CMMC Physical Protection: Securing Your Office Without a Security Guard

When people hear "cybersecurity," they think about passwords, firewalls, and antivirus software. Physical security often gets overlooked. But if someone can walk into your office and access your computers directly, all those digital protections don't matter much.

CMMC Level 1 includes five Physical Protection requirements. The good news: most small offices already do much of this instinctively. You lock your doors. You don't let strangers wander around unsupervised. You know who has keys.

The challenge isn't usually implementing physical security—it's documenting what you're already doing and closing a few gaps you might not have noticed.


PE.L1-3.10.1: Limit Physical Access

Plain English: Control who can physically get into spaces where your systems are located.

This isn't just about the front door to your building. It's about the specific areas where computers, servers, and networking equipment live. Who can walk up to your server? Who can sit down at a workstation with access to contract information?

What This Looks Like in Practice

Locked doors to office areas. If your business shares a building with other tenants, your office space should be locked. Employees have keys or badges; others don't get in without being let in.

Server closet or IT area locked separately. If you have a server, network equipment, or other critical infrastructure, it should be in a space with additional access control. Not everyone in the office needs access to the server closet. A simple keyed door is enough—the point is limiting access to people who actually need it.

Key and badge distribution is controlled. You decide who gets keys or access badges. It's not a free-for-all. New employees get access as part of onboarding. Departing employees surrender their access devices.

Workstations in controlled areas. Computers that handle FCI shouldn't be in public-facing areas where customers or visitors could access them. Reception areas, waiting rooms, and shop floors visible to visitors need extra consideration.

Evidence You'll Need

  • A floor plan or description showing which areas are access-controlled
  • Inventory of locks, doors, and access points
  • Documentation of who has authorized access to each area

PE.L1-3.10.3: Escort Visitors

Plain English: Don't let strangers wander around your office alone.

When someone who doesn't work for you enters your space, they should be accompanied. This applies to everyone—vendors doing repairs, delivery people, job candidates, customers visiting for meetings. If they're not an employee, they don't roam freely.

What This Looks Like in Practice

Visitors sign in. A simple log at the front desk: name, company, who they're visiting, time in. Nothing elaborate—a clipboard and pen work fine.

Visitors are escorted. Someone from your company accompanies visitors in areas where they could access systems or information. They don't get left alone in the conference room next to an unlocked workstation.

Visitors sign out. When they leave, they sign out. You have a record of when they arrived and when they left.

Exceptions are handled sensibly. A delivery driver dropping a package at reception doesn't need a full escort. But a technician working on your copier for two hours? They should be monitored or escorted, especially if that copier is near computers with FCI.

Evidence You'll Need

  • A written visitor policy
  • Visitor sign-in logs (keep these for a reasonable period)

PE.L1-3.10.4: Maintain Physical Access Logs

Plain English: Keep records of who accessed your facility and when.

If something goes wrong—or if you just need to verify who was in the building on a particular day—you need records. This requirement overlaps with visitor logs but extends to employee access as well.

What This Looks Like in Practice

Electronic badge systems do this automatically. If you use key cards or badges, your system likely logs every entry. Make sure those logs are being retained and that you can access them when needed.

Paper sign-in logs work too. Not every small business has an electronic access system. A paper log for visitors combined with your knowledge of employee schedules can satisfy this requirement. The key is having some record.

Logs are retained. Don't throw away last month's visitor log. Keep access records for a reasonable period—at least a year is a good practice.

Logs are protected. Access records shouldn't be easily altered or destroyed. Electronic logs should have appropriate access controls. Paper logs should be stored securely once completed.

Evidence You'll Need

  • Physical access logs (electronic or paper)
  • Records showing how long logs are retained
  • Evidence that logs are protected from tampering
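The checks an assessor would expect you to be able to answer from a visitor log (who never signed out, who went past reception without an escort, which long visits deserve a second look, what is old enough to archive) can be scripted once the clipboard sheet is typed into a spreadsheet. The following is an added example, not code from this article or from CMMCheck; the CSV column names and every row in it are constructed for the illustration, and the one-hour threshold and "reception" host label are assumptions.

```python
"""Audit a transcribed visitor log for incomplete or unescorted entries.

Added example for PE.L1-3.10.3 and PE.L1-3.10.4. The CSV layout, column
names and every row below are constructed for this example; they are not a
format the article prescribes.
"""
import csv
import io
from datetime import datetime, timedelta

# Constructed sample log, as it might be typed up from the front-desk clipboard.
SAMPLE_LOG = """\
date,name,company,host,time_in,time_out,escort
2024-03-04,Dana Reyes,Copier Co,J. Park,09:05,11:10,J. Park
2024-03-04,Lee Chen,Parcel Express,reception,10:20,10:22,
2024-03-05,Sam Ortiz,Candidate,M. Alvarez,13:00,,M. Alvarez
2024-03-06,Pat Nguyen,HVAC Services,facilities,08:30,12:45,
"""

# Hosts that keep the visitor in the lobby (the article's delivery-driver
# exception). Anyone beyond this set is expected to have an escort recorded.
# The label "reception" is an assumption for this example.
RECEPTION_ONLY_HOSTS = {"reception"}


def parse_log(text):
    """Return the log rows as dicts, adding a parsed entry timestamp."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["entered_at"] = datetime.strptime(
            f"{row['date']} {row['time_in']}", "%Y-%m-%d %H:%M")
    return rows


def missing_sign_out(rows):
    """Visitors with a time in but no time out: the record is incomplete."""
    return [r["name"] for r in rows
            if r["time_in"].strip() and not r["time_out"].strip()]


def unescorted(rows):
    """Visitors who went past reception with no escort recorded."""
    return [r["name"] for r in rows
            if r["host"] not in RECEPTION_ONLY_HOSTS and not r["escort"].strip()]


def long_visits(rows, max_minutes=60):
    """Completed visits longer than max_minutes; worth re-checking escort coverage."""
    found = []
    for r in rows:
        if not r["time_out"].strip():
            continue
        left_at = datetime.strptime(
            f"{r['date']} {r['time_out']}", "%Y-%m-%d %H:%M")
        if left_at - r["entered_at"] > timedelta(minutes=max_minutes):
            found.append(r["name"])
    return found


def past_retention(rows, today, retention_days=365):
    """Entries older than the retention period (today given as YYYY-MM-DD).

    Everything NOT returned here is still inside the retention window and
    must be kept; the article suggests at least a year.
    """
    cutoff = datetime.strptime(today, "%Y-%m-%d") - timedelta(days=retention_days)
    return [r["name"] for r in rows if r["entered_at"] < cutoff]


def audit(text, today):
    """Run every check and return the findings keyed by check name."""
    rows = parse_log(text)
    return {
        "missing_sign_out": missing_sign_out(rows),
        "unescorted": unescorted(rows),
        "long_visits": long_visits(rows),
        "past_retention": past_retention(rows, today),
    }


if __name__ == "__main__":
    for finding, names in audit(SAMPLE_LOG, "2024-03-10").items():
        print(f"{finding}: {', '.join(names) or 'none'}")
```

Run against the constructed log, the audit flags the job candidate who never signed out, the HVAC technician who worked for four hours with no escort recorded, and nothing yet old enough to archive. Keeping the transcribed sheet alongside the paper original also gives you the "evidence that logs are protected" item: the paper copy is the tamper-evident record, the spreadsheet is what you search.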

PE.L1-3.10.5: Manage Physical Access Devices

Plain English: Track your keys, badges, and access cards—and collect them when people leave.

Every key and badge you issue is a potential access point. If you don't know who has what, you don't really control physical access. And if you don't collect access devices when employees leave, former employees can still get in.

What This Looks Like in Practice

You know who has keys and badges. A spreadsheet, a list, a log—something that shows which access devices have been issued and to whom. When you issue a new key, you record it. When you collect one, you note that too.

Access devices are collected during offboarding. When someone leaves the company, collecting their key or badge is part of the exit process. Not optional. Not "we'll get it later." Part of the checklist.

Codes are changed when appropriate. If you use keypads with codes, those codes should be changed when someone who knew them leaves the company. If a key is lost, consider whether locks need to be rekeyed.

Lost or stolen devices are addressed. If an employee loses a badge or key, it gets reported and handled. Deactivate the badge. Consider rekeying if necessary. Don't just shrug it off.

Evidence You'll Need

  • Inventory of issued keys, badges, and access cards
  • Records showing collection during offboarding
  • Documentation of how lost devices are handled
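The "key tracking spreadsheet" only proves control if someone periodically reconciles it against the staff roster and acts on the differences. The following is an added example, not code from this article or from CMMCheck: it takes a constructed device inventory and a constructed HR roster (both tables, their column names and all rows are assumptions for the illustration) and produces the three things an assessor asks for under PE.L1-3.10.5, plus the "who has access to each area" list from PE.L1-3.10.1.

```python
"""Reconcile the key/badge inventory against the staff roster.

Added example for PE.L1-3.10.5 (and the per-area access list that
PE.L1-3.10.1 asks for as evidence). Both tables, their column names and all
rows are constructed for this example; they are not a format the article
prescribes.
"""
import csv
import io

# Constructed inventory: one row per physical access device ever issued.
INVENTORY = """\
device_id,type,area,issued_to,issued_on,returned_on,status
K-001,key,front door,Alice Moore,2023-01-09,,issued
K-002,key,front door,Bob Diaz,2023-02-01,2024-02-16,returned
K-003,key,server closet,Alice Moore,2023-01-09,,issued
K-004,key,server closet,Bob Diaz,2023-02-01,,issued
B-010,badge,front door,Chris Lane,2023-06-12,,issued
B-011,badge,front door,Dana Fox,2023-09-01,,lost
"""

# Constructed HR roster; "separated" means the person has left the company.
ROSTER = """\
name,status,separation_date
Alice Moore,active,
Bob Diaz,separated,2024-02-15
Chris Lane,active,
Dana Fox,active,
"""


def load(text):
    """Parse one of the CSV tables above into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def active_names(roster):
    return {r["name"] for r in roster if r["status"] == "active"}


def held_by_departed(inventory, roster):
    """Devices still marked issued to someone no longer on the active roster.

    This is the gap the article warns about: offboarding happened (Bob's
    front-door key came back) but one device was missed.
    """
    active = active_names(roster)
    return sorted(d["device_id"] for d in inventory
                  if d["status"] == "issued" and d["issued_to"] not in active)


def outstanding_for(inventory, name):
    """Offboarding checklist: every device a named person still holds."""
    return sorted(d["device_id"] for d in inventory
                  if d["status"] == "issued" and d["issued_to"] == name)


def follow_up_actions(inventory, roster):
    """Badges to deactivate and areas to consider rekeying.

    A lost badge can be deactivated in the access system; a lost or
    uncollected metal key cannot, so its area goes on the rekey list.
    """
    departed = set(held_by_departed(inventory, roster))
    deactivate, rekey = [], set()
    for d in inventory:
        unaccounted = d["status"] == "lost" or d["device_id"] in departed
        if not unaccounted:
            continue
        if d["type"] == "badge":
            deactivate.append(d["device_id"])
        else:
            rekey.add(d["area"])
    return {"deactivate_badges": sorted(deactivate), "rekey_areas": sorted(rekey)}


def holders_by_area(inventory):
    """Who currently holds a working device for each area (PE.L1-3.10.1 evidence)."""
    areas = {}
    for d in inventory:
        if d["status"] == "issued":
            areas.setdefault(d["area"], set()).add(d["issued_to"])
    return {area: sorted(names) for area, names in sorted(areas.items())}


if __name__ == "__main__":
    inv, roster = load(INVENTORY), load(ROSTER)
    print("held by departed staff:", held_by_departed(inv, roster))
    print("follow-up:", follow_up_actions(inv, roster))
    for area, names in holders_by_area(inv).items():
        print(f"{area}: {', '.join(names)}")
```

On the constructed data the reconciliation finds the server closet key that was never collected from a departed employee, lists the lost badge for deactivation, and puts the server closet on the rekey list. Running this after every departure and once a quarter, and keeping the output, is the kind of record the "Evidence You'll Need" items above are asking for.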

Small Office Reality Check

Reading through these requirements, you might picture security guards, turnstiles, and sophisticated badge systems. That's not what Level 1 requires for a small business.

Here's what actually works:

Locked doors. Your office locks. Your server closet locks. You don't need biometric scanners—just functional locks and a habit of using them.

A visitor log. A clipboard at the front desk with a sign-in sheet. Date, name, company, time in, time out. Takes seconds to maintain.

A key tracking spreadsheet. A simple document listing every key and badge, who has it, and when it was issued. Update it when you hand out or collect access devices.

Basic awareness. Employees know not to let strangers wander around. They know to ask "can I help you?" when they see an unfamiliar face.

Most gaps in Physical Protection aren't about missing equipment—they're about missing documentation. You probably already lock your doors and escort visitors. You just need to write down your procedures and keep records that prove you're following them.


Assess Your Physical Protection Compliance

Physical security feels intuitive, but the details matter for CMMC compliance. Do you have documentation? Are you keeping logs? Does everyone who had a key last year still work for you?

CMMCheck walks you through each Physical Protection requirement with simple yes/no questions. You'll quickly see whether your current practices meet the standard—and where you might have gaps.

Ready to check your CMMC Level 1 readiness? Try CMMCheck and assess your compliance in plain English.


This article is part of CMMCheck's Plain English CMMC Level 1 Guide, a complete resource for small businesses navigating DoD cybersecurity requirements.