CMMC Level 2 Practice 3.10.1: physical access for maintenance individuals
CMMC Level 2 Practice 3.10.1 requires you to control physical access to the environments where CUI systems live, with special attention to third-party maintenance personnel and maintenance activities. You operationalize it by defining “maintenance” access paths, requiring authorization and escort where needed, logging activity, and retaining evidence that access is limited, reviewed, and enforced. 1
Key takeaways:
- Treat maintenance as a high-risk physical access scenario, not a routine visitor flow. 1
- Build a repeatable process: pre-approve, verify identity, restrict areas, supervise, and capture logs. 1
- Evidence wins assessments; plan recurring collection from badges, visitor systems, and maintenance tickets. 2
“Maintenance” is where otherwise-strong physical security programs tend to break: an HVAC contractor needs ceiling access, a copier technician needs to open a device with stored scans, or a data center tech needs to replace a failed drive. CMMC Level 2 Practice 3.10.1 (mapped to NIST SP 800-171 Rev. 2 3.10.1) expects you to prevent these necessary activities from becoming uncontrolled entry into rooms, racks, wiring closets, or work areas where CUI is processed or stored. 1
For a Compliance Officer, CCO, or GRC lead, the fastest path is to translate the requirement into a single operational rule: maintenance personnel only enter controlled areas after approval, identity verification, and physical restrictions are applied, and you can prove it with logs and tickets. This page focuses on execution: scoping which spaces count, choosing control points (badges, keys, escorts, cages), defining who can approve, and setting up evidence capture that stands up in a CMMC assessment under the CMMC Program. 3 2
Requirement: CMMC Level 2 Practice 3.10.1 (physical access for maintenance individuals)
Plain-English interpretation
You must control physical access to facilities and spaces where CUI systems exist, specifically for people doing maintenance (internal staff and third parties). “Control” means you decide who can enter, when they can enter, what they can access once inside, and you keep records that show you followed your process. 1
Maintenance is a trigger for exceptions. Assessors will look for whether your exceptions are governed (approved, limited, monitored) or informal (“the tech always comes in that door and someone props it open”). 2
Who it applies to (entity and operational context)
This practice applies to any organization pursuing CMMC Level 2 that handles CUI under DoD contracts and therefore must implement the NIST SP 800-171 Rev. 2 practices within the CMMC Program. 3 2 1
Operational contexts where 3.10.1 shows up:
- Corporate offices with CUI enclaves (locked suite, lab, engineering area).
- Manufacturing floors with controlled test stations, OT/ICS cabinets, or QA labs tied to CUI.
- Data centers, server rooms, IDFs/MDFs, wiring closets, secure print/scan rooms.
- Any location where third parties perform repair, calibration, cleaning, facilities work, or IT break/fix near CUI assets. 1
Regulatory mapping and scope note
CMMC Level 2 practice 3.10.1 is mapped to NIST SP 800-171 Rev. 2 requirement 3.10.1 and addresses physical access for individuals whose maintenance activities could expose systems or CUI. 1 Under CMMC, you are expected to implement and be able to demonstrate the practice in assessment. 3 2
Regulatory text
Provided excerpt: “CMMC Level 2 practice mapped to NIST SP 800-171 Rev. 2 requirement 3.10.1 (addresses physical access for individuals whose maintenance).” 1
What the operator must do: Put a governed process around physical access for maintenance personnel so they cannot freely enter controlled areas or access CUI systems without authorization, restriction, and oversight. Build the process so it produces repeatable evidence for CMMC assessments. 2
What you actually need to do (step-by-step)
1) Define what “maintenance” means in your environment
Create a short maintenance access classification that your teams can apply consistently:
- Facilities maintenance (HVAC, electrical, fire systems, plumbing).
- IT maintenance (break/fix, cabling, rack work, device repair).
- Office equipment maintenance (printers/copiers, shredders, fax/MFP).
- Specialized maintenance (calibration, lab equipment service, machine tool service). 1
Output: a one-page “Maintenance Access Standard” that states maintenance is a controlled access event when it touches a controlled space or CUI asset. 1
2) Scope the controlled spaces and assets
Document (a) controlled areas and (b) “maintenance-adjacent” spaces that can bypass controls.
- Controlled areas: server rooms, CUI enclave rooms, secure labs, locked cabinets/cages.
- Adjacent bypass points: ceiling plenum access, loading docks to cage corridors, shared telecom closets. 1
Output: a simple floorplan mark-up or controlled area register tied to your CUI boundary description. 2
3) Establish authorization rules (who approves, what’s pre-approved)
Set explicit approval points:
- Planned maintenance: require a work order/ticket with scope, date/time window, technician identity, and areas to be accessed.
- Emergency maintenance: allow expedited approval but still require identity verification and post-event documentation. 1
Define approvers by space/asset:
- Facilities manager approves building systems access.
- IT/security approves access to server room, racks, network closets.
- System owner approves access to CUI system components. 1
4) Control entry: identity, badges/keys, and time bounds
Operational controls that usually satisfy assessor expectations:
- Verify identity at arrival (government ID check or existing badge validation).
- Issue visitor badge distinct from employee badges, time-limited to the window.
- Prohibit “badge sharing” and master key handoffs to third parties.
- Enforce sign-in/sign-out for controlled areas. 1
If you use electronic access control, configure reports for:
- Door access logs by person, door, and time window.
- Exceptions (forced door, door held open) routed to review. 1
5) Restrict what the maintenance person can reach
Use one or more of these, based on risk:
- Escort requirement in controlled areas (default for third-party maintenance).
- Physical barriers: locked racks, cages, locked cabinets for media and backups.
- “Tools and bags” control: inspect bags on entry/exit for high-risk areas, where feasible under your policy. 1
Write a rule that escorts must remain present and are accountable for the visitor’s path and actions in controlled areas. 1
6) Log the maintenance activity and close it out
Tie physical access to a record:
- Work order/ticket number
- Technician/company
- Areas accessed
- Escort name
- Start/end time
- Assets touched (serial numbers when feasible)
- Any anomalies (photos, seal breaks, unexpected access) 1
Close-out checks:
- Confirm all doors/racks re-secured.
- Confirm no media removed without authorization.
- For IT maintenance, confirm chain-of-custody if any component left the site. 1
7) Set recurring evidence capture (make assessment easy)
Most teams fail 3.10.1 on evidence, not intent. Build a lightweight monthly or quarterly evidence pull:
- Visitor logs for controlled spaces
- Door access report for server room / enclave doors
- Sample maintenance tickets mapped to access events
- Escort roster/training acknowledgment 2
Daydream fit (practical, not theoretical): use Daydream to map 3.10.1 to a documented control and schedule recurring evidence capture so you are not assembling proof during the assessment window. 2
Required evidence and artifacts to retain
Keep artifacts that show design and operation:
Design artifacts
- Physical Access Control Policy + Maintenance Access Standard (maintenance-specific section). 1
- Controlled area register (rooms, racks, cages) aligned to CUI boundary narrative. 2
- Roles/approvals matrix for maintenance access.
Operational artifacts
- Visitor sign-in/sign-out logs for maintenance personnel.
- Badge issuance records or temporary credential logs.
- Electronic door access logs for controlled areas.
- Maintenance work orders/tickets that include approvals, scope, time window, escort, and closure notes.
- Incident/exception records for any unauthorized or anomalous access. 1
Common exam/audit questions and hangups
Assessors often probe the same fault lines under CMMC assessment expectations. 2
Common questions:
- “Show me how a third-party technician gets approved to enter the server room.”
- “How do you prevent a technician from being unescorted in a controlled area?”
- “How do you link this door access log entry to an approved maintenance task?”
- “What happens in emergencies after hours?”
- “Which areas are in scope for CUI, and how is that reflected in physical controls?” 1
Hangups that slow teams down:
- No single owner for physical access evidence (Facilities has keys; IT has badge logs; Security has visitor logs).
- Maintenance is outsourced, but contracts do not require your access procedures.
- Controlled areas exist informally (“everyone knows the lab is sensitive”) without documentation. 1
Frequent implementation mistakes and how to avoid them
Mistake: Treating maintenance as “just a visitor.”
- Fix: Add a maintenance category with stricter defaults (approval + escort + ticket linkage). 1
Mistake: Relying on a policy statement with no operational logs.
- Fix: Define what artifacts are produced every time (ticket + visitor log + door report). Test the evidence pull before an assessment. 2
Mistake: “Shared spaces” not addressed (e.g., shared telecom closet in a multi-tenant building).
- Fix: Add compensating controls: locked racks/cages, lockable cabinets, escort requirements, or relocating CUI components to controlled areas. 1
Mistake: Emergency maintenance bypasses controls permanently.
- Fix: Allow emergency entry but require retrospective documentation and a supervisor review of logs and scope. 1
Enforcement context and risk implications (practical)
No public enforcement cases were provided in the source catalog for this specific practice, so treat enforcement risk as program and contract performance risk rather than a case-driven narrative. CMMC is implemented through the DoD CMMC Program and codified in the CMMC Program rule; failing a practice can affect eligibility to receive certain DoD awards that require the level. 3 2
Operational risk is straightforward: maintenance personnel can gain proximity access to devices, ports, network gear, printed CUI, or media. If your process cannot prove control, you risk assessment findings and increased likelihood of security incidents tied to physical access gaps. 1
Practical 30/60/90-day execution plan
First 30 days (Immediate stabilization)
- Identify controlled areas and maintenance-adjacent bypass points; document them in a controlled area register. 1
- Write a maintenance access standard: approvals, escort, identity verification, logging requirements. 1
- Pick your evidence sources (badge system, visitor log, ticketing system) and assign an evidence owner. 2
Next 60 days (Operationalize and test)
- Update visitor procedures and receptionist/security post orders to include “maintenance” handling for controlled areas. 1
- Implement escort training for staff authorized to escort into controlled spaces; collect acknowledgments.
- Run tabletop scenarios: planned maintenance, emergency after-hours, multi-day projects, and verify logs are produced.
By 90 days (Assessment-ready evidence)
- Perform an internal control test: select maintenance events and trace end-to-end (approval → entry → escort → exit → closure). 2
- Fix gaps (missing logs, inconsistent approvals, unclear scoping).
- Set recurring evidence capture in Daydream so your next assessment cycle has a clean, continuous record set. 2
Frequently Asked Questions
Does 3.10.1 only apply to third-party maintenance technicians?
No. It applies to individuals performing maintenance, including employees and third parties, when their work creates physical access to controlled spaces or CUI systems. Focus controls where maintenance creates exposure. 1
What if our building is multi-tenant and we can’t fully control the telecom closet?
Document the constraint and implement compensating controls such as locked racks/cages, locked patch panels, and escort requirements for any access you can influence. Align the closet treatment to your controlled area register and CUI boundary narrative. 1
Do we need escorts for all maintenance work?
Not always, but escorts are a common, defensible default for third-party maintenance in controlled areas. Where you don’t escort, document the rationale and replace it with equivalent restrictions and logging. 1
How do we prove compliance during an assessment?
Provide your written standard plus sampled records: approved maintenance tickets, visitor logs, badge/door access reports, and closure notes that show access matched the approved scope and time window. Assessors expect both policy and operational evidence. 2
What counts as “maintenance” for printers and copiers that may store scans?
Treat service access to devices that process or store CUI as maintenance that needs approval, supervision, and logging, especially if storage modules are accessed or removed. Tie the visit to an asset-specific ticket and confirm closure checks. 1
Our facilities team manages keys, and IT manages badges. How do we keep evidence coherent?
Create a single “maintenance access event” record keyed by ticket number, and attach or reference the relevant key sign-out, visitor log entry, and door report. Assign one control owner to perform periodic evidence pulls and exceptions review. 2
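The evidence trace described in the steps above and in this answer (link each door access log entry to an approved ticket, flag entries outside the approved window or scope, and route door exceptions to review), as an added example that is not part of the original page or of any Daydream feature; it assumes a CSV door-log export of the form timestamp,person,door,result and uses constructed ticket and log data.

```python
# Added example (not the page's or any vendor's code): link door access log
# entries to approved maintenance tickets and flag anything needing review.
from collections import namedtuple
from dataclasses import dataclass
from datetime import datetime

@dataclass
class Ticket:
    number: str          # work order number: the key of the access event record
    technician: str      # name as printed on the temporary visitor badge
    approved_doors: set  # controlled doors inside the approved scope
    start: datetime      # approved time window
    end: datetime

DoorEvent = namedtuple("DoorEvent", "ts person door result")  # result: granted/forced/held_open

def parse_door_log(lines):
    """Parse constructed CSV export lines: timestamp,person,door,result."""
    rows = [[f.strip() for f in line.split(",")] for line in lines]
    return [DoorEvent(datetime.fromisoformat(ts), p, d, r) for ts, p, d, r in rows]

def reconcile(tickets, events):
    """Map each granted entry to its ticket; list the events needing review."""
    links, findings = {}, []
    for e in events:
        key = (e.ts.isoformat(), e.person, e.door)
        if e.result != "granted":       # forced / held-open doors: always review
            findings.append((key, f"door exception: {e.result}"))
            continue
        active = [t for t in tickets
                  if t.technician == e.person and t.start <= e.ts <= t.end]
        if not active:
            known = any(t.technician == e.person for t in tickets)
            findings.append((key, "outside approved window" if known
                             else "no approved maintenance ticket"))
        elif e.door not in active[0].approved_doors:
            findings.append((key, f"door outside scope of {active[0].number}"))
        else:
            links[key] = active[0].number
    return links, findings

# Constructed sample data: one approved copier-service visit, four door events.
TICKETS = [Ticket("WO-1042", "J. Tech (Acme Copier)", {"PRINT-ROOM"},
                  datetime(2024, 5, 6, 9, 0), datetime(2024, 5, 6, 12, 0))]
DOOR_LOG = ["2024-05-06T09:12:00, J. Tech (Acme Copier), PRINT-ROOM, granted",
            "2024-05-06T10:40:00, J. Tech (Acme Copier), SERVER-ROOM, granted",
            "2024-05-06T13:05:00, J. Tech (Acme Copier), PRINT-ROOM, granted",
            "2024-05-06T14:00:00, -, SERVER-ROOM, held_open"]
LINKS, FINDINGS = reconcile(TICKETS, parse_door_log(DOOR_LOG))
```

Each entry in LINKS is a door event that can be shown to an assessor against its ticket; each entry in FINDINGS is a record the evidence owner reviews and either attaches a retrospective approval to or files as an exception.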
Footnotes
1. NIST SP 800-171 Rev. 2
2. DoD CMMC Program Guidance