03.10.01 — (a) Develop, approve, and maintain a list of individuals with authorized access to the facility where the system resides. (b) Issue authorization credentials for facility access. (c) Review the facility access list [Assignment: organization-defined frequency]. (d) Remove individuals from the facility access list when access is no longer required.
What this control requires
(a) Develop, approve, and maintain a list of individuals with authorized access to the facility where the system resides.
(b) Issue authorization credentials for facility access.
(c) Review the facility access list [Assignment: organization-defined frequency].
(d) Remove individuals from the facility access list when access is no longer required.
Source: NIST SP 800-171 R3 §03.10.01 (official control text).
Why this matters
Physical access controls prevent unauthorized individuals from tampering with systems that store or process sensitive federal contract information. An attacker who gains physical access to servers, workstations, or network equipment can bypass virtually all software security controls—extracting data, installing malware, or destroying evidence. This control establishes a documented approval process for who can enter facilities housing CUI systems, issues credentials that prove authorization, requires periodic review to catch stale permissions, and ensures prompt revocation when personnel leave or change roles. Without these measures, the organization cannot demonstrate that physical security matches its technical security posture.
What evidence assessors expect
Assessors typically look for: CSV export, photo, signed letter, PDF. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.