03.10.07: Physical Access Control

NIST SP 800-171 Rev. 3 requirement 03.10.07 (Physical Access Control) requires you to prevent unauthorized physical access to the facilities, rooms, and physical assets that store, process, or protect CUI, and to prove those controls operate. Operationalize it by defining physical security boundaries, enforcing badge/key and visitor controls, monitoring and logging access, and keeping reviewable evidence tied to your SSP and POA&M 1.

Key takeaways:

  • Define your physical security boundary for CUI systems first, then enforce access rules consistently across people, places, and assets.
  • Treat physical access as an auditable control: logs, approvals, reviews, and exceptions must be retained and mapped to the SSP 1.
  • Close gaps through a POA&M with owners and validation evidence, not “planned” statements 1.

03.10.07: Physical Access Control is where many programs fail quietly: the cybersecurity controls look good on paper, but the building, server room, wiring closet, or secure printing area stays “informal.” For CUI environments, assessors expect the physical layer to match your system boundary and your SSP narrative. If your SSP says the CUI enclave is restricted, your badging rules, visitor process, and logging need to make that restriction real and provable 1.

For a CCO or GRC lead, the fastest path is to treat physical access control as a requirement you can decompose into (1) scope, (2) mechanisms, (3) operations, and (4) evidence. Scope defines which locations and assets are inside the CUI boundary. Mechanisms include locks, badges, escort rules, and monitoring. Operations cover how access is granted, changed, revoked, and reviewed. Evidence is what you will show an assessor using NIST SP 800-171A-style assessment expectations: artifacts that demonstrate the control is implemented and functioning 2.

This page gives you requirement-level steps, the artifacts to retain, common audit hangups, and a phased execution plan you can run with Facilities, IT, and Security without turning it into a multi-quarter rewrite.

Regulatory text

Excerpt (as provided): only the requirement title was supplied for this page: “NIST SP 800-171 Rev. 3 requirement 03.10.07 (Physical Access Control).” 1 Consult the published Rev. 3 text for the full requirement statement.

Operator interpretation (what you must do):
You must control physical entry to the spaces and physical assets that support CUI (work areas, network/server rooms, storage, secure output devices) so that only authorized individuals can reach them; secure the badges, keys, and combinations that open them; and be able to demonstrate that the control operates through defined procedures and retained evidence 1. In practice, assessors look for clear boundaries, enforceable rules, and records that show access is managed over time, not configured once and forgotten 2.

Plain-English interpretation (requirement intent)

Physical Access Control means:

  • You know exactly where CUI can be accessed physically (buildings, rooms, cages, cabinets, devices).
  • Only approved people can get into those areas or touch those assets.
  • Visitors and third parties are handled predictably (logged, escorted where required).
  • Access changes are controlled (joiners/movers/leavers).
  • You can prove it with logs, reviews, and approvals tied back to your SSP and POA&M 1.

Think “prevent, detect, and evidence.” Prevent unauthorized entry, detect anomalies through monitoring/logging, and retain evidence that will survive assessment scrutiny 2.

Who it applies to

Entities: Federal contractors and other nonfederal organizations that handle CUI in nonfederal systems 1.

Operational contexts where 03.10.07 becomes “real work”:

  • A corporate office where employees handle CUI on laptops or VDI.
  • A data center, server room, network closet, or cage hosting CUI systems.
  • Any site with physical media handling: printing, scanning, mailing, removable media storage, secure destruction.
  • Shared spaces: co-working offices, multi-tenant buildings, shared data centers, subcontractor facilities, and any location where third parties may have physical presence.

Boundary note: You are not required to secure every square foot of a campus the same way. You are required to secure the physical boundary where CUI can be accessed, stored, processed, or transmitted through supporting infrastructure, and to explain that boundary in the SSP 1.

What you actually need to do (step-by-step)

1) Define the physical boundary for CUI

  1. Identify CUI access points: rooms, cabinets, racks, printers, mailrooms, secure bins, and endpoints that can store CUI.
  2. Document boundary decisions in the SSP: what is in-scope, what is out-of-scope, and why 1.
  3. Assign control owners: typically Facilities/Security for doors and cameras, IT for racks and endpoint controls, and GRC for policy/evidence.

Deliverable: “CUI Physical Boundary Map” (diagram + room list + asset list) referenced in the SSP.

2) Establish authorization rules for physical access

  1. Define roles that may need access (IT admin, program staff, visitors, custodial, shipping/receiving, third-party technicians).
  2. Set approval requirements: who can authorize access and under what conditions.
  3. Specify escort and supervision rules for non-employees and visitors.

Tip: If you cannot enforce an exception process, remove the exception. Auditors will ask how exceptions are approved, time-bound, and reviewed.

3) Implement physical access mechanisms

Select mechanisms that match the boundary and threat model:

  • Perimeter controls: badge readers, staffed reception, locked doors, turnstiles (as applicable).
  • Interior controls: locked suites, server room locks/badge readers, locked racks/cabinets.
  • Asset-level controls: cable locks, secure storage for removable media, secure print release where CUI is printed.
  • Monitoring/detection: cameras in sensitive areas, door alarms, or other monitoring appropriate for the environment.

You don’t need every control type everywhere. You need a coherent set of controls that enforce your documented boundary and can be evidenced 1.

4) Operationalize joiner/mover/leaver and visitor processes

  1. Joiners: require manager request and Security/Facilities provisioning; tie badge access to role and location.
  2. Movers: changes in job role or location trigger an access review and update.
  3. Leavers: deprovision physical access promptly on termination; document the trigger and confirmation.
  4. Visitors and third parties: log entry/exit, validate identity, issue visitor badge, enforce escort rules where required, and retain logs.

This is where programs break: the door system exists, but provisioning and revocation are manual and inconsistently recorded.

5) Log, review, and test the control

Build a lightweight operating rhythm:

  • Periodic review of access lists for sensitive areas.
  • Spot checks that doors latch/lock, badge readers work, and visitor logging is followed.
  • Review anomalies (after-hours access, repeated denied access, propped doors where monitored).

NIST SP 800-171A is the practical companion here: it frames how assessors determine whether a requirement is implemented and operating, using examine, interview, and test methods against your artifacts, people, and mechanisms 2.
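The review items in step 5 (after-hours entry, repeated denials) and the termination linkage check in step 4 (orphaned badges, access after an HR leave date) are the parts of this requirement that can be automated from exports you already have. The script below is an added example, not part of the original page or of Daydream; it runs a reviewer's pass over three constructed CSV exports (a PACS badge roster, an HR leaver list, and badge-reader events). The door names, the business-hours window, the denial threshold, and the CSV column names are assumptions; substitute your physical access control system's export format.

```python
"""Reviewer pass over badge-reader exports for NIST SP 800-171 03.10.07.

Added example with constructed data. Flags: badges still active for people
HR has offboarded, entry after a termination date, entry to a sensitive door
the roster does not authorize, after-hours entry, and repeated denials.
"""
import csv
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime, time
from io import StringIO

SENSITIVE_DOORS = {"SRV-ROOM-1", "WIRING-CLOSET-2"}  # assumed: from the boundary map
BUSINESS_HOURS = (time(7, 0), time(19, 0))           # assumed operating window
DENIAL_THRESHOLD = 3                                 # assumed repeated-denial trigger

# Constructed PACS roster export: badge id, holder, status, authorized doors.
ROSTER_CSV = """badge_id,holder,status,authorized_doors
B1001,A. Chen,active,LOBBY;SRV-ROOM-1
B1002,D. Patel,active,LOBBY
B1003,M. Ortiz,active,LOBBY;SRV-ROOM-1;WIRING-CLOSET-2
B1004,V-TEMP-07,active,LOBBY
"""

# Constructed HR offboarding export: holders whose access must be revoked.
HR_LEAVERS_CSV = """holder,termination_date
M. Ortiz,2024-05-10
"""

# Constructed badge-reader events (one line per read).
EVENTS_CSV = """timestamp,badge_id,door,result
2024-05-13T08:02:11,B1001,SRV-ROOM-1,GRANTED
2024-05-13T22:41:03,B1001,SRV-ROOM-1,GRANTED
2024-05-13T09:15:00,B1002,SRV-ROOM-1,DENIED
2024-05-13T09:15:20,B1002,SRV-ROOM-1,DENIED
2024-05-13T09:16:05,B1002,SRV-ROOM-1,DENIED
2024-05-14T10:30:00,B1003,WIRING-CLOSET-2,GRANTED
2024-05-14T11:00:00,B1004,SRV-ROOM-1,GRANTED
"""


@dataclass(frozen=True)
class Finding:
    kind: str
    badge_id: str
    detail: str


def _rows(text):
    return list(csv.DictReader(StringIO(text)))


def review_physical_access(events_csv=EVENTS_CSV, roster_csv=ROSTER_CSV,
                           leavers_csv=HR_LEAVERS_CSV):
    """Return the findings a periodic access review should examine and sign off."""
    roster = {r["badge_id"]: {"holder": r["holder"], "status": r["status"],
                              "doors": set(r["authorized_doors"].split(";"))}
              for r in _rows(roster_csv)}
    leavers = {r["holder"]: date.fromisoformat(r["termination_date"])
               for r in _rows(leavers_csv)}
    findings = []

    # Termination linkage (step 4): HR says the person left, PACS still says active.
    for badge_id, r in roster.items():
        if r["status"] == "active" and r["holder"] in leavers:
            findings.append(Finding("orphaned_badge", badge_id,
                f"{r['holder']} left {leavers[r['holder']]}, badge still active"))

    denials = defaultdict(int)
    for e in _rows(events_csv):
        ts = datetime.fromisoformat(e["timestamp"])
        badge_id, door = e["badge_id"], e["door"]
        if e["result"] == "DENIED":
            denials[(badge_id, door)] += 1
            continue
        if door not in SENSITIVE_DOORS:
            continue  # lobby and similar doors are outside the CUI boundary
        r = roster.get(badge_id)
        holder = r["holder"] if r else "unknown badge"
        if holder in leavers and ts.date() > leavers[holder]:
            findings.append(Finding("post_termination_access", badge_id,
                f"{holder} entered {door} at {ts} after termination"))
        if r is None or door not in r["doors"]:
            findings.append(Finding("unauthorized_door", badge_id,
                f"{holder} granted at {door} without roster authorization"))
        in_window = BUSINESS_HOURS[0] <= ts.time() < BUSINESS_HOURS[1]
        if ts.weekday() >= 5 or not in_window:
            findings.append(Finding("after_hours", badge_id,
                f"{holder} entered {door} at {ts}"))

    # Repeated denials at one door by one badge: probing, or a stale grant.
    for (badge_id, door), n in denials.items():
        if n >= DENIAL_THRESHOLD:
            findings.append(Finding("repeated_denial", badge_id,
                f"{n} denials at {door}"))
    return findings


if __name__ == "__main__":
    for f in review_physical_access():
        print(f"{f.kind:24} {f.badge_id:6} {f.detail}")
```

The output of this pass is the review record itself: keep the findings list, the reviewer's disposition of each item, and the exports it was run against, and file them with the 03.10.07 evidence. The unauthorized_door check is the one that most often surprises teams, because it compares what the reader actually granted against what the roster says should be possible, which catches reader configuration drift that a roster review alone never sees.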

6) Tie everything to SSP and POA&M (make it assessable)

  • Add an SSP control statement for 03.10.07 that names: boundary, mechanisms, roles, and evidence sources 1.
  • Track gaps in the POA&M with: owner, target date, risk rating, and closure validation evidence 1.

How Daydream fits (practitioner use case): Use Daydream to map 03.10.07 to specific facilities, system components, and control owners, then run recurring evidence collection (badge access reviews, visitor logs, exceptions) with POA&M-tracked remediation and closure proof 1.

Required evidence and artifacts to retain

Maintain artifacts that answer: “What is the boundary, who has access, how is it granted/removed, and where is proof?”

Core artifacts

  • SSP section/control narrative for 03.10.07 with boundary definition and responsible parties 1.
  • Physical boundary diagram and in-scope location/asset inventory.
  • Physical access policy/standard (badges/keys, visitors, escorts, third-party access).
  • Access request/approval records (ticketing exports or forms).
  • Current access roster for sensitive areas (badges/keys issued; group memberships if integrated).
  • Visitor logs and visitor badge issuance procedure.
  • Periodic access review records (sign-offs, findings, and remediation).
  • Termination/deprovision evidence (HR trigger, badge disable confirmation).
  • Exception register (temporary access approvals, expirations, compensating controls).
  • POA&M items and closure evidence for gaps 1.

Common exam/audit questions and hangups

Assessors commonly probe these points 2:

  1. “Show me the boundary.” Which rooms and assets are in scope, and how does that match the SSP?
  2. “Prove only authorized people can enter.” Provide rosters and the approval chain.
  3. “How do you handle visitors and third parties?” Logs, identity checks, escort rules, retention.
  4. “What happens on termination?” Evidence of timely badge/key deactivation.
  5. “Do you review access periodically?” A record of review actions and outcomes.
  6. “How do you handle shared facilities?” Contracts/agreements, compensating controls, or segmentation.

Frequent implementation mistakes (and how to avoid them)

  • Mistake: SSP says “restricted area,” but the door is routinely propped or shared.
    Why it fails in assessment: boundary and reality mismatch.
    Fix: update procedures, add monitoring, or redefine the boundary to what you can enforce 1.
  • Mistake: badge system exists, but access grants are informal.
    Why it fails in assessment: no approval trail.
    Fix: require ticket-based approvals and retain the records.
  • Mistake: visitor log is optional.
    Why it fails in assessment: uncontrolled third-party presence.
    Fix: make visitor processing mandatory at the boundary; train reception and site leads.
  • Mistake: no termination linkage to physical access.
    Why it fails in assessment: orphaned badges and keys.
    Fix: tie HR offboarding to the Facilities/Security workflow; sample-test terminations.
  • Mistake: evidence scattered across Facilities and IT.
    Why it fails in assessment: slow, inconsistent audit responses.
    Fix: centralize evidence collection and map it to 03.10.07 in your GRC system 1.

Risk implications (why assessors care)

Physical access gaps turn cybersecurity controls into paper controls. If an attacker or unauthorized insider can enter a server room, access unlocked endpoints, or remove media, logical controls may not prevent CUI exposure. Physical access control also intersects with insider risk, third-party risk, and incident response: you need to reconstruct who was where, when, and with what authorization using retained records 1.

Practical execution plan (30/60/90-day)

The day counts are pacing guidance, not commitments: run the phases in order and adjust the calendar to your site complexity.

First 30 days (Immediate stabilization)

  • Define and document the CUI physical boundary and owners in the SSP 1.
  • Inventory in-scope rooms and assets (server rooms, secure storage, printers).
  • Standardize access requests and approvals through one workflow (ticketing or form).
  • Start collecting evidence now: current access rosters, visitor logs, termination samples.

By 60 days (Mechanisms and operating rhythm)

  • Ensure all in-scope areas have enforceable entry controls (locks/badges/keys with accountability).
  • Implement mandatory visitor handling at the boundary (log, badge, escort rules).
  • Establish periodic access reviews for sensitive areas; record findings and actions.
  • Create an exceptions register and require time-bounded approvals.

By 90 days (Assessment-ready maturity)

  • Run an internal assessment using NIST SP 800-171A-style expectations: interview, examine artifacts, test a sample of access grants/revocations 2.
  • Close top gaps via POA&M with evidence-backed validation 1.
  • Make evidence collection routine: store artifacts in a consistent repository and link each artifact to 03.10.07 in your SSP/control library.

Frequently Asked Questions

Does 03.10.07 apply if all our CUI is in the cloud?

Yes. If people can access CUI from an office or site, the physical environment that enables that access remains in scope. Scope the physical boundary to where CUI can be accessed (work areas, endpoint storage, printing) and document it in the SSP 1.

What if we are in a shared office or co-working space?

Define a defensible boundary you can control, such as a locked suite, a locked room, or secured cabinets for media and devices. Document compensating controls and any reliance on building security in the SSP, and retain evidence you can access during an assessment 1.

Do we need cameras to meet physical access control?

NIST SP 800-171 Rev. 3 does not mandate a specific technology in the excerpt provided. Choose controls that enforce your boundary; if you use monitoring, keep evidence of how it supports detection and investigations 1.

How detailed should our visitor logs be?

Detailed enough to reconstruct who entered, when, why, who approved it, and whether escort rules were followed. Keep logs consistently and retain them in a place you can produce during an assessment 2.

How do we handle third-party technicians who need server room access?

Treat them as time-bound authorized visitors unless they are formally authorized personnel with documented approvals. Require identity verification, logging, escort or supervision rules as needed, and retain the approval and access records 1.

What evidence is most persuasive to an assessor?

A clear SSP boundary description plus operational records: access approvals, rosters, visitor logs, periodic reviews, and proof of revocation for leavers. Assessors test for “implemented and operating,” which depends on consistent artifacts 2.

Footnotes

  1. NIST SP 800-171 Rev. 3, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.

  2. NIST SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information.
