bigforceone

03.10.07

What this control requires

(a) Enforce physical access authorizations at entry and exit points to the facility where the system resides by:
(b) Maintain physical access audit logs for entry or exit points.
(c) Escort visitors, and control visitor activity.
(d) Secure keys, combinations, and other physical access devices.
(e) Control physical access to output devices to prevent unauthorized individuals from obtaining access to CUI.

Source: NIST SP 800-171 R3 §03.10.07 (official control text).

Why this matters

Physical access control prevents unauthorized individuals from physically touching systems that store, process, or transmit CUI. A single unauthorized entry can bypass every digital safeguard—an intruder can steal hard drives, photograph screens, plug in USB devices, or social-engineer employees. This control establishes layers of physical security: controlling who enters, logging every access event, supervising visitors, protecting access credentials, and securing output devices like printers where CUI might appear. Organizations face insider threats, tailgating, credential theft, and opportunistic breaches when physical boundaries fail.

What evidence assessors expect

Assessors typically look for: photo, screenshot, PDF. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.
