 110 Level 2 security requirements. There are six of them, numbered 3.10.1 through 3.10.6. Level 1 (for Federal Contract Information, or FCI) requires two grouped physical practices. Level 2 (for Controlled Unclassified Information, or CUI) requires all six.

Now the part almost nobody tells you: under the CMMC rule (32 CFR Part 170), five of the six Level 2 physical controls cannot be placed on a POA&M. They have to be fully met the day you’re assessed. Physical security looks like the easy domain. On the rulebook, it’s one of the least forgiving. We’ll show you exactly which five, why, and what to do about each one — with the primary source next to every claim, so you can check our work.

The Defense Compliance Report is not affiliated with the Cyber AB, the Department of Defense, DCMA DIBCAC, NIST, or any U.S. government agency. This is educational research, not legal, contractual, or compliance advice. Your contract clause and your CUI handling set your level — not a checklist. Confirm scope and applicability with a CMMC Registered Practitioner (RP) or Registered Provider Organization (RPO), or a qualified federal-contracts attorney.

What applies to me? (Start here)

Your situationPhysical protection requirement setAssessment context right now
FCI only (Level 1)2 grouped practices — PE.L1-b.1.viii and PE.L1-b.1.ixLevel 1 self-assessment, annual, when your contract requires it
CUI (Level 2)6 requirements / 16 objectives — PE.L2-3.10.1 through 3.10.6Level 2 (Self) is the only Level 2 designation permitted during the suspension
Level 3 programSame 6 as Level 2; no added physical controlsNew Level 3 DIBCAC designations are paused during the suspension

Two things this table settles: Level 1 has two physical practices, not four(we’ll explain the confusion below), and Level 3 adds nothing physical (NIST SP 800-172 has no Physical Protection enhancements).

The one honest thing most CMMC vendors won’t lead with

CMMC does not hand you a universal physical-security shopping list. No rule says every contractor must install cameras, electronic badge readers, alarms, or guards. For a small single-office shop, physical security is often the cheapest domain in the entire framework — a lockable server cabinet, a visitor log, an access roster, and a documented list of who holds keys can satisfy several requirements at minimal cost.

But that flexibility is exactly why physical security trips people up. Two things turn the “easy” domain into a real problem:

  1. Control 3.10.6, alternate work sites.The moment you have remote employees, home offices, or people working at customer sites, your physical scope stops being “the building” and starts being “everywhere CUI can be seen.”
  2. You can’t defer most of it.Five of the six Level 2 controls can’t go on a POA&M. A thin implementation that fails at assessment can’t be quietly fixed after the fact.

Do CMMC Level 1 and Level 2 have the same physical security requirements?

No. Level 1 applies two grouped Physical Protection practices to FCI, evaluated through 10 objectives. Level 2 applies all six §3.10 requirements to CUI, evaluated through 16 objectives. Level 3 requires the same six as Level 2 and adds no new physical controls, because NIST SP 800-172 has none in the Physical Protection family. Your contract clause sets which level applies — a checklist can’t assign it for you.

NIST 800-171 controlLevel 1 (FCI)Level 2 (CUI)Level 3
3.10.1 — Limit physical access✅ as PE.L1-b.1.viii✅ PE.L2-3.10.1✅ (unchanged)
3.10.2 — Protect & monitor facility/infrastructure❌ not required✅ PE.L2-3.10.2✅ (unchanged)
3.10.3 — Escort visitors✅ folded into PE.L1-b.1.ix✅ PE.L2-3.10.3✅ (unchanged)
3.10.4 — Physical access logs✅ folded into PE.L1-b.1.ix✅ PE.L2-3.10.4✅ (unchanged)
3.10.5 — Manage access devices✅ folded into PE.L1-b.1.ix✅ PE.L2-3.10.5✅ (unchanged)
3.10.6 — Alternate work sites❌ not required✅ PE.L2-3.10.6✅ (unchanged)
Total2 practices / 10 objectives6 requirements / 16 objectives6 (no additions)

Why you’ll see “four Level 1 controls” everywhere — and why it’s wrong now

If you’ve read a few articles already, you’ve probably seen physical security at Level 1 described as fourcontrols. That was the old numbering. Under the current CMMC Level 1 Self-Assessment Guide, the DoD consolidated three of those — escort visitors, maintain access logs, and manage access devices — into a single practice: PE.L1-b.1.ix, “Manage Visitors & Physical Access.” So Level 1 has twophysical practices (10 objectives total: four under b.1.viii, six under b.1.ix) — not four. If a page still lists four separate PE.L1-3.10.x controls, it’s using pre-consolidation labels.

Why Level 2 has six and Level 3 adds nothing

At Level 2, CMMC uses the NIST control numbering directly and does not consolidate 3.10.3/3.10.4/3.10.5 — so you get all six. Level 2 adds exactly two controls that Level 1 doesn’t require: 3.10.2 (protect and monitor the facility and its support infrastructure) and 3.10.6 (safeguard CUI at alternate work sites).

Level 3 layers on selected enhanced requirements from NIST SP 800-172 to defend against advanced persistent threats. But 800-172 states plainly that four families — including Physical Protection — contain no enhanced requirements. So a Level 3 contractor’s physical security obligations are identical to Level 2’s.

Primary sources: NIST SP 800-171 Rev. 2, §3.10; FAR 52.204-21(b)(1)(viii)–(ix); CMMC Level 1 and Level 2 Assessment Guides; NIST SP 800-172.


Do CMMC physical security requirements require cameras, badges, or guards?

No universal CMMC requirement mandates cameras, electronic badge readers, alarms, or security guards. The official Level 2 Assessment Guide presents those as possible implementation examples. The actual obligation is an outcome: limit access, protect and monitor the facility, escort and monitor visitors, log physical access, manage access devices, and safeguard CUI at alternate sites — using whatever method genuinely achieves each one and can be evidenced.

ItemOfficial statusWhat's actually requiredWhat it can help proveWhat it does NOT prove by itself
Security camerasOptional example of monitoringFacility and applicable infrastructure must be protected and monitoredRecorded or watched activity at chosen pointsAn access-authorization list, visitor escort, device management, or that footage is ever reviewed
Electronic badge readersOptional methodAccess must be limited, logged, and managedEntry records, zones, fast revocationThat every protected area is correctly scoped, or that visitors are escorted
Security guardsOptional example of monitoringThe chosen monitoring method must actually workLive observation and responseComplete access logs or a device inventory
Alarms/sensorsOptional exampleFacility and support infrastructure must be monitoredDoor, tamper, or environmental alertsThat anyone reviews and acts on the alerts
Paper sign-in logPermitted procedural methodPhysical access records must be maintainedWho entered, when, who escortedConsistent use, unless records and a test back it up
Electronic access logPermitted automated methodPhysical access records must be maintainedEntry events, credential identityVisitor purpose or escort activity, unless integrated
Keys & mechanical locksRecognized access devicesDevices must be identified, controlled, managedThat access is restrictedWho used a shared key, without another control
A fixed retention period (90 days, 1 year)Example/convention, not a ruleYou must define and follow a retention periodHistorical retrievalThat any specific number is required

Cameras and badges can be smart choices — for multiple entry points, larger workforces, high turnover, or when you want searchable records. But installing them proves nothing on its own if you have no authorized-access list, shared door codes, no visitor escort process, or no key inventory. Assessors evaluate the outcome and the evidence, not the hardware receipt.

Primary source: CMMC Level 2 Assessment Guide, §3.10.2, §3.10.4, §3.10.5 discussions.


Which CMMC physical security controls can go on a POA&M?

Under 32 CFR 170.21, five of the six Level 2 physical controls cannot be placed on a Plan of Action and Milestones (POA&M) to reach Conditional Level 2 status. Controls 3.10.1 and 3.10.2 are worth 5 points each, and only 1-point controls are POA&M-eligible; controls 3.10.3, 3.10.4, and 3.10.5 are named exclusions in the rule. Only 3.10.6 is potentially deferrable. At Level 1, no POA&M is permitted at all — every practice must be Met.

Worth noting: while checking this, we found at least two widely-cited industry pages listing the wrong excluded control — they say 3.10.6; the regulation names 3.10.5.That’s precisely the kind of error a primary source catches.

ControlPoints if Not MetPOA&M eligible?Why
PE.L2-3.10.1 — Limit physical access5NoOver 1 point — 32 CFR 170.21(a)(2)(ii)
PE.L2-3.10.2 — Protect & monitor facility5NoOver 1 point — 32 CFR 170.21(a)(2)(ii)
PE.L2-3.10.3 — Escort visitors1NoNamed exclusion — 32 CFR 170.21(a)(2)(iii)(D)
PE.L2-3.10.4 — Physical access logs1NoNamed exclusion — 32 CFR 170.21(a)(2)(iii)(E)
PE.L2-3.10.5 — Manage access devices1NoNamed exclusion — 32 CFR 170.21(a)(2)(iii)(F)
PE.L2-3.10.6 — Alternate work sites1PotentiallyOnly PE control not otherwise excluded — but still subject to 0.80 score threshold and 180-day closeout

Physical Protection is a terrible family to postpone.Contractors reach assessment assuming they can clean up the “facilities stuff” afterward, and then discover the rule won’t let them for five of these six controls.

Primary sources: 32 CFR 170.21 (POA&M requirements); 32 CFR 170.24 (Scoring Methodology); NIST SP 800-171 DoD Assessment Methodology (point values). Verified against the eCFR text on July 17, 2026.


What does each physical protection control actually require?

Each of the six controls is short, but the Level 2 assessment breaks them into 16 specific objectives, and an assessor uses three methods to check them: examine (documents and records), interview (your people), and test (does the safeguard actually work). A policy alone never passes. The evidence has to be final — an approved procedure backed by real operating records, someone who can explain it, and a mechanism that demonstrably works.

The DCR Physical Protection Evidence Matrix (16 objectives)

Objective statements from the CMMC Level 2 Assessment Guide (incorporating NIST SP 800-171A); the evidence and “assumption that fails you” columns are editorial implementation guidance, not prescribed artifacts.

ObjectiveWhat must be trueEvidence an assessor typically examinesThe assumption that fails you
3.10.1[a]The people allowed physical access are identifiedApproved access roster; authorization requests; role approvals; periodic review records"Everyone who works here is automatically authorized"
3.10.1[b]Physical access to systems is limited to those peopleControlled-area map; door/room rules; lock or badge configuration"The exterior lock proves every system inside is protected"
3.10.1[c]Physical access to equipment is limitedEquipment-location inventory; server/network closet controls; printer placement"Only servers count as equipment"
3.10.1[d]Physical access to operating environments is limitedFacility boundary; public-vs-controlled zone map; sensitive-area designation"The whole building is automatically one controlled boundary"
3.10.2[a]The facility housing systems is protectedPhysical-protection procedure; door/window safeguards; inspection and incident records"A camera by itself protects the facility"
3.10.2[b]Support infrastructure is protectedWiring/power/network-closet inventory; facility diagrams; lock and inspection records"Support infrastructure means only the server room"
3.10.2[c]The facility is monitoredMonitoring procedure; guard/reception records; access reviews; surveillance-review records"Recording footage nobody reviews counts as monitoring"
3.10.2[d]Support infrastructure is monitoredInspection schedule; tamper reviews; alarm records; documented facility checks"A locked closet automatically proves monitoring"
3.10.3[a]Visitors are escortedVisitor procedure; escort assignment; sign-in records; staff training"People we know aren't visitors"
3.10.3[b]Visitor activity is monitoredEscort records; visitor-area restrictions; review and incident records"A visitor badge alone proves activity was monitored"
3.10.4[a]Physical access logs are maintainedPaper logs or badge exports; employee/visitor records; retention procedure"You must have an electronic badge platform"
3.10.5[a]Physical access devices are identifiedInventory of keys, locks, combinations, cards, badges, readers"Only electronic badges are 'access devices'"
3.10.5[b]Physical access devices are controlledIssuance approvals; key receipts; access-group assignments; secure spare-key storage"Keeping a list is the same as controlling issuance"
3.10.5[c]Physical access devices are managedReturn records; revocation records; rekey/code-change history; periodic reconciliation"Access devices only matter when first issued"
3.10.6[a]Safeguards for alternate work sites are definedRemote-work standard; approved site types; storage/printing/viewing rules"VPN and MFA alone define the physical safeguards"
3.10.6[b]Alternate-work-site safeguards are enforcedTraining; attestations; approvals; manager checks; exception records"Publishing a remote-work policy proves enforcement"

PE.L2-3.10.1 — Limit physical access to systems, equipment, and operating environments

This is the foundation, and it’s a 5-point control, so it has to be Met. The requirement isn’t “have a lock.” It’s: identify who’s authorized, then limit access to your systems, equipment, and the environments they live in to those people. Draw a boundary between your public areas and your controlled areas. Keep an approved list of who can enter. Enforce it with barriers — badge readers, keyed locks, biometrics, whatever fits. Where it fails:contractors point to the front door and forget that “equipment” includes the networked printer in the shared hallway and the switch in the unlocked closet.

Likely owners: Facilities and IT, with HR for the authorization list.

PE.L2-3.10.2 — Protect and monitor the facility and support infrastructure

Also 5 points, also non-deferrable. Two separate outcomes hide in one sentence: you must protect the facility and its support infrastructure, and you must monitorthem. Support infrastructure is the part people miss — wiring closets, network cabling, power distribution. Lock the wiring closet, protect exposed cable runs, and have a real way to notice unauthorized or abnormal access, whether that’s a guard, reception, alarms, or reviewed camera footage. Where it fails:treating “monitoring” as a box you check by owning a camera, when nobody actually reviews anything.

Likely owners: Facilities, with IT identifying what infrastructure is in scope.

PE.L2-3.10.3 — Escort visitors and monitor visitor activity

A 1-point control that the rule specifically bars from POA&M — so it must be Met. Note the “and”: you escort visitors andyou monitor their activity. A visitor badge helps identify someone, but it doesn’t satisfy the escort objective on its own. Build a process: who’s a visitor, how they sign in, who escorts them, where they’re allowed, and how their activity is monitored. Where it fails:“we know that person, so they’re not really a visitor.” The rule doesn’t work that way.

Likely owners: Front desk and Facilities.

PE.L2-3.10.4 — Maintain audit logs of physical access

The single-objective control — and a non-deferrable one. You keep records of physical access. The method is yours: a paper log at reception, an electronic badge-system export, or a combination. The guide is explicit that written, automated, or combined logs are all acceptable. What matters is that the log captures the physical access events relevant to your boundaries, stays current, and can be retrieved. Where it fails:assuming CMMC forces you into an electronic badge platform. It doesn’t — a consistently kept paper log can satisfy this control.

Likely owners: Facilities or Security; IT if the logs are electronic.

PE.L2-3.10.5 — Control and manage physical access devices

Three objectives, and the rule bars it from POA&M. “Access devices” is broader than badges — it means keys, locks, combinations, cards, and readers. You have to identify them (an inventory), control them (an approval process to issue them, plus secure storage for spares), and managethem across their whole life — including reclaiming or disabling them when someone leaves or changes roles. This is where physical and digital offboarding have to agree. Where it fails:keeping an inventory but never proving that a departed employee’s key was returned or a shared door code was changed.

Likely owners: Facilities and HR, with IT for electronic credentials.

PE.L2-3.10.6 — Enforce safeguards for CUI at alternate work sites

The sleeper. Two objectives — you must both define and enforcesafeguards for alternate work sites — and it’s the one PE control that’s potentially POA&M-eligible. “Alternate work site” includes employees’ homes, customer sites, and government facilities. The safeguards can differ by situation, but a generic telework policy or a secure VPN connection does not, by itself, prove the physical component. Where it fails: treating a written remote-work policy as evidence of enforcement, with nothing showing the policy is actually followed.

Likely owners: Compliance, HR, IT, and front-line managers.

Primary sources: CMMC Level 2 Assessment Guide, §3.10.1–§3.10.6 (incorporating NIST SP 800-171A assessment objectives).


How do CMMC physical security requirements apply to remote workers and home offices?

Remote work is not automatically out of scope, and a camera in someone’s home is not a universal requirement. Control 3.10.6 requires you to define and enforce safeguards for CUI at alternate work sites — including home offices. If CUI can be viewed, stored, or printed at a kitchen table, your System Security Plan (SSP) has to say how it’s protected there, and you need evidence the safeguards are actually followed.

For digital-only remote work (people accessing CUI through a virtual desktop or browser, with nothing stored locally), the physical safeguards are mostly about the workspace: block local downloads, restrict printing, keep screens from prying eyes, lock devices when unattended, and define approved work locations. Evidence comes from device configuration plus employee practice you can demonstrate.

For remote work that involves paper (someone prints a CUI drawing at home), the bar goes up: approved printing rules, locked storage, controlled disposal, rules about who else in the household can access the space, and a real answer to the camera-phone problem.

What proves enforcement in practice:

What you should not claim:

Primary source: CMMC Level 2 Assessment Guide, §3.10.6; NIST SP 800-46 and SP 800-114 for telework context.


What changes in a leased office, shared building, cloud environment, or shop floor?

The same six controls apply, but the evidence questions change with your environment. A landlord’s building controls or a cloud provider’s data-center security can support your case — but they don’t automatically prove your objectives. You have to define the boundary, document what someone else operates, show what you control inside it, and keep evidence for inherited, shared, and retained responsibilities.

EnvironmentBoundary question to answer firstHighest-risk PE evidenceThird-party evidence to obtainCommon mistake
Owner-occupied officeWhich rooms and equipment are in scope?Access roster, locks/zones, visitor process, logs, key managementAlarm/security-provider records if you rely on themTreating the front door as proof for every interior area
Leased suite, shared lobbyWhere does the landlord's control end and yours begin?Suite access, interior controlled areas, visitor handoffLease terms, building procedures, badge reports, a responsibility statementAssuming the building's controls prove your objectives
Manufacturing / machine shopWhere are terminals, drawings, printers, and controllers exposed?Shop-floor zoning, visitor routes, equipment access, paper handlingCustomer or landlord controls where relevantSecuring the office while leaving shop-floor CUI exposed
Cloud enclave + ordinary officeDoes any local device, screen, printer, or download create a physical exposure?Endpoint placement, printing limits, workspace rules, inherited data-center controlsCloud provider's customer responsibility matrix and assurance packageAssuming "we're in the cloud" makes all PE controls N/A
Fully remote workforceWhat locations are approved, and what can happen there?Alternate-site standard, no-print rules, visual privacy, secure storage, enforcementCloud and managed-service responsibility evidenceTreating VPN/MFA/VDI as complete physical safeguards
Customer / government siteWho controls the facility, and what's still on you?Site authorization, host rules, portable equipment, worker conductHost-site procedures or contractual responsibility evidencePointing to the host's program without documenting what you retain

Moving CUI into a compliant enclave inherits the data center’s physical protections, but it doesn’t erase your local exposures — the laptop, the screen, the printer, the download. “We’re all cloud” is a scoping conversation, not an automatic exemption.

Primary sources: CMMC Level 2 Assessment Guide, §3.10; Cyber AB CMMC Assessment Process (CAP) v2.0.


Do paper drawings, printers, and hard-copy CUI change the answer?

Yes. Paper CUI creates real physical protection obligations even when it never touches a computer. Under the official DoD CMMC Program FAQ, an organization that handles only hard-copy CUI is not required to complete a CMMC assessment — but it must still safeguard that paper under DoDI 5200.48. And the moment paper CUI is scanned, photographed, emailed, uploaded, printed, or entered into a system, that system comes into CMMC scope before the CUI touches it.

If you handle both paper and digital CUI, a single assessment covers both. What this means for your physical program:

Primary sources: DoD CMMC Program FAQ (hard-copy CUI answer); DoDI 5200.48, paragraph 1.1(b). Verified July 17, 2026.


How long do you have to keep CMMC visitor and physical access logs?

CMMC does not set a universal 90-day or one-year retention period for physical access logs (3.10.4). The Level 2 Assessment Guide tells you to retain access records for the period your company defines. So set a defensible period, align it with your contractual, legal, and privacy obligations, and be able to show the logs actually follow it.

If you’ve seen “keep 90 days” or “keep one year” stated as a CMMC rule, it isn’t one — those are conventions or examples, not requirements. One practical note: physical access logs contain employee and visitor personal information, so retain what’s operationally and contractually justified, restrict who can see the logs, and apply your normal records-management and privacy obligations. More is not automatically better.

Primary source: CMMC Level 2 Assessment Guide, §3.10.4 discussion.


Will a C3PAO physically walk through our facility?

A Level 2 certification assessment can include in-person validation of selected physical objectives — an assessor confirming that what your SSP describes actually exists. But the CMMC Assessment Process lets the C3PAO and the organization work out evidence-collection logistics during planning, including which objectives are checked virtually versus in person. Don’t promise yourself a universal walkthrough, and don’t assume a cloud-heavy or fully remote company avoids all physical validation. And remember: during the current suspension, new Level 2 C3PAO designations are paused, so confirm your actual assessment path before you plan around it.

The accurate version is that it’s planned. The CAP calls for deliberate virtual-versus-in-person decisions for a number of objectives, several of them in the PE family. What you should be able to demonstrate, in person or on screen, is consistent: your boundary, your controlled entry points, your protected systems and infrastructure, your visitor process, your logs, your key and badge lifecycle, your remote-work safeguards — and that all of it matches your SSP.

Primary source: Cyber AB CMMC Assessment Process (CAP) v2.0; DoD suspension memorandum (July 2026) for current assessment-path limits.


The fastest defensible way to close your Physical Protection gaps

Start with scope and objectives, not a hardware quote. Map your real facilities and alternate work sites, test all 16 objectives, fix the five non-deferrable controls first, implement safeguards that fit your environment, and build operating evidence before you mark anything Met. Then route whatever you can’t close internally to the right provider category.

  1. Confirm the contract, data, and level.Identify your clauses, whether you handle FCI or CUI, and whether the requirement is even current. The contract sets your level — don’t let a checklist assign it.
  2. Draw the physical boundary. Entrances, public areas, controlled areas, systems, equipment, support infrastructure, printers, paper storage, the visitor route, and every alternate site.
  3. Inventory your access mechanisms. Keys, locks, codes, badges, readers, alarms, cameras (if used), reception or guards, and any shared building controls.
  4. Map each of the 16 objectives to evidence. Use the matrix above. For each objective, name the document, the record, the person who can explain it, and the test.
  5. Fix the non-deferrable controls first,in this order: 3.10.1, then 3.10.2, then 3.10.3, 3.10.4, 3.10.5. This reflects POA&M eligibility and point value; 3.10.6 still matters, it’s just the one you can stage.
  6. Make it operational. Approve the procedures, train the owners, start producing records, reconcile physical and digital offboarding, and update the SSP so it matches reality.
  7. Run a mock examine–interview–test. For each objective: What final document proves the design? What recurring record proves it operates? Who can explain it? What can you demonstrate? Does the SSP match? Is the evidence current?

What we actually verified

We think a page that tells you how to spend six figures should show its work — including its limits.

Verified against primary sources on July 17, 2026:

What we did not verify, and you should confirm:

This page is educational research, not legal, contractual, or compliance advice. Confirm your scope and applicability with a CMMC Registered Practitioner or Registered Provider Organization (RP/RPO) or a qualified federal-contracts attorney. See our methodology, editorial standards, and corrections policy for how we source and update this work.


Frequently asked questions about CMMC physical security requirements

How many physical security controls does CMMC have?
Six, in the Physical Protection (PE) family of NIST SP 800-171 Revision 2 (controls 3.10.1 through 3.10.6). CMMC Level 1 groups them into two practices for FCI; Level 2 requires all six for CUI, evaluated through 16 objectives; Level 3 adds none.
Is physical security part of CMMC Level 1?
Yes. Level 1 has two Physical Protection practices — PE.L1-b.1.viii (limit physical access) and PE.L1-b.1.ix (manage visitors and physical access, which combines visitor escort, access logs, and access-device management). They come from FAR 52.204-21(b)(1)(viii) and (ix).
Does CMMC require security cameras?
No universal requirement mandates cameras. The CMMC Level 2 Assessment Guide lists cameras as one example of how facility monitoring can be done. Guards, reviewed logs, sensors, or reception can also satisfy the monitoring objective.
Does CMMC require electronic badge readers?
No. Written logs, automated records, or a combination are all acceptable for the physical access log requirement, as long as your method satisfies the objectives and can be evidenced.
Are visitor badges required?
A badge can help identify a visitor, but it doesn't by itself satisfy control 3.10.3, which requires that visitors be escorted and their activity monitored.
Do employees have to sign in and out?
Not necessarily through a paper sheet. You must maintain relevant physical access logs (3.10.4), and your chosen procedural, automated, or combined method must produce defensible, retrievable records.
Do mechanical keys count as physical access devices?
Yes. The Level 2 Assessment Guide identifies keys, locks, combinations, and card readers as examples of physical access devices you must identify, control, and manage under 3.10.5.
Can a fully remote company mark all Physical Protection controls Not Applicable?
Not automatically. Applicability depends on cloud inheritance, local endpoints, printing, screens, alternate work sites, paper, and other retained responsibilities — and control 3.10.6 (alternate work sites) specifically reaches remote work.
Does a landlord's building badge system satisfy CMMC?
It can provide inherited or supporting evidence, but you must still document the boundary, the landlord's responsibilities, your responsibilities, visitor handoff, and any interior controlled areas you operate.
How long should physical access logs be retained?
For the period your company defines and consistently follows, subject to your other contractual, legal, and privacy requirements. CMMC does not impose a universal retention period (per the Level 2 Assessment Guide, §3.10.4).
Is control 3.10.6 a Level 3 requirement?
No. It's a Level 2 requirement in the current model that also carries into Level 3. NIST SP 800-172 adds no physical protection requirements.
Which PE controls can't go on a Conditional Level 2 POA&M?
Controls 3.10.1 through 3.10.5 cannot. Controls 3.10.1 and 3.10.2 are 5-point controls (over the 1-point limit); 3.10.3, 3.10.4, and 3.10.5 are named exclusions in 32 CFR 170.21. Only 3.10.6 is potentially eligible, subject to the overall score threshold and 180-day closeout.
Should we assess against NIST SP 800-171 Revision 2 or Revision 3?
For CMMC Level 2, the current rule still incorporates Revision 2, even though NIST has published Revision 3 and withdrawn Revision 2 as a general publication. Unless and until the CMMC rule is amended, Revision 2 is the controlling baseline (32 CFR Part 170).
Is paper-only CUI exempt from protection?
No. Under the DoD CMMC Program FAQ, handling only hard-copy CUI means you're not required to complete a CMMC assessment — but you must still safeguard the paper under DoDI 5200.48.
Can scanning a paper drawing change our scope?
Yes. Per the DoD CMMC Program FAQ, scanning, photographing, uploading, printing, entering, or emailing paper CUI brings the receiving system into applicable CMMC assessment scope before the CUI is placed on it.
Does the July 2026 Phase II suspension eliminate DFARS 252.204-7012 duties?
No. The implementing memorandum states those safeguarding obligations remain in effect where the clause applies. The suspension paused third-party assessments, not the underlying security requirements.
Will an assessor inspect an employee's home?
There's no universal answer. You must show that alternate-site safeguards are defined and enforced; the exact evidence method is resolved during assessment planning under the CMMC Assessment Process.
Who should confirm our final scope?
A qualified CMMC Registered Practitioner (RP) or Registered Provider Organization (RPO), and a federal-contracts attorney where contractual interpretation is involved. A C3PAO should stay independent from your implementation work when it acts as your formal assessor.

Your next step

What you do next depends on where your gap actually is. If you’re unsure about your level or scope, that’s a readiness conversation. If you know your gaps but lack the internal time, that’s implementation or managed compliance. If you’re ready to be assessed, that’s a C3PAO — kept separate from whoever helped you get ready.

Physical Protection is one of the few CMMC domains a small, single-site contractor can genuinely handle in-house. If that’s you, take the evidence matrix above and go. But if remote work, multiple sites, a shop floor, or a Not Met in one of the two 5-point controls has turned this into a real decision, don’t guess your way through a stack of vendor quotes.

Disclosure

The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification.

Independence

The Defense Compliance Report is not affiliated with the Cyber AB, the Department of Defense, DCMA DIBCAC, NIST, or any U.S. government agency. This page provides educational research, not legal, contractual, or compliance advice. Confirm scope and applicability with a CMMC Registered Practitioner/Registered Provider Organization or a qualified federal-contracts attorney.

Sources (primary and authoritative)

  • NIST SP 800-171 Revision 2, §3.10 Physical Protection — the Level 2 control set
  • NIST SP 800-171A — assessment objectives incorporated into the CMMC Level 2 Assessment Guide
  • NIST SP 800-172 — confirms no Physical Protection enhancements for Level 3
  • 32 CFR Part 170 — CMMC Program Rule. §170.21 (POA&M) and §170.24 (Scoring Methodology)
  • FAR 52.204-21(b)(1)(viii)–(ix) — Level 1 physical practices
  • DFARS 252.204-7012 — safeguarding covered defense information
  • CMMC Level 1 and Level 2 Assessment Guides — DoD CIO
  • CMMC Assessment Process (CAP) v2.0 — Cyber AB
  • DoD CMMC Program FAQ — hard-copy CUI answer
  • DoDI 5200.48, paragraph 1.1(b) — safeguarding of CUI, including hard copy
  • Department of Defense, “Forging the Arsenal of Freedom: Department of Defense Suspends CMMC Phase II Requirements,” July 13, 2026, and implementing suspension memorandum signed by DoD CIO Kirsten Davies

Regulatory facts on this page were verified against the sources above on July 17, 2026. Phases and rules change — we re-verify the suspension status, rule versions, and scoring provisions on a recurring basis and update the “Last reviewed” date when we do.