NIST 800-171 • LEVEL 2 • PHYSICAL PROTECTION
3.10.1 — Physical Access Authorizations
Develop, approve, and maintain a list of individuals with authorized access to the facility where the system resides. Issue authorization credentials for facility access. Review the facility access list {{ insert: param, A.03.10.01.ODP.01 }}. Remove individuals from the facility access list when access is no longer required.
CMMC Practice Mapping
Assessment Objectives
- a list of individuals with authorized access to the facility where the system resides is developed.
- a list of individuals with authorized access to the facility where the system resides is approved.
- a list of individuals with authorized access to the facility where the system resides is maintained.
- the facility access list is reviewed {{ insert: param, A.03.10.01.ODP.01 }}.
- individuals from the facility access list are removed when access is no longer required.
- authorization credentials for facility access are issued.
Practitioner Notes
You need to know who is allowed into the spaces where your systems live, and you need to keep that list current. This is not just about server rooms — it includes any area where CUI is processed or stored.
Example 1: Maintain a facility access list — a document or spreadsheet listing every person authorized to enter your server room, data center, or CUI processing areas. Include their name, role, and date authorized. Review and update this list at least quarterly. When someone leaves the company or changes roles, remove them immediately.
Example 2: Use a badge access control system (e.g., Honeywell Pro-Watch, LenelS2, or Verkada Access Control) to issue credentials tied to individual employees. Program the system so that only people on the authorized access list can badge into sensitive areas. When you revoke authorization, deactivate their badge in the system the same day.
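The two examples above come down to a reconciliation that most organizations end up doing by hand: compare the approved access list with the HR roster (to catch people who left or changed roles) and with the badge system's active credentials (to catch badges that still open a sensitive area without a matching authorization), and confirm the periodic review actually happened. The script below is an added illustration of that reconciliation, not part of the NIST or CMMC text and not tied to any of the badge products named above; the record layout, the field names and the sample people are constructed assumptions, and a real deployment would feed it exports from HR and the badge system instead.

```python
"""Reconcile a facility access list against an HR roster and a badge-system export.

Added example for 3.10.1; data and field names are constructed assumptions.
"""
from datetime import date

# Approved facility access list (constructed): who may enter which area, and since when.
ACCESS_LIST = [
    {"name": "alice.example", "role": "Systems Administrator", "authorized": "2024-01-15", "area": "Server Room"},
    {"name": "bob.example",   "role": "Facilities",            "authorized": "2023-11-02", "area": "Server Room"},
    {"name": "carol.example", "role": "Engineer",              "authorized": "2024-03-20", "area": "CUI Lab"},
]

# HR roster of currently active employees (constructed). Bob has left the company.
ACTIVE_EMPLOYEES = {"alice.example", "carol.example", "dave.example"}

# Badge-system export (constructed): credential holder -> areas the badge currently opens.
BADGE_EXPORT = {
    "alice.example": {"Server Room"},
    "bob.example": {"Server Room"},   # badge never deactivated after departure
    "dave.example": {"CUI Lab"},      # active badge, but never placed on the approved list
    "carol.example": set(),
}

REVIEW_INTERVAL_DAYS = 90  # "at least quarterly", per the practitioner notes


def separated_still_listed(access_list, active_employees):
    """Names on the approved list that HR no longer reports as active: remove them."""
    return sorted(e["name"] for e in access_list if e["name"] not in active_employees)


def badges_without_authorization(badge_export, access_list):
    """(holder, area) pairs the badge system grants that have no matching list entry:
    either deactivate the badge or get the authorization approved and recorded."""
    authorized = {(e["name"], e["area"]) for e in access_list}
    findings = []
    for holder, areas in badge_export.items():
        for area in areas:
            if (holder, area) not in authorized:
                findings.append((holder, area))
    return sorted(findings)


def review_is_overdue(last_review, today, interval_days=REVIEW_INTERVAL_DAYS):
    """True when more than interval_days have passed since the list was last reviewed."""
    return (today - last_review).days > interval_days


def reconcile(access_list, active_employees, badge_export, last_review, today):
    """Produce the three findings an assessor will ask about under 3.10.1."""
    return {
        "remove_from_list": separated_still_listed(access_list, active_employees),
        "badge_without_authorization": badges_without_authorization(badge_export, access_list),
        "review_overdue": review_is_overdue(last_review, today),
    }


if __name__ == "__main__":
    report = reconcile(ACCESS_LIST, ACTIVE_EMPLOYEES, BADGE_EXPORT,
                       last_review=date(2024, 1, 10), today=date(2024, 6, 1))
    for finding, value in report.items():
        print(f"{finding}: {value}")
```

Note that Bob's badge is not reported by the badge check, because his list entry still authorizes the Server Room; it is the HR comparison that flags him, which is why both comparisons are needed. Running the reconciliation on a schedule and keeping its output is also straightforward evidence that the list is being reviewed and maintained.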