Essex Junction, VT  |  Montebello, NY 802-335-2662  |  dkoran@davidkoran.com
CMMC Level 2 • Domain Reference

The Physical Protection Domain: defending the environment that holds the environment

Six requirements define how physical access to CUI is controlled, monitored, and recorded. The domain protects against the attacks and errors that bypass every logical control by reaching systems physically. In manufacturing environments, the implementation complexity extends to loading docks, visitor policies, and the cleaning crew after hours.

6 Controls   •   14 Domains   •   PE.3.10.1 through PE.3.10.6

What the Physical Protection Domain Is For

The Physical Protection domain addresses the physical dimensions of CUI security. Its six requirements establish how physical access to systems, equipment, and operating environments is controlled, how facilities are monitored, how visitors are managed, how physical access is recorded, and how CUI is protected at work locations beyond the primary facility. The domain is the defense against threats that reach the environment physically rather than through the network.

The practitioner reading of PE is that it protects what every other domain assumes. Access control, authentication, audit, and configuration management all operate on the premise that the systems they govern are physically protected. A system that an attacker can reach physically can be compromised in ways that network-level controls cannot prevent. Drives can be removed. Hardware can be replaced. Console access can bypass logical authentication. Keystroke loggers can be installed. When PE fails, the compliance posture of the other domains becomes advisory rather than operational.

For defense contractors in manufacturing environments, the PE domain carries implementation complexity that extends well beyond the typical office environment. Shop floors receive material deliveries. Loading docks create uncontrolled access paths. Specialized equipment sits in areas that production personnel need to reach but that also contain CUI. After-hours cleaning crews move through the entire facility unescorted. Each of these operational realities is a PE concern, and each requires deliberate handling rather than the assumption that the standard office-building model applies. The Secure Area Strategy white paper addresses these manufacturing-specific PE patterns in depth.

Physical Protection defends what every other domain assumes. A system that an attacker can reach physically can be compromised in ways that network-level controls cannot prevent, which is why PE failures render the compliance posture of adjacent domains advisory rather than operational.

The Structure of the 6 Controls

The six PE requirements organize into two clusters that reflect distinct concerns within the domain.

The first cluster covers physical access control. These three controls (3.10.1, 3.10.3, and 3.10.5) establish who is permitted physical access, how visitors are managed, and how physical access devices such as badges, keys, and combination codes are controlled. The cluster is the operational framework of the domain.

The second cluster covers monitoring, logging, and extended environments. These three controls (3.10.2, 3.10.4, and 3.10.6) address the facility protection and monitoring obligation, the audit logging of physical access, and the protection of CUI at alternate work sites. The cluster addresses the awareness and evidence dimensions of PE, plus the increasingly relevant question of how CUI is protected when personnel work outside the primary facility.

Cluster 1 • Controls 3.10.1, 3.10.3, and 3.10.5

Physical Access Control

The first cluster establishes who is permitted physical access, how visitors are handled, and how the physical access devices themselves are managed. These three controls form the operational framework that the rest of the domain depends on.

PE.L2-3.10.1 • Limit Physical Access

Physical access to organizational systems, equipment, and the respective operating environments must be limited to authorized individuals. The control is the foundational PE obligation. The assessable evidence shows that only authorized individuals can physically reach areas containing CUI systems, and that the authorization is documented. The challenge is often not the formal authorization list but the physical controls that enforce it. A badge reader at a door, a locked server room, or a controlled access perimeter all demonstrate enforcement. An unlocked door with a policy saying only authorized personnel should enter does not. This control interacts directly with Access Control, because physical access is a form of access that AC authorization decisions ultimately govern.


PE.L2-3.10.3 • Escort Visitors

Visitors must be escorted and visitor activity must be monitored. The control applies to any individual who is not among the authorized personnel identified under 3.10.1. This includes customers, vendor representatives, family members, delivery personnel, and contractors whose authorization does not extend to unescorted facility access. The escort requirement is active, not nominal. A staff member who signs in a visitor and then leaves them unattended has not provided an escort. The monitoring requirement means that someone with authorization is continuously aware of what the visitor is doing during the visit. This control interacts with the Maintenance domain through MA.3.7.6, which requires supervision of maintenance personnel without required access authorization.


PE.L2-3.10.5 • Manage Physical Access

Physical access devices must be controlled and managed. Physical access devices include badges, keys, combination codes, biometric templates, and any other mechanism that grants entry. The management obligation covers issuance, tracking, recovery, and disposition. An employee who leaves the organization must return badges and keys, and access credentials must be revoked promptly. Lost or stolen devices must be reported and deactivated. The assessable evidence includes the inventory of physical access devices, the issuance and return records, and the deactivation log. Findings often involve departed employees whose badges remain active months after separation, or combination codes that have not changed despite turnover in the personnel who knew them.


Cluster 2 • Controls 3.10.2, 3.10.4, and 3.10.6

Monitoring, Logging, and Extended Environments

The second cluster addresses the facility protection and monitoring obligation, the audit logging of physical access, and the protection of CUI when work extends beyond the primary facility. These three controls add the evidence and awareness dimensions to the access control foundation.

PE.L2-3.10.2 • Monitor Facility

The physical facility and support infrastructure for organizational systems must be protected and monitored. The protection obligation covers the physical structure, environmental systems, and the building infrastructure on which CUI systems depend. Monitoring covers the observation of the facility for unauthorized access or unusual activity. Video surveillance, alarm systems, and documented patrol or inspection routines all satisfy aspects of the requirement. The evidence standard is that monitoring occurs continuously for the areas that protect CUI systems, not just during business hours when personnel are present. This control interacts with the Incident Response domain because the monitoring capability is often what initiates the response to physical security events.


PE.L2-3.10.4 • Physical Access Logs

Audit logs of physical access must be maintained. The control requires that physical access events be recorded in a way that supports subsequent review and investigation. Electronic badge systems produce these logs automatically. Facilities that rely on manual sign-in must produce equivalent records through visitor logs, key checkout records, or similar mechanisms. The assessable evidence includes both the logs themselves and the demonstration that they are retained for an appropriate period and reviewed as part of the broader audit program. This control interacts directly with Audit and Accountability, which governs the broader audit obligations that physical access logs fall under.


PE.L2-3.10.6 • Alternative Work Sites

Safeguarding measures must be enforced for CUI at alternate work sites. This control addresses the protection of CUI when work occurs away from the primary facility. Remote work, home offices, field sites, customer locations, and conference venues all fall within the scope when CUI is handled at those locations. The required safeguards are determined by the organization based on the risk at the alternate site, but they must be documented and enforced rather than assumed. Common implementations include home office security requirements, VPN access with endpoint controls, physical document handling procedures for CUI carried away from the facility, and restrictions on the types of work that can be performed at alternate sites. The control has become substantially more consequential since the expansion of remote work, and it is one of the more commonly underbuilt areas of the domain.


Where Physical Protection Intersects with Other Domains

Physical Protection intersects with several domains because physical access is the precondition for many of the technical controls that other domains implement.

Access Control governs the authorization framework that PE enforces physically. The decision about who is permitted physical access to a space is an access decision of the same type that AC applies to systems. A coherent compliance program treats physical and logical access authorizations as elements of a single framework rather than as separate programs.

Maintenance interacts with PE through MA.3.7.6, which requires supervision of maintenance personnel without required access authorization. The supervision is operationally a PE activity, because it occurs during physical presence in the facility. The two controls work together to address the specific case of technicians who require physical access for maintenance but lack the broader authorization.

Media Protection depends on PE for the physical storage locations where CUI media is held. The locked rooms, controlled facilities, and environmental protections that MP.3.8.1 and 3.8.9 require are operational consequences of PE implementation. Media in a secure location is only secure if the location itself is physically protected under PE.

Audit and Accountability intersects through PE.3.10.4, which requires physical access logs. The logs are audit records, and they fall under the broader AU obligations for retention, protection, and review. A consistent program treats physical and logical audit logs as parts of the same evidence infrastructure.

Configuration Management depends on PE because physical access to a system permits configuration change outside the normal change management workflow. CM.3.4.5 specifically requires physical access restrictions for change activity, and PE provides the physical enforcement of those restrictions.

Personnel Security is the upstream source of the authorization status that PE relies on. The decision about who holds authorization for physical access originates with personnel records and role assignments that PS maintains. When PS is weak, PE enforcement operates against unreliable authorization data.

Common Implementation Pitfalls

Several patterns come up repeatedly in Physical Protection readiness work.

Tailgating at badge readers. The badge system functions correctly, but the operational culture permits one person to hold the door for another. Over time, this pattern creates regular unauthorized entries that the badge logs do not capture because the second person never presented credentials. The remediation is partly technical (anti-tailgating mechanisms, mantraps) and partly cultural (training, accountability for holding doors).

Loading dock and delivery access that bypasses the formal access control. The front door requires a badge. The loading dock has a roll-up door that is open during deliveries. Delivery personnel move through the facility to drop off materials, often passing areas that contain CUI. The 3.10.1 obligation applies to the loading dock path as much as to the front door. Remediation typically involves a receiving area that separates deliveries from the rest of the facility, along with escort procedures for delivery personnel who must go beyond the receiving area.

After-hours cleaning crew treated as trusted. The cleaning service has building access outside business hours, moves through the entire facility, and is rarely escorted or monitored. The 3.10.3 escort requirement applies to the cleaning crew the same way it applies to any other visitor. Remediation involves either extending authorization to the cleaning crew through personnel vetting, or implementing after-hours escort procedures, or physically restricting the cleaning crew's access to areas that do not contain CUI.

Departed employees with active badges. The HR separation process does not trigger immediate physical access deactivation, and former employees retain badge access for weeks or months after leaving. The 3.10.5 management obligation requires prompt deactivation, and the assessable evidence is the time between separation and deactivation across a sample of recent departures.

Conference rooms with CUI visibility from outside. The conference room is inside the controlled perimeter, but its windows face a common corridor or public space. During meetings where CUI is displayed, the information is visible to anyone in the adjacent area. The 3.10.1 limitation on physical access extends to visual access in this scenario, and the remediation involves blinds, privacy film, or meeting room placement that avoids the visibility problem.

Alternate work sites without documented protections. Remote workers handle CUI from home offices, but the organization has no documented requirements for home office security, no verification that the requirements are met, and no record of which employees handle CUI at alternate sites. The 3.10.6 obligation requires enforced safeguards, and a policy alone does not satisfy the enforcement requirement.

Physical access logs retained but never reviewed. The badge system generates logs continuously, and the logs are retained per policy. No one ever reviews them. Anomalous access patterns, after-hours entries by unexpected personnel, and failed access attempts accumulate in the log with no response. The 3.10.4 obligation extends beyond retention to the use of the logs as evidence, which in practice means periodic review with documented findings.
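The last two pitfalls above (departed employees with active badges under 3.10.5, and logs that are retained but never reviewed under 3.10.4) both come down to a periodic review that an organization can run over its badge export. The following is an added example, not code from this page or from any badge system vendor: it assumes a simple CSV export format and a constructed HR separation record, and flags badges still granting entry after separation, after-hours entries into CUI areas, and repeated denials at one door.

```python
"""Added example: review constructed badge-reader logs for the 3.10.4 and 3.10.5
findings above. The export format, site hours and HR record are assumptions."""
from collections import Counter
from datetime import date, datetime, time

# Constructed sample export: timestamp,badge,holder,door,result
BADGE_LOG = """\
2024-03-04T08:55:12,B1001,alice,CUI-LAB,GRANTED
2024-03-04T22:41:03,B1002,bob,CUI-LAB,GRANTED
2024-03-05T07:30:00,B1003,carol,CUI-LAB,GRANTED
2024-03-05T11:14:09,B1004,dave,CUI-LAB,DENIED
2024-03-05T11:14:21,B1004,dave,CUI-LAB,DENIED
2024-03-05T11:14:40,B1004,dave,CUI-LAB,DENIED
2024-03-05T13:00:05,B1001,alice,LOBBY,GRANTED
"""
# Constructed HR separation record: badge -> last day of employment
SEPARATIONS = {"B1003": date(2024, 2, 16)}
CUI_AREAS = {"CUI-LAB"}                     # doors that open onto CUI areas
BUSINESS_HOURS = (time(7, 0), time(19, 0))  # assumed site hours
DENIAL_THRESHOLD = 3                        # denials at one door that merit review

def parse_log(text):
    """One dict per event; timestamps become datetime objects."""
    events = []
    for line in text.splitlines():
        ts, badge, holder, door, result = line.split(",")
        events.append(dict(ts=datetime.fromisoformat(ts), badge=badge,
                           holder=holder, door=door, result=result))
    return events

def active_after_separation(events, separations):
    """3.10.5 finding: a badge still granting entry after its holder left."""
    return [(e["badge"], e["holder"], e["ts"].isoformat()) for e in events
            if e["result"] == "GRANTED" and e["badge"] in separations
            and e["ts"].date() > separations[e["badge"]]]

def after_hours_cui_entries(events, hours=BUSINESS_HOURS):
    """3.10.4 finding: granted entry to a CUI area outside business hours."""
    start, end = hours
    return [(e["holder"], e["door"], e["ts"].isoformat()) for e in events
            if e["door"] in CUI_AREAS and e["result"] == "GRANTED"
            and not (start <= e["ts"].time() < end)]

def repeated_denials(events, threshold=DENIAL_THRESHOLD):
    """3.10.4 finding: a badge denied at the same door `threshold` or more times."""
    counts = Counter((e["badge"], e["door"]) for e in events if e["result"] == "DENIED")
    return sorted(k for k, n in counts.items() if n >= threshold)

def review(text=BADGE_LOG, separations=SEPARATIONS):
    """Run all three checks; the returned dict is the documented review record."""
    events = parse_log(text)
    return {"active_after_separation": active_after_separation(events, separations),
            "after_hours_cui_entries": after_hours_cui_entries(events),
            "repeated_denials": repeated_denials(events)}
```

Each non-empty list in the result is a finding to record with its disposition, which is the documented review that 3.10.4 expects beyond retention.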

Where to Start

For an organization new to the PE domain, the first work is the authorization inventory.

The foundational deliverable is a list of all individuals who hold physical access to areas containing CUI systems or media, including the areas each person can reach and the authorization basis for the access. Without this inventory, the 3.10.1 limitation cannot be evaluated, the 3.10.5 device management cannot be verified, and the 3.10.3 visitor determination cannot be made because the organization does not know who is authorized in the first place.

The second deliverable is the facility walk-through: a systematic review of every physical access path to areas containing CUI, including the obvious doors and the less obvious paths such as loading docks, maintenance corridors, roof access, and inter-tenant walls. The walk-through frequently reveals access paths that the compliance program did not know existed. Closing those gaps is often straightforward once they are identified.

The third deliverable is the alternate work site policy and inventory: which employees handle CUI at alternate sites, what safeguards those sites require, and how the organization verifies the safeguards are in place. The 3.10.6 requirement has become substantially more consequential with the expansion of remote work, and an untreated alternate work site population is a significant gap in most readiness postures.

With the authorization inventory, facility walk-through, and alternate work site policy in place, the monitoring, logging, and visitor control obligations become operational disciplines rather than design problems. For manufacturing environments specifically, the Secure Area Strategy white paper addresses the specific patterns that apply when equipment-intensive operations cannot rely on standard office-environment PE approaches.


David W. Koran

CyberAB Registered Practitioner Advanced

Founder of a CMMC consulting practice serving Defense Industrial Base contractors and the legal counsel who support them, with a focus on readiness, enablement, and implementation. Associate Member of the American Bar Association Section of Public Contract Law. Author of The CMMC Decision, now in its second edition.

dkoran@davidkoran.com  •  (802) 335-2662
