PE.L2-3.10.1 — Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals.
What this control requires
Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals.
Source: CMMC L2 v2.13 PE.L2-3.10.1 / NIST SP 800-171 R2 3.10.1 (official control text).
Why this matters
Physical access controls prevent unauthorized individuals from directly tampering with systems that process, store, or transmit CUI. An unlocked server room or unmonitored equipment area creates opportunities for data theft, sabotage, or installation of malicious hardware. This control requires organizations to establish clear boundaries around computing resources—servers, workstations, network equipment, printers, and storage devices—and restrict entry to only those individuals whose job function requires it. Without physical barriers and access verification, all technical security measures can be bypassed by someone who simply walks up to a device.
What evidence assessors expect
Assessors typically look for photos, PDFs, screenshots, and CSV exports. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.