The next four practices to be addressed reside within the Physical Protection (PE) Domain. The Physical Protection Domain covers activities which ensure that physical access to CUI asset containers is strictly controlled, managed, and monitored in accordance with CUI protection requirements. In this entry, we are discussing the first of the Practices, PE.1.131: Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals. As in the prior blog entries, the information below is taken from the CMMC Appendix B, Page B-149 (or page 189 in the PDF).

This first practice within Physical Protection is pretty straight forward: Equipment, information systems and/or their respective operating environments must be kept in a controlled location within the business (i.e. under lock and key or at least restricted access to only those individuals that can demonstrate access rights through the use of a key, key card, badge or ID/Smart card.

Discussion from the Source: NIST SP 800-171, Rev 2:

This requirement applies to employees, individuals with permanent physical access authorization credentials, and visitors. Authorized individuals have credentials that include badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed consistent with applicable laws, directives, policies, regulations, standards, procedures, and guidelines. This requirement applies only to areas within facilities that have not been designated as publicly accessible.

Limiting physical access to equipment may include placing equipment in locked rooms or other secured areas and allowing access to authorized individuals only; and placing equipment in locations that can be monitored by organizational personnel. Computing devices, external disc drives, networking devices, monitors, printers, copiers, scanners, facsimile machines, and audio debit devices are examples of equipment.

CMMC Clarification

Think about what parts of your physical space ( e. G.,, Office, plant, factory ), what equipment including the network, need to be protected from physical contact. for those parts of your company to which you won’t only specific employees to have physical access, monitor or limit who is able to enter those spaces with badges, key cards, etc.


You work for a small company as the project manager for a Department of Defense (DoD) project. The project requires special equipment that should be used only by project team members. You work with your boss to put locks on the doors to your area. This restricts access to the room to only those employees who work on the DOD project.

In our next entry, we will move to the second Practice within the Physical Protection Domain, PE.1.132, Escort Visitors and Monitor Visitor Activity.

Until next time…

By Mark Lupo, MBCP, SMP

*Originally posted on UGA Small Business Development Center*