3.10.1 — Lock the Doors

The One-Liner

If anyone can walk into your server room, your physical security is nonexistent.

What It Says

Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals.

What It Actually Means

Server rooms, wiring closets, CUI work areas — locked and access-controlled. Not everyone gets a badge or key. The assessor checks: Is there a list of authorized people? Are access controls enforced (badge readers, locks)? Can unauthorized people get in?

This covers three things independently: access to systems (servers, workstations), access to equipment (network gear, printers in CUI areas), and access to operating environments (the rooms and spaces where CUI is handled). Output devices like printers must be placed where unauthorized people can’t see printouts.

---

Pass or Fail

Your assessor needs a “yes” to every row:

#	Question	What “yes” looks like
1	Are authorized individuals identified?	Named access list for each secured area
2	Is physical access to systems limited?	Server room locked, badge access, list maintained
3	Is physical access to equipment limited?	Network closets locked, CUI printers in controlled areas
4	Is physical access to operating environments limited?	CUI work areas access-controlled

---

What to Have Ready on Assessment Day

Documents they’ll review: Physical and environmental protection policy; physical access authorization procedures; authorized access lists per area; system security plan; badge reader configuration; key distribution records

People they’ll talk to: Personnel with physical access responsibilities; information security personnel

Live demos they’ll ask for: “Show me the server room — is it locked?” “Who has badge access? Show me the list.” “Are CUI printers in controlled areas?” “Walk me through the access request process.”

---

The Assessor’s Playbook

These are the actual questions. Have answers ready.

• “Show me the physical access list for the server room.”
• “Is the server room locked? Show me.”
• “Are CUI printers in controlled areas?”
• “How do you add or remove someone from the access list?”

Real-World Example

A defense contractor’s server room requires badge access — the badge reader logs every entry. Four people have access: two sysadmins, the IT Security Lead, and the facilities manager. The CUI printer is inside the CUI work area (also badge-controlled). The access list is reviewed quarterly. The assessor checks the badge reader, reviews the access list, and verifies the printer location.

---

Where Companies Trip Up

Unlocked server room. Door propped open or lock broken. Fix immediately.

Everyone has access. All employees badge into all areas. Restrict to need-to-know per area.

No access list. Doors locked but no record of who has access. Maintain named access lists per area.

CUI printer in open area. Printouts visible to unauthorized people. Move the printer or restrict the area.

---

How to Talk About This

To a CEO or Board

Server rooms and CUI areas are locked and access-controlled. Only authorized personnel enter. Access lists are reviewed quarterly.

To an Engineering Team

Badge access on server room and CUI work areas. Named access lists per area. Quarterly review. CUI printers in controlled areas. Badge logs retained 90+ days.

---

Connected Requirements

Requirement	Why it matters here
3.10.2 — Watch the Building	Monitoring complements access control
3.10.3 — Escort Every Visitor	Visitor controls for CUI areas
3.10.4 — Log Physical Access	Audit logs of who accessed secured areas

---

Implementation (coming soon)

Step-by-step setup for Microsoft 365 / Entra ID, AWS, Azure, and GCP — console steps, CLI commands, and evidence screenshots.

---

CMMC Practice ID: PE.L2-3.10.1 | SPRS Weight: 5 points | POA&M Eligible: No