03.10.02: Monitoring Physical Access

NIST SP 800-171 Rev. 3 requirement 03.10.02 means you must continuously monitor physical access to facilities and areas where CUI systems, media, or supporting infrastructure exist, and be able to detect, investigate, and respond to unauthorized or anomalous entry. Operationalize it by defining monitored physical boundaries, instrumenting them (badges/logs/cameras/visitor controls), and running routine reviews with retained evidence. 1

Key takeaways:

  • Define the “CUI physical boundary” first; monitoring only works if scope is explicit in your SSP. 1
  • Treat monitoring as an operating control: collect logs, review them on a schedule, investigate anomalies, and document outcomes. 2
  • Evidence quality is the make-or-break point: you need retained records that prove monitoring happened and issues were closed. 2

“Monitoring physical access” is easy to over-simplify into “we have badge readers.” Assessors usually look for something more operational: defined monitored areas, a method to detect access events, a way to correlate events to authorized individuals, and a repeatable review-and-response loop that produces evidence.

For most federal contractors and other nonfederal organizations handling CUI, the practical challenge is that physical access controls live outside the security team. Facilities manages badges, Security runs the guard desk, IT owns cameras in server rooms, HR onboards and offboards people, and business units sponsor visitors and contractors. Requirement 03.10.02 forces you to make those moving parts behave like a single control with clear boundaries, ownership, review cadence, and incident handling.

This page translates 03.10.02 into a requirement you can assign, test, and defend in an assessment. It focuses on rapid operationalization: what to implement, who needs to do it, what evidence to retain, and where teams commonly fail under audit expectations. Primary sources are NIST SP 800-171 Rev. 3 and NIST SP 800-171A assessment guidance. 3

Regulatory text

Excerpt (as provided): “NIST SP 800-171 Rev. 3 requirement 03.10.02 (Monitoring Physical Access).” 1

What the operator must do

Because the excerpt provided here is a short label rather than the full control statement, treat 03.10.02 as a concrete objective: you must monitor physical access to the facilities/areas that contain or support CUI processing, storage, or transmission, and you must be able to produce evidence that monitoring is functioning and acted on. Map this objective into your System Security Plan (SSP), define how you assess it, and retain operational proof aligned to assessment expectations. 3

A defensible implementation has three parts:

  1. Defined scope (which locations/rooms/racks/cages are in-bounds for CUI physical protection).
  2. Instrumentation (mechanisms that record access and/or provide surveillance).
  3. Operations (routine review, anomaly handling, and corrective action with documentation). 2

Plain-English interpretation (what 03.10.02 means)

You need to know who entered sensitive areas, when they entered, and whether the entry made sense based on authorization and business context. If you cannot reconstruct physical access history for a CUI-relevant space, you will struggle to prove you monitored access, and you will struggle to support incident response if CUI is lost or systems are tampered with. 3

Monitoring does not require a single technology stack. It requires:

  • A monitored boundary (door, cage, cabinet, suite, floor, or secure room).
  • Event capture (badge logs, guard logs, visitor logs, camera footage, alarm events).
  • Review and response documentation (tickets, investigation notes, corrective actions). 2

Who it applies to

Entity scope

  • Federal contractors and nonfederal organizations handling CUI on nonfederal systems. 1

Operational context scope (what environments get pulled in)

This requirement usually applies wherever CUI systems or CUI media exist, including:

  • Office suites with CUI workstations or printers.
  • Server rooms, network closets, and telecom rooms that host CUI systems.
  • Secure storage areas for removable media, backups, or paper CUI.
  • Third-party sites, colocation, or managed facilities if they are part of your CUI system boundary (handled through third-party obligations and evidence collection). 1

What you actually need to do (step-by-step)

Step 1: Define the “CUI physical boundary” and ownership

  1. List in-scope sites and spaces: building(s), floors, suites, server rooms, cages, locked cabinets.
  2. Assign an accountable control owner (often Facilities Security + ISMS/GRC shared ownership).
  3. Document boundaries in your SSP with enough specificity that an assessor can walk the space and test controls. 1

Deliverable: SSP control statement for 03.10.02 that names locations, technologies, responsible teams, and review expectations. 1

Step 2: Implement monitoring mechanisms per space type

Use a “space-by-space” approach:

Space type                       | Minimum monitoring expectation                | Typical evidence
---------------------------------|-----------------------------------------------|----------------------------------------------
Office suite with CUI            | Controlled entry + recorded access events     | Badge access logs; visitor log
Server room / network closet     | Controlled entry + stronger monitoring        | Badge logs; camera coverage; access list
CUI media storage (cabinet/safe) | Controlled access + check-in/out traceability | Media custody log; key control log
Third-party facility             | Contracted monitoring + evidence access       | SOC reports; access log excerpts; attestation

Your standard can permit compensating controls (for example, guard log in lieu of badge events), but you must document why it is equivalent and how you review it. 2

Step 3: Establish a monitoring review-and-response loop

Monitoring is not “set and forget.” Build an operating rhythm:

  1. Collect access events (badge reports, visitor sign-in, guard desk logs, alarm events).
  2. Review events for anomalies (after-hours entries, repeated denied access, access by terminated staff, “door held open” patterns if you capture those events).
  3. Investigate anomalies via a ticketed workflow (physical security incident ticket, HR case, or IT security incident depending on the scenario).
  4. Remediate (disable badge, retrain staff, fix door hardware, update access lists).
  5. Record outcomes and retain evidence. 2

Practical tip: define “anomaly categories” up front, so reviewers don’t improvise. Examples: access outside business hours, access to a restricted room without a change request, repeated failed attempts, visitor unescorted in restricted area, badge not returned after offboarding.

Step 4: Align monitoring with joiner/mover/leaver and third-party processes

Common failure mode: monitoring exists, but authorization data is stale.

  • Tie badge provisioning to HR and contractor onboarding.
  • Require prompt badge disablement on termination.
  • For third parties (vendors/contractors), require a sponsor and time-bound access with visitor/contractor logs retained. 2
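The review loop in Step 3 and the stale-authorization problem in Step 4 come down to one routine check: take a badge-system export, compare each event against the door's authorization list, the HR roster and the business-hours policy, and turn the matches into ticketable findings. The script below is an added example written for this page, not code from NIST or from any access-control product; the CSV layout, door names, badge ids, business hours and the repeated-denial threshold are constructed assumptions that you would replace with your own PACS export and HR feed. It covers the anomaly categories named above: after-hours entry, repeated denied attempts, entry by terminated staff, and entry by someone not on the space's authorization list.

```python
"""Review badge-access events for the anomaly categories a 03.10.02 reviewer checks.

Added example, not from the page or NIST. Log format, door names, badge ids,
hours and thresholds are constructed assumptions standing in for a real
PACS export, an HR roster and your written anomaly definitions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta

BUSINESS_HOURS = (time(7, 0), time(19, 0))   # policy choice (assumed)
DENIED_THRESHOLD = 3                         # denials inside the window that open a ticket (assumed)
DENIED_WINDOW = timedelta(minutes=15)

# Authorization list per restricted space: badge ids approved for that door (constructed).
AUTHORIZED = {
    "SERVER-ROOM-2": {"B1001", "B1002"},
    "MEDIA-SAFE": {"B1001"},
}

# HR roster: badge id -> termination date, None means still employed (constructed).
TERMINATED = {"B1001": None, "B1002": None, "B1003": date(2024, 3, 1), "B2001": None}

# Constructed PACS export, one event per line: timestamp,badge,door,result
SAMPLE_LOG = """\
2024-03-04T08:15:00,B1001,SERVER-ROOM-2,GRANTED
2024-03-04T22:40:00,B1002,SERVER-ROOM-2,GRANTED
2024-03-04T09:05:00,B1003,SERVER-ROOM-2,GRANTED
2024-03-04T10:00:00,B2001,MEDIA-SAFE,DENIED
2024-03-04T10:02:00,B2001,MEDIA-SAFE,DENIED
2024-03-04T10:04:00,B2001,MEDIA-SAFE,DENIED
2024-03-04T11:30:00,B2001,SERVER-ROOM-2,GRANTED
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    badge: str
    door: str
    result: str


def parse_log(text):
    """Parse the export and return events in time order (exports are often unsorted)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, badge, door, result = line.split(",")
        events.append(Event(datetime.fromisoformat(ts), badge, door, result))
    return sorted(events, key=lambda e: e.ts)


def review(events):
    """Return (category, event) findings; one event can trip several categories."""
    findings = []
    denied = defaultdict(list)  # (badge, door) -> timestamps of recent denials
    for e in events:
        if e.result == "GRANTED":
            term = TERMINATED.get(e.badge)
            if term is not None and e.ts.date() >= term:
                findings.append(("TERMINATED_BADGE_USED", e))   # Step 4: stale authorization data
            if e.badge not in AUTHORIZED.get(e.door, set()):
                findings.append(("NOT_ON_AUTH_LIST", e))        # entry without an approval record
            if not (BUSINESS_HOURS[0] <= e.ts.time() < BUSINESS_HOURS[1]):
                findings.append(("AFTER_HOURS", e))
        elif e.result == "DENIED":
            key = (e.badge, e.door)
            # sliding window: keep only denials within DENIED_WINDOW of this one
            denied[key] = [t for t in denied[key] + [e.ts] if e.ts - t <= DENIED_WINDOW]
            if len(denied[key]) == DENIED_THRESHOLD:
                findings.append(("REPEATED_DENIED", e))
    return findings


def ticket_lines(findings):
    """One line per finding, ready to paste into the investigation ticket as evidence."""
    return [f"{e.ts.isoformat()} {cat} badge={e.badge} door={e.door}" for cat, e in findings]


if __name__ == "__main__":
    for line in ticket_lines(review(parse_log(SAMPLE_LOG))):
        print(line)
```

The ticket lines are the artifact the reviewer attaches to the record of the review, which is what the evidence section below asks for: the raw event, the category it tripped, and a link to whatever investigation followed. Unknown badges, door-held-open events, and visitor logs would be additional inputs in the same loop.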

Step 5: Prove it works via periodic testing

Run simple tests that generate evidence:

  • Attempt to access a restricted space with an unauthorized badge and document expected denial.
  • Pull an access log sample and show the review notes and closure tickets.
  • Validate camera retention can support investigations (retention length is your policy choice; document it and meet it consistently). 2

Step 6: Track gaps in a POA&M

If you have spaces with weak monitoring (legacy locks, shared badges, missing logs), put them in a POA&M with:

  • Gap description, risk rating, compensating control, target completion date, and closure evidence requirements. 1

Required evidence and artifacts to retain

Assessors want artifacts that show control design and operation. Retain:

  • SSP excerpts: defined physical boundary, control statement, responsible roles, and monitored mechanisms. 1
  • Physical access control policy/standard: visitor rules, escort rules, badge issuance/return, exceptions, and monitoring review requirements. 2
  • Access authorization list for each restricted space (by role or named individuals) plus approval records.
  • Badge/access logs (exports or screenshots) showing entries and denied attempts for in-scope doors.
  • Visitor logs and contractor access records (including sponsor and escort where required).
  • Monitoring review records: sign-offs, annotated log reviews, tickets opened, investigation notes, and closure evidence. 2
  • POA&M entries for known deficiencies and closure validation artifacts. 1
  • Third-party artifacts where facilities are outsourced: contractual clauses, attestations, and samples of access monitoring evidence provided to you.

Evidence rule of thumb: store enough raw data to reconstruct a narrative from “entry event” → “reviewed by” → “was it authorized” → “if not, what happened next.” 2

Common exam/audit questions and hangups

Expect these lines of questioning:

  1. “Show me the boundary.” Which rooms/areas are in scope for CUI? Can you map them to the SSP? 1
  2. “How do you monitor?” Badges, guards, cameras, alarms? What generates records?
  3. “Who reviews logs, and where is the proof?” They will ask for samples and reviewer names. 2
  4. “What happens on an anomaly?” They will want tickets, investigations, and corrective actions.
  5. “How do you handle contractors and visitors?” Sponsor, time-bound access, and escorts where required.
  6. “How do you ensure access removal?” Termination and transfer handling tied to badges and keys.

Hangup to avoid: saying “Facilities owns it” without being able to produce evidence. For CUI assessments, “owned elsewhere” is still your control obligation. 2

Frequent implementation mistakes (and how to avoid them)

  1. Undefined scope (“all offices”)
     • Fix: write a precise list of in-scope sites/spaces and keep it current in the SSP. 1
  2. Monitoring exists, reviews don’t
     • Fix: set an internal review schedule, assign a named reviewer, and keep review records with outcomes. 2
  3. No linkage between access rights and authorization
     • Fix: require approvals for restricted-space access and retain the approval trail.
  4. Shared badges, shared keys, propped doors
     • Fix: prohibit shared credentials; add door hardware checks; treat exceptions as POA&M items with compensating controls until fixed. 1
  5. Third-party physical security not governed
     • Fix: contract for monitoring expectations and require evidence delivery (log samples, attestations, incident notification) as part of third-party due diligence and ongoing monitoring.

Enforcement context and risk implications

No public enforcement cases were provided in the source catalog for this requirement, so you should treat this primarily as an assessment and contractual compliance risk for CUI programs. Weak physical monitoring increases the chance that you cannot determine scope during an incident (lost media, tampering, unauthorized access), and it commonly drives assessment findings because evidence is missing or ownership is unclear. 2

Practical 30/60/90-day execution plan

First 30 days (stabilize scope + evidence)

  • Confirm in-scope locations and restricted areas tied to CUI systems/media; update SSP control language for 03.10.02. 1
  • Identify log sources per door/area (badge system reports, guard logs, visitor system, cameras).
  • Assign reviewers and define anomaly categories and escalation paths.
  • Start saving monthly evidence packets (log export + review notes + any tickets). 2

Days 31–60 (operationalize reviews + close obvious gaps)

  • Run the first formal review cycle; open/close tickets for anomalies and record outcomes. 2
  • Align HR offboarding and contractor termination to badge disablement; test a sample termination scenario and document results.
  • Add POA&M items for monitoring gaps (doors without logging, missing visitor records, incomplete camera coverage) with owners and closure criteria. 1

Days 61–90 (make it assessable)

  • Perform an internal assessment against NIST SP 800-171A-style expectations for 03.10.02; correct evidence gaps. 2
  • Tabletop one physical access anomaly: show detection, triage, investigation, and corrective action with artifacts.
  • For third-party facilities, collect their monitoring artifacts or attestations and store them with your CUI evidence set.

Operational note: Daydream can help you keep 03.10.02 tied to SSP statements, control owners, recurring evidence requests, and POA&M closure checks, so the control stays “alive” between assessments rather than being rebuilt at audit time. 3

Frequently Asked Questions

Does “monitoring physical access” require cameras everywhere?

No. The requirement is outcome-driven: you must detect and reconstruct access to CUI-relevant areas using logs and processes you can evidence. Cameras can strengthen monitoring for high-risk spaces like server rooms, but badges and visitor controls can also satisfy monitoring if operated and reviewed. 2

If a building has a lobby badge reader, is that enough?

Usually not by itself. You need monitoring at the boundary that protects CUI systems or media, which may require additional controls for server rooms, network closets, or storage areas inside the building. Document the boundary and the monitored points in your SSP. 1

How do we handle physical access monitoring in a shared office or coworking space?

Define the smallest defensible CUI boundary you control (locked suite, cage, cabinet) and monitor access there. For what you do not control, treat it as a risk and address it via compensating controls and a POA&M until you can reduce exposure. 1

What evidence is most persuasive to an assessor?

A time-bounded sample that includes raw access logs, documented review notes, and at least one anomaly handled through a ticket to closure. Pair that with SSP language that clearly states who does the review and what systems generate the records. 2

Do we need to monitor access to network closets if they don’t store CUI files?

If the closet contains infrastructure that supports CUI system operation (switches, routers, security appliances), treat it as in scope because physical tampering can affect confidentiality and integrity. Document your rationale and monitoring approach. 1

Our third party manages the building security system. How do we meet 03.10.02?

Put monitoring and evidence obligations in the contract (or equivalent agreement), then collect periodic artifacts (log samples, incident notices, access procedures) and store them with your compliance evidence. You still need to show monitoring is happening for your CUI boundary. 2

Footnotes

  1. NIST SP 800-171 Rev. 3
  2. NIST SP 800-171A
  3. NIST SP 800-171 Rev. 3; NIST SP 800-171A
