PE.L1-3.10.1 Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals.

What this control requires

Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals.

Source: CMMC L1 v2.13 PE.L1-3.10.1 / FAR 52.204-21(b)(1) / NIST SP 800-171 R2 3.10.1 (official control text).

Why this matters

Physical access controls prevent unauthorized individuals from directly interacting with systems that store, process, or transmit CUI. An unlocked server room or unattended workstation creates an avenue for data theft, sabotage, or malware insertion that bypasses every digital safeguard. This control establishes that only personnel with legitimate business need—verified through badges, keycards, or biometric credentials—can enter areas housing organizational IT equipment. It protects against insider threats, social engineering (tailgating), and opportunistic theft while creating an auditable record of who accessed sensitive spaces.

What evidence assessors expect

Assessors typically look for: photo, CSV export, screenshot. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.
