03.10.02: Monitoring Physical Access

The 03.10.02 Monitoring Physical Access requirement means you must actively monitor physical entry, movement, and access to facilities and areas where CUI systems and media exist, and be able to prove it with logs and review records. Operationalize it by defining monitored zones, implementing badge/visitor controls (and cameras where appropriate), reviewing access events, and escalating anomalies. 1

Key takeaways:

  • Define “where monitoring applies” first: CUI areas, systems rooms, records storage, and any space that provides physical paths to them. 1
  • Monitoring must produce reviewable evidence (logs, footage retention rules, visitor records) and a response path for anomalies. 1
  • Treat third-party access (landlords, MSPs, maintenance, cleaners) as in-scope physical access that needs monitoring and records. 1

A frequent gap in 800-171 programs is strong badge controls but weak monitoring: propped doors go unnoticed, visitors wander unescorted, or camera footage exists but nobody reviews it. 03.10.02 is the requirement that forces you to close that operational loop. You are expected to know who entered controlled areas, when they entered, and how you detect and respond to unusual physical access patterns affecting CUI.

For a CCO or GRC lead, the fastest way to implement 03.10.02 is to treat it like a measurable control with three parts: (1) defined monitored perimeters and assets, (2) collection of physical access events (badges, visitor logs, alarms, camera evidence where risk warrants), and (3) recurring review plus incident handling. The “monitoring” concept is broader than “having a lock.” It includes oversight for employees, contractors, and any third party that can physically reach CUI work areas or supporting infrastructure.

This page gives requirement-level guidance you can assign to Facilities, Security, and IT, then validate through evidence on a predictable cadence, aligned to NIST SP 800-171 Rev. 3. 1

Regulatory text

Requirement: “NIST SP 800-171 Rev. 3 requirement 03.10.02 (Monitoring Physical Access).” 1

Operator interpretation: You must monitor physical access to facilities and areas where CUI is processed, stored, or transmitted (including supporting infrastructure like comms closets and server rooms), detect irregularities, and retain evidence that monitoring occurred. “Monitor” implies more than preventing entry; it implies observing and being able to reconstruct physical access activity when needed. 1

What an assessor will look for: a defined scope of monitored spaces, technical and procedural monitoring mechanisms, routine review of access activity, and an escalation path for suspicious or unauthorized events. 1

Plain-English meaning (what you’re being asked to prove)

You need to be able to answer, with records:

  • Who entered controlled areas that can affect CUI.
  • Whether visitors and third parties were controlled and observed.
  • Whether unusual activity is detectable (door forced open, after-hours access, repeated badge failures, tailgating indicators).
  • Whether you review those signals and take action. 1

If you cannot produce access logs, visitor logs, camera retention settings, and a review trail, your program may “feel secure” but still fail the requirement during assessment readiness work.

Who it applies to (entity and operational context)

Entities: Federal contractors and other nonfederal organizations that handle CUI in nonfederal systems. 1

Operational scope (typical):

  • Corporate offices where CUI work occurs (even if CUI is “mostly digital,” physical access can enable device theft or tampering).
  • Data rooms, server rooms, network closets, secure print/scan areas, and media storage.
  • Shared spaces with mixed tenancy (multi-tenant buildings) where your organization controls only a portion of the facility.
  • Remote and hybrid contexts where CUI may be accessed at home or in temporary sites, if your CUI boundary includes those locations. 1

Third-party reality: Landlords, building security, cleaning crews, maintenance contractors, and IT service providers often have keys or after-hours access. Treat that as in-scope physical access that must be monitored and evidenced. 1

What you actually need to do (step-by-step)

Use this as an implementation runbook you can assign and track.

1) Define monitored zones and “CUI physical boundary”

Deliverable: a short “Physical Access Monitoring Scope” that names:

  • Controlled areas (e.g., suite perimeter, secure room, lab).
  • Critical supporting spaces (server room, MDF/IDF closets, storage rooms).
  • Assets in those spaces (workstations used for CUI, printers handling CUI, file cabinets, removable media storage). 1

Practical tip: Start with a marked floor plan and a simple table: area, access method, monitoring method, evidence source, owner.

2) Inventory access paths and monitoring points

Identify every route a person can take to reach the monitored zones:

  • Exterior doors, suite doors, internal doors, stairwells, loading docks.
  • Any door that bypasses reception or normal controls (common in multi-tenant buildings). 1

Map each path to at least one monitoring control:

  • Badge system logs (who/when/door/result).
  • Visitor management records.
  • Security guard logs (if applicable).
  • Door alarms (forced/open-too-long).
  • Camera coverage for choke points where tailgating risk is high or where badges alone won’t show who actually entered. 1

3) Implement event capture you can actually retrieve

Monitoring fails operationally when evidence exists but is not retrievable, searchable, or retained.

Minimum operational expectations to set internally:

  • Badges: unique IDs, no shared badges, terminated staff promptly removed, and logs exportable on demand.
  • Visitors: sign-in/out, identity verification method, host name, escort requirement, and badge return.
  • Keys/locks: if keys are used, track issuance, returns, and periodic reconciliation; keys create weaker monitoring evidence than electronic access logs, so compensate with procedural controls and logs. 1

4) Define “what gets reviewed” and “what triggers action”

Write a short review procedure that answers:

  • What signals are reviewed (badge exceptions, after-hours entries, door forced alarms, visitor anomalies).
  • Who reviews them (Facilities/Security/IT), who is backup, and what tools are used.
  • What constitutes an anomaly and how it’s escalated into incident handling. 1

Common, workable triggers:

  • Access to CUI areas by a disabled badge.
  • Repeated badge failures at secure doors.
  • After-hours access without a ticket/approved change window.
  • Visitors present without an employee host or without sign-out.
  • Evidence of tailgating (camera observation, guard report, door held open alarm). 1
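The triggers above are the review logic; they can be run over the badge export and visitor log rather than eyeballed. The following is an added example, not code from NIST SP 800-171, from Daydream, or from any access-control vendor. The badge export and visitor-log formats, the door names, badge IDs, the business-hours window, the failure threshold, the approved-ticket windows, and the badge register are all constructed assumptions standing in for your own system exports; only the trigger names and the review-record fields follow this page.

```python
"""Exception review over a badge export and a visitor log (added example).

Formats, IDs, hours and thresholds below are constructed assumptions, not
any vendor's export format.
"""
from collections import defaultdict
from datetime import datetime, time, timedelta

# Constructed badge export: timestamp,badge_id,door,result
BADGE_LOG = """\
2024-05-06T08:02:11,B1001,SUITE-MAIN,GRANTED
2024-05-06T08:03:40,B1001,SERVER-ROOM,GRANTED
2024-05-06T12:15:02,B2044,SERVER-ROOM,DENIED
2024-05-06T12:15:09,B2044,SERVER-ROOM,DENIED
2024-05-06T12:15:20,B2044,SERVER-ROOM,DENIED
2024-05-06T22:41:55,B1007,SERVER-ROOM,GRANTED
2024-05-07T23:10:03,B1003,SUITE-MAIN,GRANTED
2024-05-07T23:12:30,B1003,SERVER-ROOM,GRANTED
2024-05-08T09:30:00,B1009,SUITE-MAIN,GRANTED
"""

# Constructed badge register: badge_id -> (holder, status). B1009 belongs to a
# terminated employee and is marked disabled, yet the export shows a grant.
BADGE_REGISTER = {
    "B1001": ("a.lee", "active"),
    "B1003": ("c.diaz", "active"),
    "B1007": ("f.khan", "active"),
    "B1009": ("former.staff", "disabled"),
    "B2044": ("contractor.x", "active"),
}

# Constructed approved after-hours work windows: (ticket, badge_id, start, end)
APPROVED_WINDOWS = [
    ("CHG-4412", "B1007", datetime(2024, 5, 6, 22, 0), datetime(2024, 5, 7, 2, 0)),
]

# Constructed visitor log: name,host,sign_in,sign_out (sign_out empty if never signed out)
VISITOR_LOG = """\
Jane Vendor,a.lee,2024-05-06T10:00,2024-05-06T11:30
Copier Tech,,2024-05-07T14:00,2024-05-07T15:10
Sam Auditor,c.diaz,2024-05-08T09:00,
"""

SECURE_DOORS = {"SERVER-ROOM"}               # assumed: doors that get the strict triggers
BUSINESS_HOURS = (time(7, 0), time(19, 0))   # assumed: Mon-Fri working window
FAIL_THRESHOLD, FAIL_WINDOW = 3, timedelta(minutes=5)


def parse_badge_log(text):
    """Turn the CSV export into (timestamp, badge, door, result) tuples."""
    rows = []
    for line in text.strip().splitlines():
        ts, badge, door, result = line.split(",")
        rows.append((datetime.fromisoformat(ts), badge, door, result))
    return rows


def is_after_hours(ts):
    return ts.weekday() >= 5 or not (BUSINESS_HOURS[0] <= ts.time() < BUSINESS_HOURS[1])


def has_approved_window(badge, ts):
    return any(b == badge and start <= ts <= end for _, b, start, end in APPROVED_WINDOWS)


def find_badge_exceptions(events):
    """Apply the badge-log triggers; returns (trigger, detail) pairs in event order.
    Tailgating is deliberately absent: a badge log cannot show it, so that trigger
    has to come from door-held-open alarms, guard reports or camera review."""
    found = []
    denials = defaultdict(list)  # (badge, door) -> recent denial timestamps
    for ts, badge, door, result in events:
        holder, status = BADGE_REGISTER.get(badge, ("unregistered", "unknown"))
        if result == "GRANTED" and status != "active":
            found.append(("disabled_badge_granted", f"{badge} ({holder}) at {door} {ts}"))
        if result == "DENIED" and door in SECURE_DOORS:
            recent = [t for t in denials[(badge, door)] if ts - t <= FAIL_WINDOW] + [ts]
            denials[(badge, door)] = recent
            if len(recent) == FAIL_THRESHOLD:
                found.append(("repeated_badge_failures",
                              f"{badge} ({holder}) at {door}, {FAIL_THRESHOLD} denials by {ts}"))
        if (result == "GRANTED" and door in SECURE_DOORS and is_after_hours(ts)
                and not has_approved_window(badge, ts)):
            found.append(("after_hours_no_ticket", f"{badge} ({holder}) at {door} {ts}"))
    return found


def find_visitor_exceptions(text):
    """Visitor-log triggers: no employee host, or never signed out."""
    found = []
    for line in text.strip().splitlines():
        name, host, sign_in, sign_out = line.split(",")
        if not host:
            found.append(("visitor_without_host", f"{name} signed in {sign_in}"))
        if not sign_out:
            found.append(("visitor_without_signout", f"{name} signed in {sign_in}"))
    return found


def build_review_record(period, reviewer, badge_text=BADGE_LOG, visitor_text=VISITOR_LOG):
    """Dated review record: what was reviewed, the period, exceptions and outcome.
    'no exceptions' is recorded explicitly so an empty review still counts as evidence."""
    exceptions = find_badge_exceptions(parse_badge_log(badge_text)) + find_visitor_exceptions(visitor_text)
    return {
        "reviewed": ["badge system export", "visitor log"],
        "period": period,
        "reviewer": reviewer,
        "exceptions": exceptions,
        "outcome": ("no exceptions" if not exceptions
                    else f"{len(exceptions)} exceptions; open incident tickets"),
    }


if __name__ == "__main__":
    record = build_review_record(("2024-05-06", "2024-05-08"), "grc.owner")
    for trigger, detail in record["exceptions"]:
        print(f"{trigger:26} {detail}")
    print(record["outcome"])
```

Run against the constructed data this flags the three badge-log triggers (the contractor's three denials at the server room, the unticketed 23:12 server-room entry, the disabled badge that was still granted) and the two visitor-log triggers (no host, no sign-out), and writes them into a review record that can be attached to the cadence described in step 6. The after-hours and repeated-failure checks are scoped to the secure doors only, an assumption; widen SECURE_DOORS to match your own controlled-area register.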

5) Operationalize third-party physical access

For third parties with physical access (maintenance, ISP, fire alarm vendor, copier service):

  • Require scheduling/ticketing for non-emergency work.
  • Require escort in controlled areas unless explicitly approved.
  • Record arrival/departure and areas accessed.
  • Capture proof: visitor logs, work orders, escort attestation, and any badge assignment. 1

6) Build a recurring evidence cadence (assessment-ready)

This requirement is commonly failed due to “no proof of ongoing monitoring.” Set an internal cadence and stick to it:

  • Collect access log exports or system reports.
  • Collect visitor logs.
  • Document reviews and exceptions, even when there are none. 1

Daydream (as a workflow layer) is useful here because it can map 03.10.02 to owners, set recurring evidence tasks, and preserve review attestations alongside the underlying logs so you can answer assessor questions without a scramble. 1

Required evidence and artifacts to retain

Keep artifacts in a form you can produce quickly, with clear ownership.

Core artifacts (most organizations):

  • Physical security/access control policy section that covers monitoring expectations and responsibilities. 1
  • Scope definition: list of monitored areas and access points (floor plan markup or controlled area register). 1
  • Badge access control system reports/log exports for controlled doors. 1
  • Visitor management logs (electronic preferred; paper scanned if needed). 1
  • Review records: dated evidence of review, findings, and follow-up actions. 1
  • Incident tickets for physical access anomalies (door forced, lost badges, unescorted visitors). 1

If you use cameras:

  • Camera placement map for controlled entry points.
  • Retention configuration and access controls for footage.
  • Footage request log (who accessed footage, why, when). 1

Common exam/audit questions and hangups

Expect questions framed around “show me”:

  1. “What areas are considered controlled for CUI, and why?”
    Hangup: no documented physical boundary; teams answer verbally but cannot prove consistency. 1

  2. “Show access logs for the last period and your review evidence.”
    Hangup: logs exist, but reviews are ad hoc or undocumented. 1

  3. “How do you detect tailgating or door propping?”
    Hangup: badge logs alone don’t show tailgating; you need compensating controls (alarms, guards, camera coverage, reception design, or procedural checks). 1

  4. “How do you monitor third-party physical access?”
    Hangup: contractors sign in at building lobby but roam without local logs tied to your controlled areas. 1

Frequent implementation mistakes (and how to avoid them)

  • Mistake: “We have locks, so we’re done.”
    Why it fails: Locks restrict; they don’t create reviewable monitoring records.
    Fix: Add logs (badges/visitors/alarms) and keep review evidence. 1

  • Mistake: Monitoring exists but nobody reviews it.
    Why it fails: Assessors expect operational effectiveness, not just tooling.
    Fix: Assign an owner, set a cadence, record findings. 1

  • Mistake: Visitor logs are incomplete or inconsistent.
    Why it fails: Untracked visitors are unmonitorable access.
    Fix: Standardize check-in/out, host responsibility, escort rules. 1

  • Mistake: Third-party access is “handled by Facilities” with no records.
    Why it fails: Creates blind spots for CUI areas.
    Fix: Require work orders, escort logs, and sign-in records tied to areas accessed. 1

  • Mistake: Camera footage exists but retention/access is unmanaged.
    Why it fails: Footage can’t be produced when needed, or is viewable by more internal staff than it should be.
    Fix: Define retention, restrict access, log requests. 1

Risk implications (why operators care)

Physical access is a direct path to compromise: device theft, rogue hardware insertion, access to printed CUI, or tampering with network infrastructure. If monitoring is weak, you lose investigation capability after an incident and cannot credibly assert CUI protections during customer or government reviews. 1

A practical 30/60/90-day execution plan

No enforcement timelines are provided in the source catalog, so treat the phases below as an internal execution plan, not a regulatory deadline. 1

First 30 days (stabilize scope and evidence)

  • Name the control owner(s): Facilities/Security for physical controls, GRC for evidence coordination. 1
  • Define controlled areas and access points; produce a floor plan markup and controlled area register. 1
  • Confirm what logs exist today (badge system, visitor process, door alarms, camera system) and whether you can export them. 1
  • Draft the monitoring review procedure (what gets checked, by whom, how exceptions are handled). 1

Days 31–60 (implement monitoring operations)

  • Standardize visitor management: required fields, escort expectations, badge return, and records storage. 1
  • Tune badge system reports for exception monitoring (after-hours, denied attempts, disabled users). 1
  • Implement anomaly escalation into incident handling (ticket template, notification list, triage steps). 1
  • Start evidence collection in Daydream (or your GRC system) as recurring tasks with owners and due dates, and attach the first cycle of records. 1

Days 61–90 (prove effectiveness and close gaps)

  • Run tabletop tests: simulate a lost badge, an unauthorized access attempt, or an unescorted visitor, then verify records and response. 1
  • Review access lists and remove stale privileges; confirm terminations are reflected in badge access promptly. 1
  • Validate that logs and visitor records are retained and retrievable, and that reviews are consistently documented. 1
  • Document deviations and compensating controls for constraints (shared building entrances, landlord-controlled cameras). 1
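The access-list review in this phase, together with the badge and key expectations under step 3 (no stale badges, terminations reflected promptly, key issuance reconciled), is a reconciliation between what the badge and key registers say and what HR says. The following is an added example of that reconciliation, not code from NIST SP 800-171, from Daydream, or from any access-control vendor. The register layouts, the HR roster, the one-day termination grace period and the 90-day staleness threshold are constructed assumptions; substitute your own exports and SLAs.

```python
"""Access-list reconciliation: badge and key registers vs. HR roster (added example).

Register layouts, roster, grace period and staleness threshold are constructed
assumptions standing in for a badge-system export, a key log and an HR feed.
"""
from datetime import date, timedelta

REVIEW_DATE = date(2024, 6, 30)           # assumed date the reconciliation runs
TERMINATION_GRACE = timedelta(days=1)     # assumed SLA: disable within one day of termination
STALE_AFTER = timedelta(days=90)          # assumed: an active badge unused this long is stale

# Constructed badge register export: (badge_id, holder, status, last_used)
BADGE_REGISTER = [
    ("B1001", "a.lee", "active", date(2024, 6, 28)),
    ("B1003", "c.diaz", "active", date(2024, 6, 27)),
    ("B1005", "e.wong", "active", date(2024, 2, 14)),       # not used for months
    ("B1009", "former.staff", "active", date(2024, 6, 3)),  # holder terminated 1 June
    ("B1011", "g.park", "disabled", date(2024, 4, 30)),     # correctly disabled
    ("B2044", "contractor.x", "active", date(2024, 6, 29)),
]

# Constructed HR roster: holder -> termination date, or None while employed.
# contractor.x is absent on purpose: third parties need a sponsor record of their own.
HR_ROSTER = {
    "a.lee": None, "c.diaz": None, "e.wong": None,
    "former.staff": date(2024, 6, 1), "g.park": date(2024, 4, 30),
}

# Constructed mechanical key register: (key_id, holder, issued, returned or None)
KEY_REGISTER = [
    ("K-SRV-01", "a.lee", date(2024, 1, 10), None),
    ("K-SRV-02", "former.staff", date(2023, 11, 2), None),      # never returned
    ("K-SRV-03", "g.park", date(2024, 1, 10), date(2024, 4, 30)),
]


def reconcile_badges(register=BADGE_REGISTER, roster=HR_ROSTER, today=REVIEW_DATE):
    """Findings on active badges: terminated holder past grace, stale badge, or no sponsor."""
    findings = []
    for badge, holder, status, last_used in register:
        if status != "active":
            continue                        # nothing to revoke on a disabled badge
        if holder not in roster:
            findings.append(("no_sponsor_record", badge, holder))
        elif roster[holder] is not None and today - roster[holder] > TERMINATION_GRACE:
            findings.append(("terminated_still_active", badge, holder))
        elif today - last_used > STALE_AFTER:
            findings.append(("stale_unused_badge", badge, holder))
    return findings


def reconcile_keys(register=KEY_REGISTER, roster=HR_ROSTER):
    """Keys still outstanding with holders HR lists as terminated."""
    return [("key_outstanding_after_termination", key, holder)
            for key, holder, _issued, returned in register
            if returned is None and roster.get(holder) is not None]


def revocation_list(findings):
    """Badge IDs the control owner must disable now; sponsor gaps and keys are
    separate follow-ups (a key cannot be revoked remotely, only recovered or rekeyed)."""
    return sorted(item for kind, item, _ in findings
                  if kind in ("terminated_still_active", "stale_unused_badge"))


if __name__ == "__main__":
    all_findings = reconcile_badges() + reconcile_keys()
    for kind, item, holder in all_findings:
        print(f"{kind:34} {item:10} {holder}")
    print("disable:", revocation_list(all_findings))
```

On the constructed data this produces one stale badge, one badge still active 29 days after its holder's termination, one badge with no HR or sponsor record, and one server-closet key never returned by a terminated holder. Keep the dated output of each run as the review evidence for this step; the findings list, not the printout, is what a ticket template should be built from.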

Frequently Asked Questions

Does 03.10.02 require CCTV cameras?

NIST SP 800-171 Rev. 3 states you must monitor physical access, but the excerpt provided does not mandate cameras specifically. Use cameras where badge logs and procedures cannot reliably detect tailgating or confirm who entered. 1

We’re in a multi-tenant building. Is lobby security enough?

Lobby controls help, but you still need monitoring for your controlled areas and the paths into them. Document what the landlord covers, then add suite-level badge/visitor monitoring and your own review records. 1

How do we handle cleaning crews and maintenance contractors?

Treat them as third parties with in-scope physical access. Require sign-in/out, define escort rules for controlled areas, and retain work orders or tickets that show where and when they had access. 1

What evidence do assessors usually ask for first?

They typically start with your defined controlled areas and recent access/visitor logs plus proof of review. If you can produce those quickly with a consistent cadence, the control conversation goes smoothly. 1

We use mechanical keys for a server closet. Can we still meet the requirement?

Yes, but keys produce weaker monitoring records than electronic access. Compensate with strict key issuance logs, periodic reconciliation, and procedural monitoring (e.g., escorted access with a ticket) tied to review evidence. 1

How should we document “monitoring reviews” so they count?

Keep a dated review record that states what was reviewed, the time period, exceptions found, and follow-up actions or “no exceptions.” Attach supporting reports (badge/visitor/alarm summaries) to the review record in your system of record. 1

Footnotes

  1. NIST SP 800-171 Rev. 3
