NIST SP 800-171 Rev 2 §3.10.1 requires organizations to establish and maintain a list of individuals authorized to physically access systems, equipment, and the operating environments in which those systems reside, and to enforce controls that prevent unauthorized physical access. Physical access controls include but are not limited to locked server rooms, badge access systems, biometric readers, security guards, and visitor management procedures. The practice applies to all locations where Controlled Unclassified Information (CUI) is processed, stored, or transmitted, including data centers, server closets, office spaces hosting CUI workstations, and any co-location or shared facilities. Authorization must be explicitly granted based on role and business need, not assumed from general employment status. This practice is foundational to the entire Physical Protection domain; practices PE-L2-3.10.2 through PE-L2-3.10.6 all depend on the authorization baseline established here.
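The following is an added example, not text or code from NIST or from this cubelet, showing how the authorization baseline described above can be checked mechanically: badge-system events are reconciled against an explicit per-person, per-location authorization list rather than against an employee roster, so that general employment status never stands in for an authorization. All names, locations, roles, dates and log entries are constructed sample data, and the data-structure shapes are assumptions of this example.

```python
"""Reconcile physical-access badge events against an explicit authorization list.

Added example (not from the page or from NIST SP 800-171). It illustrates the
3.10.1 principle that physical access is authorized explicitly, per person and
location, based on role and business need, and never inferred from employment.
Every value below is constructed sample data.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Authorization:
    """One entry in the authorized-access list this practice requires."""
    person: str
    location: str   # a CUI area, e.g. "server-room-1"
    role: str       # the business justification recorded with the grant
    expires: date   # grants are time-bounded and must be reviewed/renewed


@dataclass(frozen=True)
class BadgeEvent:
    """One record exported from a badge/door-controller system (constructed)."""
    person: str
    location: str
    when: date
    granted: bool   # what the physical control actually did at the door


# Constructed authorization baseline (the list 3.10.1 asks you to maintain).
AUTHORIZATIONS = [
    Authorization("alice", "server-room-1", "sysadmin", date(2025, 12, 31)),
    Authorization("bob", "server-room-1", "facilities", date(2025, 6, 30)),
    Authorization("carol", "cui-office-2", "program-analyst", date(2025, 12, 31)),
]

# Constructed HR roster. Deliberately NOT consulted by the checks below:
# "dave" is an employee but holds no physical-access authorization.
EMPLOYEES = {"alice", "bob", "carol", "dave"}

# Constructed badge log covering the four cases a reviewer cares about.
SAMPLE_EVENTS = [
    BadgeEvent("alice", "server-room-1", date(2025, 3, 1), granted=True),   # valid
    BadgeEvent("dave", "server-room-1", date(2025, 3, 1), granted=True),    # never authorized
    BadgeEvent("bob", "server-room-1", date(2025, 7, 15), granted=True),    # expired grant
    BadgeEvent("carol", "cui-office-2", date(2025, 3, 2), granted=False),   # wrongly denied
]


def matching_grants(auths, person, location):
    """All authorization entries for this person at this location, any date."""
    return [a for a in auths if a.person == person and a.location == location]


def is_authorized(auths, person, location, when):
    """True only if an unexpired, explicit grant exists for that person and place."""
    return any(when <= a.expires for a in matching_grants(auths, person, location))


def reconcile(auths, events):
    """Compare badge events with the authorization list.

    Returns (person, location, ISO date, reason) tuples for every event the
    list does not support, plus denials of people who are on the list (which
    usually means the door controller has drifted from the baseline).
    """
    findings = []
    for e in events:
        authorized = is_authorized(auths, e.person, e.location, e.when)
        if e.granted and not authorized:
            if matching_grants(auths, e.person, e.location):
                reason = "access granted on expired authorization"
            else:
                reason = "access granted without authorization on record"
            findings.append((e.person, e.location, e.when.isoformat(), reason))
        elif not e.granted and authorized:
            findings.append((e.person, e.location, e.when.isoformat(),
                             "access denied despite valid authorization"))
    return findings


if __name__ == "__main__":
    for finding in reconcile(AUTHORIZATIONS, SAMPLE_EVENTS):
        print(*finding, sep=" | ")
```

Running the block prints three findings: dave's entry (an employee with no grant), bob's entry on an expired grant, and carol's denial despite a valid grant. The first two are the unauthorized-access conditions the practice exists to prevent; the third is evidence that the enforcing control no longer matches the authorization list, which the same review should catch.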
Where it stops · what it isn't
- This practice does not govern logical or network-based access controls, which are addressed under the Access Control domain (§3.1).
- This practice does not address the inspection or sanitization of equipment brought into facilities, which is covered under PE-L2-3.10.3.
- This practice does not directly govern visitor escort and monitoring procedures beyond defining who is authorized; those details are addressed in PE-L2-3.10.2.
- This practice does not cover the protection of CUI during transmission or removable media handling, which falls under Media Protection (§3.8).
- This practice does not address remote physical access to systems via out-of-band management interfaces, which requires separate logical access controls.
Connected concepts in the graph
Every cubelet sits in a knowledge graph. Here's what this one connects to.
PART OF domain/physical-protection