NIST SP 800-171 Rev 2 practice 3.10.2 requires organizations to protect and monitor the physical facility and support infrastructure for systems that process, store, or transmit CUI. Protection includes physical barriers, environmental controls, and access hardening that prevent unauthorized entry or tampering with equipment. Monitoring encompasses surveillance systems, intrusion detection, and environmental sensors that provide continuous or near-continuous visibility into the physical security posture of those facilities. Support infrastructure includes power distribution, HVAC, cabling, and other utilities whose failure or compromise could impact system confidentiality, integrity, or availability. Together, these measures ensure that physical threats—whether from adversarial actors or environmental hazards—are identified and addressed in a timely manner.
Where it stops · what it isn't
- This practice does not cover logical or network-based access control to systems; that is addressed by CMMC domain AC (3.1.x).
- This practice does not address visitor escorting procedures or access logs, which are governed by PE 3.10.1.
- This practice does not mandate specific media sanitization or disposal controls, which fall under MP 3.8.x.
- This practice does not specify maintenance personnel verification or maintenance tool controls, which are covered by MA 3.7.x.
- This practice does not replace incident response procedures triggered after a physical breach is detected; IR domain practices govern those response actions.