
Physical Protection (PE): The Security You Can See – and Why It Still Fails Most SMBs

The Night the Building Key Went Missing

It was a Tuesday morning when the plant manager at a small machining shop realized something troubling:

The master key – the one that opened the front door, the engineering office, the server closet, everything – was gone.

Maybe it fell out of someone’s pocket. Maybe it was “borrowed.” No cameras. No badge logs. No visitor logs. No idea.

The shop continued operations, but the truth hung in the air: if someone had entered the building last night, no one would know.

Two weeks later, after a missing laptop turned up at a pawn shop, leadership realized the problem wasn’t IT. It wasn’t insider threat. It wasn’t a hacker.

It was the front door.

Physical protection failures are rarely dramatic. They’re quiet: a door propped open, a lost key, an unlocked closet, a “visitor” no one really checked. But in CMMC and in the real world, physical security is often the thin line between your controlled unclassified information (CUI) staying safe… or walking out the door.


What Meeting the Objectives Might Look Like

CMMC’s Physical Protection (PE) family focuses on one thing: control who gets into your facility and what they can physically access once inside. Here’s what auditors typically expect to see at Level 2:

  • Controlled access to buildings and workspaces: Doors stay locked. Keys or badges are issued and tracked. You know who entered and when.
  • Visitor management: A log (paper or digital), sign-in procedure, escort requirement, and visitor badges.
  • Protected areas for CUI systems: Server rooms, networking closets, and CUI workstations have limited access.
  • Environmental and emergency protections: Fire suppression, surge protection, HVAC for server rooms, and plans for emergencies.
  • Monitoring and response: Cameras (if a system is already in place), alarms, or documented rounds/checks by staff.
  • Asset protection: Laptops locked up, removable media secured, and CUI files kept in locked cabinets when not in use.
  • Shipping and receiving controls: Packages handled in a controlled manner so no unauthorized person “wanders around” back rooms.

In short: None of this requires a Pentagon-grade bunker. But it does require consistency, documentation, and a level of physical discipline many SMBs simply haven’t formalized.


Why It Matters: Because strong defense starts long before an attack begins

Physical security can feel old-school in a world obsessed with AI threats and ransomware, but for defense contractors, it’s still a high-stakes business requirement. Here’s why:

  • A physical breach is a data breach. If someone steals a laptop with CUI or takes photos of prints on a desk, it counts — and it’s often unrecoverable.
  • Contract eligibility depends on it. Nearly every DoD contract with CUI exposure requires compliance with NIST SP 800-171 / CMMC Level 2. PE requirements are scored like every other requirement, and the core ones (limiting and monitoring physical access) carry the highest point values in the DoD assessment methodology, so gaps there can sink an assessment on their own.
  • Insurance and liability implications are real. A break-in where “the server room door was unlocked” is a claim-denier special.
  • Defense customers lose trust fast. Prime contractors will not keep a supplier who can’t keep its facility secure.
  • Physical protection is cheap risk reduction. Badges, locks, logs, and procedures cost little, yet they address the failures that actually cause most incidents: lost keys, propped doors, and unescorted visitors.

In short: Physical Protection is where cybersecurity and old-fashioned operations discipline meet. And when done right, it builds confidence with auditors, primes, customers, and employees.


Where Most Companies Slip Up

Here are the common pitfalls SMBs run into with Physical Protection, and where they most often stumble in CMMC assessments.

  • “We’ve always left that door unlocked.” Legacy habits are the biggest enemy of compliance.
  • Uncontrolled keys. No documentation of who has them. No process when someone leaves the company.
  • No visitor logs (or logs filled out inconsistently). Auditors spot this instantly.
  • Server closets that double as storage rooms. If six people have access, it’s not a restricted area.
  • No escort policy. Contractors, cleaners, HVAC techs, and vendors walk freely.
  • Doors propped open during deliveries. A single unmonitored loading dock can undo everything else.
  • No awareness of tailgating. A friendly “hold the door” moment bypasses the entire access control system.
  • Lost devices and removable media. “It’s somewhere in the shop” is not a security control.
  • Under-scoped access lists. Tracking employees with keys or badges, but forgetting contractors, cleaning crews, the landlord's maintenance staff, delivery drivers, or whoever holds the after-hours alarm code.

Most failures aren’t about sophisticated attackers – they’re about day-to-day discipline.


How to Start Strong (and Grow Stronger)

Here’s a two-tiered approach: a “Starting Point” for compliance, and then the NEX Level enhancements to build real resilience and business advantage. 

A Starting Point: The Minimum to Meet Compliance

These are practical actions you can implement relatively quickly to satisfy the assessment objectives for PE and lay the foundation for good physical security hygiene…

  1. Implement a formal, enforced access control policy for buildings and rooms with CUI.
  2. Issue keys or badges, track them, and maintain an access list.
  3. Keep exterior doors locked during operations.
  4. Maintain a visitor sign-in log, visitor badges, and escort rules.
  5. Lock server rooms, network closets, and areas with physical CUI.
  6. Secure laptops and mobile devices when not in use.
  7. Train personnel on daily expectations (no tailgating, lock doors, challenge unknown people).
  8. Maintain basic environmental protections (fire suppression, surge protection, temperature control).
  9. Document everything. (This alone is half the battle.)

By ticking off these nine steps, you can demonstrate to an assessor (or yourself) that your PE controls are actively managed and aligned with CMMC requirements. 


The NEX Level: Turning Compliance into Competitive Advantage

Once you’ve covered the basics, here are advanced practices you can turn into competitive advantage… not just compliance. 

  • Shift from keys to electronic access. Badge swipes = logs = audit gold.
  • Add low-cost cameras. Not for surveillance theater – for incident reconstruction. 
  • Geo-fenced Wi-Fi or Bluetooth presence monitoring. Helps corroborate who was in CUI areas and when; treat it as supporting evidence alongside badge logs, not as an access control in itself.
  • Dedicated secure storage for removable media and sensitive tooling. Reduces theft risk and insider threat.
  • Environmental monitoring systems. Alerts if server room temperature spikes or power fails.
  • Delivery management. Separate delivery entrances with controlled access keep vendors out of operational spaces.
  • After-hours security rounds with digital check-ins. Strengthens monitoring without hiring guards.
  • Continuous key/badge audits. Quarterly reconciliation prevents drift.

These enhancements raise your maturity level and create a culture of physical security… and that culture shows in assessments, customer reviews, and operational uptime.


The Museum Artifact Lesson 

Walk through any museum and you’ll notice something: the everyday exhibits are open, but the priceless artifacts live behind layers of protection — locked rooms, glass cases, ID-restricted doors, cameras, and staff who watch closely.

Not because visitors are bad. Because valuable things become vulnerable when access is uncontrolled.

Your CUI works the same way. It doesn’t need a glass case, but it does need: defined access, controlled rooms, logged entry, monitoring, and a clear understanding of who is allowed near it.

Most SMBs don’t fail Physical Protection because they don’t care – they fail because they haven’t adopted the museum mindset: not everyone gets backstage, and not every door should be open just because it’s convenient.

Takeaway: If it’s valuable to your business, protect it like a museum protects its artifacts.


Helpful Resources

Here are some resources to help you dig deeper and operationalize the PE control family…

Framework & Standards

  • DoD CMMC Resources – Official documentation from the DoD covering CMMC Model v2.0.
  • NIST SP 800-171 Rev. 2 – Full text from NIST, the source standard that CMMC maps to.
  • NIST SP 800-53 Rev 5 – broader control catalog that includes Physical and Environmental Protection (PE) controls (useful for NEX Level maturity)

Paid Resources

  • Brivo – cloud-based access control and unified security platform: doors, locks, badges/mobile credentials, video surveillance, and visitor management — all managed from a single cloud dashboard.
  • CYYNC – A centralized system to plan and track evidence collection, conduct and document self-assessments, manage POA&M items through remediation, and maintain a continuous audit trail.
  • Envoy Visitors – visitor management system (VMS) that lets you pre-register guests, screen them, assign time-limited access, print badges, and automatically log their arrivals and departures.
  • APC NetBotz – physical & environmental monitoring system for server rooms, network closets, data centers, and any rooms holding critical IT assets. It monitors temperature, humidity, door access, motion, and other physical/environmental conditions — and issues alerts if thresholds are exceeded (e.g., a door opens when it shouldn’t, temperature spikes, water leak, etc.).

CyberNEX Resources

  • CMMC Decoded: Physical Protection Reference Sheet – A concise one-page guide for defense contractors that outlines the PE control family, explains why it matters, highlights examples of evidence auditors might expect, provides quick-win actions to get started, and includes links to available resources.
  • CyberNEX Blog Archive – Explore all 14 CMMC control families with in-depth explainers, practical recommendations, and actionable insights tailored to defense contractors.

Take the NEXt Step

If you’re an SMB in the Defense Industrial Base, Physical Protection is one of the fastest, clearest wins you can achieve toward CMMC Level 2. The real advantage comes when your business uses CMMC practices to strengthen operations, protect revenue, and earn the trust of your partners and the DoD. Whether you’re trying to pass an assessment or build a truly resilient cybersecurity program, CyberNEX helps you move from “checking the box” to owning your security posture.

Our team has guided dozens of SMBs through CMMC readiness, helping them translate complex requirements into simple, actionable steps. We know where most businesses struggle, and we know how to make progress visible – fast.

👉 Get clarity on your PE gaps and a clear plan forward. Book a Discovery Session with our experts today.


Not ready to chat yet?
→ Learn more about our CMMC Readiness Assessments
→ Subscribe to NEX Level Newsletter


FAQs

1. What does CMMC Physical Protection actually require? 
CMMC requires you to limit and monitor physical access to any area where CUI could be stored, processed, or viewed. That includes buildings, rooms, cabinets, servers, laptops, and even portable media. You must maintain clear access control procedures (keys, badges, escorts), protect equipment from unauthorized use, and document how you prevent, detect, and respond to unauthorized entry. In short: know who can get in, when they can get in, and how you ensure no one else can.

2. Do I need cameras for CMMC?
No. Cameras are not a formal requirement in CMMC Level 2. However, if cameras already exist in your facility, auditors will expect you to treat them as a security control – meaning you review footage as needed, retain it according to policy, and ensure they are positioned and used purposefully. Not required, but if they’re there, you must manage them like any other security system.

3. Do we need a badge system, or are keys enough?
Traditional keys are acceptable as long as you track issuance, returns, lost keys, rekeying events, and who has access to which spaces. This must be documented and consistently maintained. Electronic badge systems aren’t required, but they significantly simplify compliance by automatically logging access events, reducing administrative overhead, and giving clearer auditor evidence. Keys work, but badges make audits easier.

4. Can visitor logs be paper-based?
Yes. Paper visitor logs fully satisfy CMMC requirements as long as they are used reliably every single time. Logs must capture the visitor’s name, organization, reason for visit, who they met with, and time in/out. The biggest issue is consistency… auditors often find gaps, illegible handwriting, or missing fields. Paper is fine; disciplined use is what matters.

5. What about after-hours access?
You must demonstrate that physical access is controlled 24/7, not just during business hours. This means doors locked after hours, clear lists of who has authorized access, and a way to monitor or validate who enters the building at night or on weekends. If someone has after-hours entry – whether through a key, badge, or alarm code – you must document it and justify why they need that level of access.
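The badge-log review that the NEX Level list (electronic access, quarterly key/badge reconciliation) and this after-hours question both call for can be scripted. What follows is an added example, not code from the original article or from CyberNEX: the roster, names, badge IDs, door and zone names, the 07:00 to 18:00 business-hours window, the 90-day dormancy threshold and the CSV export format are all constructed assumptions, and a real badge controller's export will need its own parser.

```python
"""Quarterly badge-access reconciliation (added example, not CyberNEX code).

Reads a badge-controller export, compares it with the authorized-access roster
and returns the findings an assessor would ask about: unknown badges, separated
employees whose badge still works, entry to zones a person is not approved for,
after-hours entry without after-hours authorization, and issued badges that
went unused all period (candidates for revocation)."""
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import List, Optional, Tuple

# Constructed roster with hypothetical names and badge IDs.
# zones: restricted areas the person is approved for; after_hours: may enter
# outside business hours; active: False once the person has separated.
ROSTER = {
    "B1001": {"name": "A. Patel", "zones": {"front", "eng", "server"}, "after_hours": True, "active": True},
    "B1002": {"name": "J. Ortiz", "zones": {"front", "shop"}, "after_hours": False, "active": True},
    "B1003": {"name": "M. Chen", "zones": {"front", "eng"}, "after_hours": False, "active": False},
    "B1004": {"name": "R. Doyle", "zones": {"front", "shop"}, "after_hours": False, "active": True},
}

# Constructed controller export (assumed format): timestamp,badge_id,door,zone,result
BADGE_LOG = """\
2025-03-03T07:55:12,B1001,front-main,front,granted
2025-03-03T08:02:41,B1002,front-main,front,granted
2025-03-03T08:03:05,B1002,server-closet,server,granted
2025-03-03T21:47:30,B1002,front-main,front,granted
2025-03-03T22:10:02,B1003,front-main,front,granted
2025-03-04T09:15:00,B9999,front-main,front,granted
2025-03-04T09:16:10,B1002,server-closet,server,denied
"""

BUSINESS_HOURS = (time(7, 0), time(18, 0))  # assumption: 07:00-18:00 local time
DORMANT_DAYS = 90                            # assumption: one quarter


@dataclass
class Finding:
    ts: Optional[datetime]   # None for period-level findings (dormant badges)
    badge: str
    issue: str


def parse_log(text: str) -> List[dict]:
    """Parse the assumed CSV export into event dicts with real datetimes."""
    events = []
    for line in text.strip().splitlines():
        ts, badge, door, zone, result = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "badge": badge,
                       "door": door, "zone": zone, "result": result})
    return events


def reconcile(events: List[dict], roster: dict, as_of: datetime) -> List[Finding]:
    findings: List[Finding] = []
    last_use = {}
    for e in events:
        last_use[e["badge"]] = max(last_use.get(e["badge"], e["ts"]), e["ts"])
        if e["result"] != "granted":
            continue  # a denied swipe means the controller did its job
        person = roster.get(e["badge"])
        if person is None:
            findings.append(Finding(e["ts"], e["badge"], "unknown badge granted access"))
            continue
        if not person["active"]:
            findings.append(Finding(e["ts"], e["badge"], "inactive (separated) badge still works"))
        if e["zone"] not in person["zones"]:
            findings.append(Finding(e["ts"], e["badge"], f"entry to zone '{e['zone']}' not on access list"))
        in_hours = BUSINESS_HOURS[0] <= e["ts"].time() < BUSINESS_HOURS[1]
        if not in_hours and not person["after_hours"]:
            findings.append(Finding(e["ts"], e["badge"], "after-hours entry without after-hours authorization"))
    # Drift check: an issued, active badge nobody used all period should be questioned.
    for badge, person in roster.items():
        unused = badge not in last_use or as_of - last_use[badge] > timedelta(days=DORMANT_DAYS)
        if person["active"] and unused:
            findings.append(Finding(None, badge, "active badge unused this period; confirm still needed"))
    return findings


def run_audit(log_text: str = BADGE_LOG, roster: dict = ROSTER, as_of: str = "2025-03-31") -> List[Tuple[str, str]]:
    """Convenience wrapper returning (badge, issue) pairs for the sample data."""
    return [(f.badge, f.issue) for f in reconcile(parse_log(log_text), roster, datetime.fromisoformat(as_of))]


if __name__ == "__main__":
    for badge, issue in run_audit():
        print(f"{badge}: {issue}")
```

Run it against the quarter's export and file the output with the reconciliation record; the findings list is the evidence that badge issuance is actually being reviewed, not just logged. For plain metal keys you only have the roster side of this check (no event data), so the "is this person still active and still needs this key?" review has to be done by hand against the key register.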
