CMMC Level 2 Practice 3.10.2: Protect and monitor the physical facility and support infrastructure for organizational systems
CMMC Level 2 Practice 3.10.2 requires you to protect and monitor the physical facility and the “support infrastructure” (power, HVAC, cabling, network rooms, racks) that host or enable systems handling CUI. Operationalize it by defining your CUI physical boundary, enforcing controlled access to those spaces, and retaining monitoring evidence (badges/visitor logs/camera coverage and reviews) tied to that boundary. 1
Key takeaways:
- Scope first: document which rooms, racks, and support systems are inside the CUI boundary, then secure and monitor them. 2
- “Monitor” means you can detect, investigate, and show records of physical access and anomalies, not just install locks. 2
- Evidence wins assessments: align procedures, logs, and review records to the same boundary you describe in your SSP. 3
This requirement is easy to misunderstand because teams focus on doors and forget the infrastructure that keeps systems running. Practice 3.10.2 expects disciplined physical protection and monitoring for the facility areas that host organizational systems, plus the support infrastructure those systems depend on. That includes server rooms, network closets, MDF/IDF spaces, wiring cabinets, racks in shared data halls, and supporting utilities such as power distribution units, UPS, generators, HVAC controls, and fire suppression control panels when they directly support in-scope systems. 2
For a CCO or GRC lead, the fastest path is: (1) define the physical boundary for CUI systems, (2) implement access control and surveillance/monitoring proportional to the risk, (3) set a review cadence with named owners, and (4) retain records that prove the control operated over time. CMMC assessments reward coherence: your policies, SSP descriptions, diagrams, access lists, and logs should all describe the same set of spaces and the same way of working. 3
Regulatory text
Excerpt (provided): “CMMC Level 2 practice mapped to NIST SP 800-171 Rev. 2 requirement 3.10.2 (Protect and monitor the physical facility and support infrastructure for organizational systems).” 4
Operator interpretation: You must (a) protect physical spaces and enabling infrastructure for in-scope systems from unauthorized access, tampering, or disruption, and (b) monitor those spaces so you can detect and investigate physical security events. “Support infrastructure” expands scope beyond the server itself to the rooms and utilities that keep it available and trustworthy. 2
Plain-English interpretation (what the assessor expects)
You need a defensible answer to four questions:
- Where is CUI processed, stored, or transmitted? Translate that into a physical boundary (rooms, racks, cabinets, work areas). 2
- How do you prevent unauthorized physical access or tampering in that boundary? Think locks, badge access, escorted visitors, secured racks, keyed panels, and controlled keys. 2
- How do you detect and review access or anomalies? Monitoring typically means a combination of badge/access logs, visitor logs, camera coverage, alerts, and periodic reviews with documented follow-up. 2
- Can you prove it happened over time? CMMC is evidence-driven; you need artifacts that show the control ran, not just a written policy. 5
Who it applies to
Entities: Defense contractors and other federal contractors handling CUI that must meet CMMC Level 2 expectations mapped to NIST SP 800-171 Rev. 2. 6
Operational contexts that commonly fall in scope:
- On-prem server rooms, network closets, engineering labs, or test benches that touch CUI.
- Office spaces where endpoints routinely access CUI and where physical access is not already controlled by a higher-trust facility program.
- Colocation cages/suites, shared data centers, or third-party hosted spaces where you control a portion of physical security and must validate the rest via third-party management. 2
What you actually need to do (step-by-step)
1) Define the physical CUI boundary (make scope unambiguous)
- Inventory in-scope systems and map them to physical locations (building, floor, room, rack/cabinet).
- Identify “support infrastructure” dependencies for those locations: network closets feeding those rooms, UPS/PDU, HVAC serving the room, and any control panels with access that could disrupt availability or enable tampering.
- Produce a simple physical boundary diagram (even a marked floorplan) that an assessor can follow. 2
2) Implement layered physical protection
Apply controls based on the boundary type:
A. Controlled rooms (server rooms, MDF/IDF, labs)
- Restrict entry with badge/PIN or keyed lock under controlled key management.
- Post authorized access requirements and “no tailgating” expectations.
- Secure racks (locking doors) if the room is shared or has mixed-sensitivity assets. 2
B. Open office areas where CUI is accessed
- Use building access controls for after-hours restriction.
- Add local protections: cable locks for high-risk endpoints, clean desk expectations for printed CUI, and lockable storage where needed. 2
C. Third-party facilities (colocation / managed hosting)
- Document what the third party controls (e.g., perimeter, guards, CCTV) vs. what you control (e.g., cage locks, rack locks, access approvals).
- Ensure your contract/right-to-audit supports retrieving access logs and incident records relevant to your footprint. 2
3) Implement monitoring you can defend in an assessment
Monitoring should create records and a review loop:
- Access logging: badge system logs or key check-out logs for in-scope rooms.
- Visitor management: sign-in/out, identity check, escort requirement, and visitor badges distinct from employee badges.
- Video coverage (where used): cameras positioned to capture entrances to sensitive rooms/cages, with retention aligned to your investigation needs and internal policy.
- Review and follow-up: assign an owner (Facilities, Security, or IT) to review exceptions (after-hours access, denied attempts, forced doors) and document resolution. 2
4) Tie it to governance: policies, roles, and exceptions
- Update your physical security policy and procedures to explicitly mention in-scope areas and support infrastructure.
- Define who can approve access (system owner + Facilities/Security) and how quickly access is removed after role change or termination.
- Maintain an exceptions process (e.g., temporary badge for an auditor, emergency facilities contractor) with time-bounded approval and escort rules. 2
5) Operationalize evidence capture (don’t wait for the assessment)
A common reason teams fail 3.10.2 is not the lock but the lack of proof. Build a lightweight evidence routine:
- Monthly export of access logs for in-scope doors (or a report showing access events).
- Monthly visitor log compilation for in-scope rooms.
- A short review memo or ticket notes showing anomalies reviewed and closed.
- Quarterly access list recertification for sensitive rooms (authorized personnel list). 3
Daydream fit (practical, non-disruptive): Use Daydream to map 3.10.2 to your defined boundary, assign owners, and schedule recurring evidence requests (badge report, visitor log, access recertification) so you have continuous assessment-ready artifacts instead of a scramble. 5
Required evidence and artifacts to retain
Keep artifacts tied to the same scope you describe in your SSP:
- Physical security policy and procedures referencing protected/monitored areas. 2
- Physical boundary documentation: floorplan/diagram and an in-scope location list (rooms, cages, racks). 2
- Access control configuration evidence: door list, access groups, and approval workflow documentation.
- Authorized access roster for sensitive spaces and periodic recertification records.
- Visitor logs for in-scope spaces, plus escort procedure.
- Monitoring outputs: badge/access logs, alarm/door forced events, camera coverage map (if used), and review records with remediation notes. 2
- Third-party documentation where applicable: colocation access procedures, your access approval records, and any obtained access/incident reports relevant to your footprint. 2
Common exam/audit questions and hangups
Assessors and internal auditors tend to press on these points:
- “Show me the boundary.” Which doors, rooms, and racks are in scope for CUI systems? If you can’t point to a diagram and list, expect a long interview. 2
- “How do you monitor?” They will ask for samples of access logs and proof of review, not just that logs exist. 2
- “How do you handle third parties?” Facilities contractors, cleaners, ISP techs, and colocation staff create access pathways. They will want to see escort rules, approvals, and records. 2
- “What about network closets?” Teams secure the server room but ignore IDFs with switches that carry CUI traffic. That gap is squarely within “support infrastructure.” 2
Frequent implementation mistakes (and how to avoid them)
- Mistake: treating 3.10.2 as “we have a locked office.”
  Fix: enumerate sensitive spaces (MDF/IDF, racks, labs) and show controls per space. 2
- Mistake: cameras installed, no governance.
  Fix: document camera purpose, coverage points, who can access footage, and how you respond to incidents. Retain review records when footage is consulted for an event. 2
- Mistake: keys and badges never get deprovisioned.
  Fix: integrate HR offboarding with physical access removal and keep a record of completion for sensitive spaces. 2
- Mistake: no evidence of ongoing monitoring.
  Fix: set a routine for log exports and reviews; store samples and exception tickets. Daydream can automate recurring evidence prompts and track completion by owner. 5
Enforcement context and risk implications
No public enforcement cases were provided in the source catalog for this specific practice. Practically, the risk is assessment failure or a material SSP mismatch: you claim CUI is protected, but you cannot show that access to the supporting spaces is controlled and monitored. That gap also increases operational risk: physical tampering, service disruption, and unauthorized access pathways that bypass technical controls. 1
Practical 30/60/90-day execution plan
First 30 days (stabilize scope and minimum controls)
- Produce the physical boundary list and a marked diagram for all CUI-handling locations. 2
- Confirm each in-scope space has a defined access mechanism (badge/lock) and an owner. 2
- Stand up visitor controls for in-scope spaces (log + escort rule).
- Start evidence capture: export a sample access log and store it with the boundary documentation. 5
By 60 days (monitoring + review loop)
- Implement a repeatable access review process for sensitive rooms (approve list, remove stale access, document outcomes). 2
- Define what constitutes an anomaly (after-hours entry, denied attempts, forced door) and how it gets triaged.
- If using third-party facilities, document shared responsibility and obtain access/incident reporting procedures from the third party. 2
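The review loop described in step 3 (“Implement monitoring you can defend in an assessment”) and the anomaly definitions in this 60-day plan (after-hours entry, denied attempts, forced door) are easiest to show an assessor as a repeatable script run over the monthly badge export. The following is an added example written for this page; it is not code from the original page, from a badge-system vendor, or from Daydream. The CSV layout (`timestamp,door,badge_id,event`), the door names, badge IDs, the authorized roster and the business-hours window are all constructed assumptions. It also adds a roster check (a granted entry by a badge that is not on the approved roster for that door), which is the drift a quarterly access recertification is meant to catch.

```python
"""Badge-access log triage against this page's anomaly definitions.

Added example, not part of the original page or any badge-system product.
Assumptions: export lines are CSV "timestamp,door,badge_id,event" with event
in {GRANTED, DENIED, FORCED}; door names, badge IDs, the roster and the
business-hours window below are constructed for illustration.
"""
from collections import Counter
from datetime import datetime, time

# Constructed sample export from a badge system (not real data).
SAMPLE_LOG = """\
2024-03-04T08:55:12,MDF-01,B1001,GRANTED
2024-03-04T11:00:00,LOBBY,B1009,GRANTED
2024-03-04T12:03:44,IDF-2F,B1002,GRANTED
2024-03-04T22:41:09,MDF-01,B1001,GRANTED
2024-03-04T23:05:30,MDF-01,B1007,DENIED
2024-03-04T23:05:41,MDF-01,B1007,DENIED
2024-03-05T03:12:00,IDF-2F,,FORCED
2024-03-05T09:30:02,IDF-2F,B1003,GRANTED
2024-03-05T10:15:22,LAB-A,B1002,GRANTED
"""

# Assumed authorized-access roster per in-scope door. Doors absent from the
# roster (e.g. LOBBY) are outside the CUI physical boundary and are ignored,
# which is the "scope first" point made at the top of the page.
AUTHORIZED = {
    "MDF-01": {"B1001", "B1002"},
    "IDF-2F": {"B1001", "B1003"},
    "LAB-A": {"B1002"},
}

# Assumed policy window; entries outside it count as "after-hours".
BUSINESS_HOURS = (time(7, 0), time(19, 0))


def parse_log(text):
    """Parse CSV export lines into event dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, door, badge, event = line.split(",")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "door": door,
            "badge": badge or None,  # forced-door events carry no badge
            "event": event,
        })
    return events


def is_after_hours(ts, hours=BUSINESS_HOURS):
    """True when the timestamp falls outside the business-hours window."""
    start, end = hours
    return not (start <= ts.time() < end)


def triage(events, authorized=AUTHORIZED, hours=BUSINESS_HOURS):
    """Return (kind, door, badge, iso_timestamp) findings for in-scope doors.

    Kinds follow the page's anomaly list: FORCED_DOOR, DENIED, AFTER_HOURS,
    plus NOT_ON_ROSTER for a granted entry by a badge the approved roster
    does not list (badge group drifted from the recertified roster).
    """
    findings = []
    for e in events:
        if e["door"] not in authorized:
            continue  # outside the boundary: not reviewed under 3.10.2
        stamp = e["ts"].isoformat()
        if e["event"] == "FORCED":
            findings.append(("FORCED_DOOR", e["door"], e["badge"], stamp))
        elif e["event"] == "DENIED":
            findings.append(("DENIED", e["door"], e["badge"], stamp))
        elif e["event"] == "GRANTED":
            if e["badge"] not in authorized[e["door"]]:
                findings.append(("NOT_ON_ROSTER", e["door"], e["badge"], stamp))
            if is_after_hours(e["ts"], hours):
                findings.append(("AFTER_HOURS", e["door"], e["badge"], stamp))
    return findings


def review_summary(findings):
    """Counts by finding kind: the figures a monthly review memo would cite."""
    return dict(Counter(kind for kind, *_ in findings))


if __name__ == "__main__":
    found = triage(parse_log(SAMPLE_LOG))
    for finding in found:
        print(*finding)
    print(review_summary(found))
```

Run monthly over the real export, then attach the printed findings and the summary counts to the review ticket together with the disposition of each item (for example, the after-hours MDF entry was a scheduled maintenance window; the NOT_ON_ROSTER hit triggered a badge-group correction). Those two artifacts, the script output and the closed ticket, are the “review records with remediation notes” listed under required evidence.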
By 90 days (assessment readiness and exception handling)
- Run a tabletop walkthrough: pick an in-scope room and demonstrate the full chain (request access → approval → log entry → periodic review → removal). 2
- Reconcile SSP narrative, boundary diagram, and evidence repository so they match exactly. 5
- Implement an exceptions register for temporary access and validate it contains approvals and end dates.
Frequently Asked Questions
Does “support infrastructure” include HVAC, UPS, and generators?
It includes infrastructure that directly supports the availability and integrity of organizational systems in scope, particularly where physical access could disrupt operations or enable tampering. Document what you include in your boundary and how you protect and monitor it. 2
Are network closets (IDFs) in scope for 3.10.2?
If they house equipment supporting in-scope systems (switches, patch panels, fiber runs), treat them as support infrastructure and apply protection and monitoring appropriate to the risk. Assessors regularly ask about closets because they are commonly overlooked. 2
We’re fully cloud-hosted. Do we still need to do this?
Yes, but your scope shifts to your offices and any spaces that contain endpoints, networking gear, or authentication devices used to access CUI, plus your third-party management of the cloud provider’s physical controls. Document shared responsibility and retain third-party evidence where contractually available. 2
What’s the minimum monitoring needed to satisfy “monitor”?
You need a way to detect and investigate physical access, typically via access logs and visitor logs, plus a documented review process with records of exceptions and follow-up. Cameras can support monitoring, but logs and reviews are usually the backbone for evidence. 2
How do we handle facilities contractors and cleaners?
Treat them as third parties who may need controlled access. Require sign-in/out, escort for sensitive spaces, time-bounded access approvals, and records that show who entered and why. 2
What evidence should we show an assessor if our building is managed by a landlord?
Provide your internal boundary, your access control for in-scope rooms (or suites), and documentation of the landlord’s controls that are relevant to your boundary if you rely on them. If you cannot obtain landlord evidence, reduce reliance by adding controls within your leased area. 2