Lockdown Success: Physical Security in CMMC

Dive into essential physical security controls within CMMC 2.0, from access management to safeguarding support infrastructure. Learn real-world lessons from defense contractors who strengthened facility security and avoided common pitfalls.

Chapter 1

Establishing Physical Access Controls

Eric Marquette

Hey everyone, welcome back to CMMC Unlocked. Eric here with Paul and Roz, and today we're getting into the nuts and bolts of physical security controls under CMMC Level 2. This is a topic that doesn’t always get the spotlight, but, honestly, it’s make-or-break for compliance—not to mention, actual security. Paul, maybe you can kick us off by grounding us in the basics? What are organizations supposed to do when it comes to limiting physical access?

Paul Netopski

Absolutely, Eric. The foundational requirement—straight out of CMMC 2.0 and NIST SP 800-171—is all about identifying who’s authorized to access your systems, equipment, and where those systems live. You've got to maintain an access roster—up-to-date, detailed, approved by the right people. That means you can't have just anybody wandering into your server room or wiring closet. Design your controls around badges, keys, locks, whatever works for your environment, so long as you can show it’s managed and it's limited to only those who need it.

Roz the Rulemaker

And don’t forget, from a regulatory and documentation perspective, it's not enough to just have those controls in place—you need thorough documentation. That includes logs of who’s authorized, records of approvals, and evidence that you’re revoking access when a role changes. Auditors aren’t just checking for working locks—they want to see the paper trail to prove your controls are intentional and enforced regularly.

Eric Marquette

Totally. And the real world has a way of stress-testing those controls whether you want it to or not. I remember working with a smaller defense contractor. They initially had nothing but some pretty basic keyed locks on their main office doors and a printed list of "authorized" folks taped above the doorframe—like, seriously, you could just peek at it on your way in! Then they had a near-miss where somebody—actually a cleaning vendor—almost got into the network closet because nobody checked their credentials. Our gap analysis caught that, and it was enough of a wakeup call. They switched to a badge system, did a full inventory of who got access to where, and, crucially, documented approvals. The risk—and the audit headaches—went way, way down.

Paul Netopski

That’s a textbook example, Eric. And look, that point about the cleaning vendor is so common. The requirement under control 3.10.1 is: limit, review, and document access. If you can’t show who’s allowed in, it's a finding. The badge system, the log, the review process—they all need to fit together to show you know, at all times, who can get through those doors. Contractors, vendors—everybody has to be on that list or escorted. If you’re out of sync with your roster and logs, your risk level is way higher than you realize.

Roz the Rulemaker

And let's be honest, even with technology, if you don't keep your list up to date, or if you have “legacy” badges floating around, you’re undermining your own controls. I always recommend connecting access reviews to HR processes—every change in employment status should trigger a credential update or revocation in your logs. No exceptions.

Chapter 2

Securing Facilities and Support Infrastructure

Paul Netopski

So, let’s dig deeper into the next piece: not just access, but protection and monitoring of the physical facility and the systems that keep it running. This isn’t just about the door to the server room—it’s alarms, HVAC, building power, monitoring systems—all those layers that could be a target. The control requirements here—PE.L2-3.10.2—are clear: you have to protect and actively monitor both the main facility and all critical support stuff. That means camera feeds, alarm systems, badge access logs, and documented inspections.

Eric Marquette

Yeah, and I’ve seen situations where people focus on the building entrance but totally forget about the “infrastructure” side—like, say, the badge controller itself sitting under the front desk with zero protection. Or, more often, vendor-managed systems, like the alarms, where nobody is checking whether someone else might have a backdoor into the panel. If your vendor contracts don’t include physical security terms, you’re leaving yourself open.

Paul Netopski

Exactly. Actually, I had a case at a defense contractor site—I'll just say, it was Massachusetts-based. They did everything right with locks, cameras, sign-ins—but nobody realized a camera system network cable actually ran outside the security perimeter. It wasn’t documented on the site diagram. During a pre-audit walk-through, I noticed the cable and traced it—technically, someone could intercept traffic outside the protected area. Long story short, updating the site diagrams, extending the secure boundary, and pulling that cable back inside the perimeter closed a pretty dramatic gap. This is why your diagrams and inventories need to actually reflect reality—not just what you wish was there.

Roz the Rulemaker

And, Paul, your point about the contracts is something I harp on all the time. If you’re using vendors for monitoring or for maintaining alarm or HVAC systems, your contracts need to be explicit. Specify access procedures, reporting, and logging requirements. Otherwise, you don’t just have a physical security risk—you’ve got a compliance risk, too. Regulators expect you to demonstrate control over those support systems, and that includes making sure all monitoring devices and infrastructure are actively checked. Cameras don’t do much good if no one ever reviews the footage or the logs.

Eric Marquette

Definitely. And just a nod back to our last episode—when we talked about the importance of media security—it’s kind of the same mindset here: safeguarding your systems is about having eyes on more than just the obvious entry points. Review logs, do inspections, and above all, make sure your safeguards include both the technology and the people side, especially with third-party involvement.

Chapter 3

Managing Physical Access Devices

Roz the Rulemaker

So, let’s turn now to the actual devices that make or break your physical security. I’m talking badges, keys, tokens—anything that opens a door or logs you in. CMMC—and by extension, NIST 800-171—requires a current, accurate inventory of every device, every key, every badge. You need documentation on issuance, returns, and deactivation, and those records have to be updated in real time, not just when you remember. If something goes missing, it needs to be reported and deactivated right away. And don't forget visitor badges—they’re just as important for audits and need to be tightly controlled and logged.

Eric Marquette

Yeah, Roz, and that monthly and semi-annual review stuff you just hinted at? That’s not just a best practice—that’s baked into the policy and the audit criteria. The whole idea is, if someone loses a badge or a key, you want it deactivated or re-keyed as quickly as possible. I’ve seen places where someone left a job months ago, but the badge was still active in the system. All it takes is one audit finding like that for the compliance folks to circle the wagons.

Roz the Rulemaker

Absolutely. I actually came across a scenario—annual review, busy facility, a handful of former employees had badges that, due to some administrative oversight, weren't deactivated after offboarding. The auditors caught it. Not only did it count as a control deviation, but it triggered a full review of all badge inventory and onboarding and offboarding procedures. The fix wasn’t just “flip the switch”—they had to do a deep dive to close that loop and prove the process worked going forward. The lesson? Tie access device management to HR and offboarding, with controls and logs to prove it.

Paul Netopski

And part of this is about maintenance and review cycles. Your access control systems—badge readers, locks, cameras, alarm panels—should be inspected regularly, and those records logged as maintenance tickets. Lost or stolen devices are a fire drill: immediate disablement, documentation, and, if necessary, re-keying or contract escalation. If you're relying on a third party, make sure your contract includes all those safeguards.

Eric Marquette

And, honestly, make the inventory visible—have a list tied to onboarding, offboarding, and maintenance tickets. If you treat credential management as a living thing, not a one-time checklist, you'll be in a much better place come audit time—or, you know, if something actually goes wrong.

Chapter 4

Visitor Escort and Monitoring Procedures

Eric Marquette

Visitors—this is probably the most overlooked area in physical security, and it’s the one auditors love to poke at. Organizations sometimes forget that a visitor isn’t only, say, a sales guest—it can be a vendor, a maintenance crew, or even somebody from your landlord’s staff. The rule is clear: visitors have to be escorted, period. Their activity is logged—the whole nine yards: name, company, who they’re visiting, why, entry and exit times, and the escort’s name. And the escort has to actually, well, escort them. Not “here’s your pass, have fun.”

Paul Netopski

Right. And the point isn’t just procedural—it’s security. If you’ve got a vendor walking around on their own, even just for a “minute,” that’s a gap. Logs need to show not only the logistical details but that the procedures were followed—escorts were briefed, credentials returned at the end. It’s all about traceability for both security incidents and compliance audits.

Roz the Rulemaker

It also supports investigations, Eric. Let’s say something goes missing or a system is tampered with—if you can’t tie a visitor to entry and exit, and you don’t have a complete log, you’re out of luck. Visitor escorts need a clear briefing on what the visitor can and can't do, where they’re allowed, and the monitoring procedures. I always look for signed escort briefings during document reviews—that’s just as valuable for compliance as camera logs.

Eric Marquette

And to make this real: years ago, I was consulting for a client, and the facilities team let a maintenance crew start working on the HVAC without an escort, because “they’re regulars.” During the physical patrol, a security officer spotted them in an area they weren’t supposed to be, and checked the visitor log—no sign-in, no escort. We flagged it, and it actually prevented an audit ding later, but it could have been a lot worse if something had gone sideways. After that, the company started doing more thorough log reviews and patrols. It’s a lesson—you don’t get a free pass just because someone’s familiar!

Paul Netopski

Exactly. And this is something we’ve discussed in previous episodes: compliance isn’t just a paperwork exercise. Auditors are always watching for “the human element.” Having those documented procedures and briefings—and spot checks—reinforces a culture of accountability and readiness. It’s not just for show; it works when you actually enforce it.

Chapter 5

Safeguarding Support Infrastructure

Paul Netopski

Alright, last but not least, let’s shine a light on support infrastructure—because a lot of folks hear “HVAC, power” and think only in terms of availability, not confidentiality. But support infrastructure includes things like network cables, access system wiring, surveillance camera feeds—basically any component that could compromise the confidentiality of systems or data if mishandled.

Roz the Rulemaker

Absolutely, Paul. Like, it’s easy to forget that a lone network cable exiting the security area or a camera’s unprotected feed can represent a major vulnerability. These are common vectors for breaches. Even something as “simple” as a motion sensor—if it’s set up in a way that can be fooled or triggered from outside, that can be an avenue for physical access or defeat. And there are real-world examples: people sliding paper under a door to trigger a motion sensor and unlock a door, or tossing a hat over a subway gate to bypass fare control. The same creative thinking applies to threat actors targeting defense contractors.

Paul Netopski

Yeah, that's not just urban legend—the subway trick actually inspired a review on a project I worked on. We realized some motion-activated locks in the facility could potentially be bypassed with nothing more than a creative distraction. The takeaway is this: you need to assess not only whether support infrastructure ensures availability, but also whether it protects confidentiality. That means identifying exposed cabling, checking where communications for cameras, badge readers, and sensors run, and locking down every segment inside your physical boundary. And don’t forget: your inspections and your security diagrams have to reflect these realities—not the “book” version of your system, but where devices and cables actually are, physically.

Eric Marquette

Honestly, this is an area where creativity can work in your favor, too—as long as you think like an adversary. Challenge your teams to spot potential weaknesses: Can someone interrupt a sensor, jam a camera, or tap into a network cable that leaves the secure area? All those “what-ifs” should be built into your quarterly reviews. And—one more time—loop your contracts and vendor relationships in so the safeguards aren’t just your internal problem, but are carried through by anyone touching your infrastructure.

Roz the Rulemaker

Great reminders, both of you. And this is why holistic policy and procedure are so valuable. Technical security, contracts, personnel training—they all come together. Documentation, diagrams, real inspections, and periodic reviews are your best defense. And it’s not just theory—we’ve seen audit findings and actual breaches that come down to these “invisible” infrastructure weaknesses.

Eric Marquette

Alright, we’re gonna call it there for today. We covered everything from access rosters to creative physical security challenges—hopefully demystifying some of the practical realities of CMMC physical security requirements. Paul, Roz, thanks as always. Any last thoughts before we wrap up?

Paul Netopski

Just remember, security is in the details, and documentation is your ally. Don’t wait until audit season—build these habits now. Looking forward to next time.

Roz the Rulemaker

Agreed. If you want to stay one step ahead, focus on process integration and keep your policy and operations aligned. See you in the next episode!

Eric Marquette

Thanks everyone for tuning in to CMMC Unlocked. We'll catch you next time—stay secure, keep learning, and goodbye from all of us!