03.10.04 —
What this control requires
Source: NIST SP 800-171 R3 §03.10.04 (official control text).
Why this matters
Unauthorized physical access to organizational systems and facilities is an attack vector that bypasses technical security controls entirely. This requirement limits physical reach to servers, network equipment, workstations, and the areas where data is processed or stored to authorized personnel. Physical access controls prevent theft, tampering, sabotage, and data extraction through removable media or direct console access; without them, an adversary can compromise a system regardless of password strength, encryption, or firewall rules, since a console session or a removed drive sidesteps all three. The control also protects against insider threats, social engineering attempts (for example tailgating or impersonation at an entry point), and unauthorized entry during both business and non-business hours.
What evidence assessors expect
Assessors typically look for artifacts such as screenshots, photographs, PDF documents, and CSV exports. FORCE coaches you through the implementation steps and captures each artifact in-platform.
Related controls
See your live posture on 03.10.04.
FORCE shows where you stand on this control and walks you through closing it.
Start a free trial tenant →