Mapped to NIST 800-171 Requirement: 3.10.10
CMMC Assessment Objective: PE.L2-3.10.10
What This Control Means
You must implement security measures and monitoring systems to protect your:
• Buildings
• Secure rooms
• Data closets or IT racks
• HVAC units and power distribution supporting CUI systems
This is about facility-level protection, not just access control to individual systems. Think perimeter defense, internal barriers, and infrastructure safeguards.
Why It Matters
If your facility or supporting infrastructure is compromised:
• CUI systems may go offline or be physically accessed
• Attackers may bypass digital security by tampering with physical systems
• Power outages or overheating could destroy sensitive data
• You lose physical accountability, which could invalidate your system integrity
This control ensures your CUI systems are safe at the physical infrastructure level.
How to Implement It
1. Harden Your Facility
• Lock server rooms and IDF/MDF closets
• Use secured enclosures for network gear and storage devices
• Limit access to HVAC, power, and telecom lines supporting CUI systems
2. Monitor Entry Points and Sensitive Areas
• Install:
◦ Cameras at entrances and inside CUI zones
◦ Motion detectors or alarms for unauthorized entry
◦ Logging or alerting tied to facility access
3. Maintain Environmental Monitoring
• Use temperature, humidity, smoke, or water leak sensors in server rooms
• Ensure uninterruptible power supply (UPS) systems protect infrastructure
4. Log and Respond to Incidents
• Monitor alerts from surveillance or environmental sensors
• Respond promptly to unauthorized entry or abnormal conditions
5. Document in Your Security Plan
• Detail facility protection mechanisms in your SSP
• Reference security zones, monitoring systems, and critical infrastructure coverage
Evidence the Assessor Will Look For
• Documentation showing facility protections are in place (e.g., locked rooms, cameras)
• Diagrams showing security zones and physical barriers
• Environmental monitoring logs (e.g., temperature alerts, UPS activity)
• Maintenance records or security incident response logs
• Physical walkthrough or video evidence confirming systems are protected and monitored
Common Gaps
• CUI servers placed in open office areas or unsecured closets
• No video surveillance or alerting systems
• No logs for physical security events or environmental issues
• Facility and infrastructure not documented in security planning
How Cuick Trac Helps
Cuick Trac supports this requirement by:
• Mapping your facility zones and associating them with CUI systems
• Logging and documenting all physical infrastructure protections
• Supporting environmental sensor integrations and alert reporting
• Helping document your facility’s physical protections in your SSP
• Tracking and auditing monitoring events tied to physical incidents or alerts
With Cuick Trac, your facility and its systems are protected from the outside in.
Final CTA
If your systems are secure, your facility should be too.
Schedule a Cuick Trac demo to secure, monitor, and document the physical infrastructure that supports your CUI environment.