03.10.07: Physical Access Control
To meet the 03.10.07: physical access control requirement, you must implement physical safeguards that prevent unauthorized people from reaching facilities, rooms, and equipment that store, process, or transmit CUI, and you must be able to prove those safeguards operate consistently. Build controlled entry, visitor handling, monitoring, and evidence collection into day-to-day operations (NIST SP 800-171 Rev. 3).
Key takeaways:
- Define and map CUI physical boundaries (sites, rooms, racks, media storage) before selecting controls.
- Operationalize authorized access, visitor control, and monitoring with documented procedures and recurring reviews.
- Evidence matters as much as hardware: retain logs, approvals, and exception handling records (NIST SP 800-171 Rev. 3).
Physical access is an easy control to “assume” is covered by building security, and a hard control to defend in an assessment if your CUI footprint is spread across shared offices, colocations, labs, and remote work. The 03.10.07: physical access control requirement in NIST SP 800-171 Rev. 3 sits squarely in that gap: you are expected to control who can physically reach the systems and media that handle CUI, and to show that the control works in practice (NIST SP 800-171 Rev. 3).
For most federal contractors and other nonfederal organizations handling CUI, the fastest path is to treat physical access control like an identity system with a scope statement. First, declare what locations and assets are “in scope for CUI.” Then apply standard mechanisms (badging, locks, escort rules, surveillance, and logging), backed by approvals, periodic review, and documented exceptions.
This page is written for a Compliance Officer, CCO, or GRC lead who needs to operationalize the requirement quickly, coordinate Facilities/IT/Security, and produce audit-ready evidence with minimal friction. Where teams stall, it’s rarely on buying hardware. It’s on defining boundaries, setting procedures people follow, and keeping reliable records.
Regulatory text
Provided excerpt: “NIST SP 800-171 Rev. 3 requirement 03.10.07 (Physical Access Control).” (NIST SP 800-171 Rev. 3)
Operator interpretation (what you must do):
- Establish physical access controls proportionate to your CUI environment so unauthorized individuals cannot gain entry to areas where CUI systems and media exist (NIST SP 800-171 Rev. 3).
- Make physical access control operational, not theoretical: it must be implemented, followed by staff and third parties, and supported by evidence you can produce during an assessment (NIST SP 800-171 Rev. 3).
Because the excerpt provided here is high-level, treat 03.10.07 as a requirement to (1) define physical scope for CUI, (2) restrict entry to that scope to authorized individuals, and (3) monitor and document the control’s operation for assessment readiness (NIST SP 800-171 Rev. 3).
Plain-English requirement: what 03.10.07 means in practice
You need a defensible answer to two questions:
- Where could someone physically touch CUI or the systems that handle it? Examples: an office suite, a secure room, a lab bench with test devices, a server closet, a locked cabinet with backup media, a cage in a colocation facility.
- What stops the wrong person from getting there, and how do you prove it? Examples: badge access lists, keys/combination control, visitor sign-in and escort, camera coverage, door alarms, security guard procedures, and periodic review of who has access.
A common assessment failure mode: “We have badge access to the building.” That may be insufficient if cleaning crews, other tenants, or after-hours visitors can reach a server closet or unlocked cabinets that contain CUI assets. Another failure mode: controls exist, but you can’t produce access lists, visitor records, or exception approvals.
Who it applies to
Entity types
- Federal contractors and nonfederal organizations handling CUI in nonfederal systems (NIST SP 800-171 Rev. 3).
Operational contexts that commonly fall in scope
- Corporate offices with CUI-processing endpoints.
- Engineering labs and manufacturing areas with controlled designs or test data.
- On-prem server rooms, network closets, and secure print rooms.
- Colocation cages and managed data center footprints.
- Offsite storage for backups, paper records, and removable media.
- Third-party locations where your staff works on CUI (customer site, partner lab). Treat these as a third-party dependency: document what the host controls and obtain written assurance you can show an assessor.
What you actually need to do (step-by-step)
Use this workflow to implement 03.10.07 quickly and make it auditable.
Step 1: Define the physical CUI boundary (scope statement + map)
- Inventory where CUI is processed, stored, or transmitted in physical terms: rooms, closets, cabinets, racks, safes, and media storage.
- Produce a simple “CUI Physical Boundary” document:
- Site list (address + floor/area)
- In-scope rooms/areas
- In-scope asset types (servers, network gear, file cabinets, backup tapes/drives)
- Responsible owner (Facilities, IT, Security)
Practical tip: If your CUI environment is small, shrink the boundary. A single locked room with controlled endpoints is easier to defend than an entire open office.
Step 2: Set authorization rules (who can enter, when, and why)
- Define authorized roles (IT admins, engineers, Facilities, Security, approved third-party technicians).
- Define access levels (building, suite, server room, cage, media cabinet).
- Define approval authority (e.g., Facilities grants building badge access; IT/Security approves server room access).
- Define an access review cadence for each level (the interval is your choice, but write it into the procedure as a requirement so reviews can be checked against it).
Deliverable: a written Physical Access Control Procedure aligned to 03.10.07 (NIST SP 800-171 Rev. 3).
Step 3: Implement physical controls by area type (use a control matrix)
Create a matrix that maps each in-scope area to required safeguards.
| Area type | Minimum expected controls | Evidence to retain |
|---|---|---|
| Office suite with CUI endpoints | Controlled entry (badge/keys), visitor process, after-hours policy | Badge roster, visitor logs, policy acknowledgement |
| Server room / network closet | Restricted list, locked door, logging/monitoring, break-glass procedure | Access list approvals, door access logs, exception tickets |
| Media storage (paper/removable) | Locked cabinets/safe, check-in/out rules, disposal/shred process | Custody logs, cabinet assignment list, destruction records |
| Colocation cage | Provider controls + your authorized list + escort rules | Colo access authorizations, visit tickets, provider attestations |
Step 4: Build visitor and third-party handling into daily operations
Your procedure should cover:
- Visitor identification and sign-in
- Badge labeling (visitor vs employee)
- Escort requirement for non-authorized visitors
- Restrictions on photography, device connection, and unattended access
- Third-party technicians: pre-approval, verification at arrival, and proof of work completion
If a third party must access a CUI area (e.g., HVAC vendor entering a server room), treat that event as controlled access with a record trail.
Step 5: Monitoring and logging (right-sized to your environment)
Decide what “monitoring” means for each area:
- Electronic access control logs for badge doors.
- Key issuance logs for mechanical keys.
- Camera coverage for entrances to restricted rooms (where feasible and permitted by policy).
- Guard logs if you use security staffing.
Then ensure you can export/retain records and correlate them to approvals.
Step 6: Periodic reviews and exception management
Assessors will probe for drift: employees leave, roles change, rooms get repurposed.
- Run a recurring review of:
- Badge access lists to restricted areas
- Key holders and combinations
- Visitor log completeness
- Door status (propped doors, broken locks)
- Establish an exception process:
- Business justification
- Compensating controls (escort, limited hours, temporary access)
- Time-bound approval and closure
Step 7: Evidence packaging for assessment readiness
Create a single evidence folder per site/area with a consistent naming scheme:
- Scope map and boundary statement
- Procedures and training/acknowledgements
- Access lists + approvals
- Logs (sampled period) + review sign-off
- Visitor logs (sampled period)
- Exception tickets and resolutions
Daydream (as a workflow, not a hardware product) fits well here: track each site/area as an “in-scope object,” assign owners, schedule recurring evidence pulls, and keep the narrative consistent between policy, implementation, and artifacts.
Required evidence and artifacts to retain
Keep artifacts that prove design and operation:
Design (what you intended)
- Physical Access Control Policy/Procedure mapped to 03.10.07 (NIST SP 800-171 Rev. 3).
- CUI Physical Boundary statement and site/room list.
- Role-based access standards (who qualifies for access, approval chain).
- Visitor management procedure, including third-party access handling.
Operation (what actually happened)
- Current authorized access rosters for restricted areas (badge groups, key holders).
- Approval records for granting/removing access (tickets, forms, emails).
- Door access logs or key logs for a defined period.
- Visitor sign-in logs and escort attestations (where applicable).
- Periodic access review records and remediation actions.
- Physical security incident records (lost keys, forced entry, door alarm events) and closures.
Common exam/audit questions and hangups
Expect these questions, and pre-build the answers:
- “Show me your CUI physical boundary.” Hangup: teams provide a network diagram, not physical scope.
- “Who can access the server room today, and who approved it?” Hangup: Facilities manages badges but approvals are informal.
- “How do you handle visitors and third-party technicians?” Hangup: visitor logs exist at reception, but they don’t tie to restricted areas.
- “How do you review physical access rights over time?” Hangup: access lists aren’t reviewed; removals lag terminations.
- “What happens when controls fail (lost badge, propped door)?” Hangup: incidents are handled ad hoc with no record trail.
Frequent implementation mistakes (and how to avoid them)
- Mistake: Treating “building access” as equivalent to “CUI area access.” Fix: define restricted sub-areas (server room, lab, locked cabinets) and control them separately.
- Mistake: Keys and combinations are unmanaged. Fix: maintain a key holder list; rotate combinations after staff changes; log issuance and returns.
- Mistake: Visitor process doesn’t cover delivery, cleaning, or after-hours access. Fix: explicitly define how non-employee access works during off-hours and who escorts.
- Mistake: No link between approvals and logs. Fix: require an access request/ticket ID for each badge group change and keep exports of access control logs.
- Mistake: Evidence is “somewhere” but not reproducible. Fix: standardize evidence packs per site and schedule recurring collection.
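The periodic review in Step 6 and the “no link between approvals and logs” fix above both come down to the same reconciliation: join the badge roster for a restricted area against HR status, approval tickets, and the door event log, and flag anything that does not line up. The script below is an added example written for this page, not code from NIST or from any badge vendor. The CSV exports and their column names are constructed sample data with a hypothetical layout; real access control systems export different fields, so the loaders are the part you would adapt. The business-hours window is an assumption standing in for whatever your procedure documents.

```python
"""Reconcile physical-access evidence for one restricted area.

Added example for this page (not vendor or NIST code). Sample exports below are
constructed, with hypothetical column layouts; adapt the loaders to your system.
"""
import csv
import io
from datetime import datetime, time

# Constructed badge-system export: who is in the access group for each area,
# and the request/ticket ID recorded when the group membership was granted.
BADGE_ROSTER = """badge_id,person,area,ticket_id
B001,alice,SERVER_ROOM,PAC-101
B002,bob,SERVER_ROOM,
B003,carol,SERVER_ROOM,PAC-104
B004,dave,OFFICE_SUITE,PAC-105
B005,erin,SERVER_ROOM,PAC-105
"""
# Constructed HR export: carol has left but still holds server-room access.
HR_ROSTER = """person,status
alice,active
bob,active
carol,terminated
dave,active
erin,active
"""
# Constructed approval tickets. PAC-105 was approved for the office suite only,
# so it does not justify erin's server-room membership.
APPROVALS = """ticket_id,area,approver,status
PAC-101,SERVER_ROOM,it-security,approved
PAC-104,SERVER_ROOM,it-security,approved
PAC-105,OFFICE_SUITE,facilities,approved
"""
# Constructed door controller log. B999 is not on any roster.
DOOR_EVENTS = """timestamp,badge_id,door,result
2024-05-06T09:12:00,B001,SERVER_ROOM,granted
2024-05-06T23:40:00,B001,SERVER_ROOM,granted
2024-05-07T10:05:00,B003,SERVER_ROOM,granted
2024-05-07T11:00:00,B999,SERVER_ROOM,granted
2024-05-07T11:30:00,B004,SERVER_ROOM,denied
"""

# Assumption: the procedure defines unescorted access hours as 07:00-19:00.
BUSINESS_HOURS = (time(7, 0), time(19, 0))


def load(text):
    """Parse a CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(area, roster, hr, approvals, events, hours=BUSINESS_HOURS):
    """Return (finding, badge_id, detail) tuples for one restricted area.

    Roster checks: every member must be an active person and must trace to an
    approved ticket for this specific area. Event checks: every granted entry
    must come from a rostered badge whose owner is active, inside hours.
    """
    hr_status = {r["person"]: r["status"] for r in hr}
    approved = {r["ticket_id"] for r in approvals
                if r["area"] == area and r["status"] == "approved"}
    area_roster = [r for r in roster if r["area"] == area]
    findings = []
    for r in area_roster:
        if hr_status.get(r["person"]) != "active":
            findings.append(("stale_access", r["badge_id"], r["person"]))
        if r["ticket_id"] not in approved:
            findings.append(("no_approval", r["badge_id"], r["person"]))
    badge_owner = {r["badge_id"]: r["person"] for r in area_roster}
    for e in events:
        if e["door"] != area or e["result"] != "granted":
            continue  # denied swipes and other doors are out of scope here
        owner = badge_owner.get(e["badge_id"])
        ts = datetime.fromisoformat(e["timestamp"])
        if owner is None:
            findings.append(("unlisted_badge", e["badge_id"], e["timestamp"]))
        elif hr_status.get(owner) != "active":
            findings.append(("entry_by_inactive", e["badge_id"], e["timestamp"]))
        elif not (hours[0] <= ts.time() < hours[1]):
            findings.append(("after_hours", e["badge_id"], e["timestamp"]))
    return findings


def run_review(area="SERVER_ROOM"):
    """Run the reconciliation over the constructed sample exports."""
    return reconcile(area, load(BADGE_ROSTER), load(HR_ROSTER),
                     load(APPROVALS), load(DOOR_EVENTS))


if __name__ == "__main__":
    for finding, badge, detail in run_review():
        print(f"{finding:18} {badge:6} {detail}")
```

Each finding maps to a review action the procedure should already name: remove the access (stale_access, entry_by_inactive), open or attach a ticket (no_approval), investigate the badge (unlisted_badge), or confirm the exception was approved (after_hours). Keeping the script output next to the exports it read is the “review sign-off” artifact listed under Step 7.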
Enforcement context and risk implications
No public enforcement cases were provided in the source catalog for this requirement, so this page does not cite enforcement actions.
Operational risk still tracks cleanly:
- Weak physical access control raises the likelihood of device theft, unauthorized console access, tampering, and exposure of paper/removable media that contain CUI.
- Assessment risk is often higher than teams expect: many physical controls are real, but undocumented. NIST SP 800-171 assessments focus on whether you can demonstrate implementation and ongoing operation (NIST SP 800-171 Rev. 3).
Practical execution plan (30/60/90)
First 30 days (stabilize scope and ownership)
- Name control owners across Facilities, IT, and Security.
- Draft the CUI Physical Boundary statement and site/room list.
- Identify restricted areas and confirm existing controls (locks, badge readers, cabinets).
- Stand up a single intake for access requests and visitor exceptions (ticketing or controlled form).
Days 31–60 (standardize controls and evidence)
- Publish Physical Access Control Procedure mapped to 03.10.07 (NIST SP 800-171 Rev. 3).
- Implement role-based authorization rules and approval workflow for each restricted area.
- Turn on/export access logs where available; create a retention and review process.
- Roll out a visitor + third-party access workflow that covers escorted access to restricted areas.
Days 61–90 (prove operating effectiveness)
- Run the first periodic access review and document remediation (removals, role corrections).
- Test exceptions: temporary access, after-hours entry, third-party technician visit. Capture artifacts end-to-end.
- Build an “assessment packet” per site: scope, procedures, rosters, approvals, log samples, reviews.
- Move recurring evidence collection into Daydream so you can show consistent operation over time without scrambling.
Frequently Asked Questions
Does 03.10.07 require electronic badge systems?
No specific technology is mandated by the excerpt provided. You can meet the requirement with mechanical controls, but you must control access and retain evidence that access is restricted and managed (NIST SP 800-171 Rev. 3).
Our CUI is only on laptops. Do we still need restricted rooms?
You still need physical access control for areas where those laptops are used and stored. If you can’t restrict the full office, narrow the CUI boundary to a lockable room, lockable storage, and a procedure that prevents unattended exposure.
How do we handle shared office buildings where we don’t control the lobby?
Treat the building as a partial control and enforce stronger controls inside your suite and on restricted sub-areas. Document what the landlord provides and what you provide, and keep your own evidence for your boundary.
What evidence is “good enough” for visitor control?
Maintain a visitor log that shows identity, date/time, host, purpose, and whether escort was required for restricted areas. If reception manages logs, copy them into your compliance evidence set on a schedule you can sustain.
Can we rely on our colocation provider’s security for physical access control?
You can rely on provider controls for their facility layer, but you still need your own authorization list, approval trail, and records of who accessed your cage or equipment. Capture provider attestations and pair them with your internal access governance.
How do we operationalize this without overwhelming Facilities?
Keep the boundary small, use role-based groups, and standardize approvals. In practice, a simple access request workflow plus recurring access reviews prevents most churn and produces audit-ready evidence.