

Physical Security Controls for Small Contractors

Small defense contractors often operate from commercial office spaces, sometimes shared or co-working environments. The Physical Protection (PE) family in NIST SP 800-171 Rev 2 includes six requirements that address physical access to systems processing CUI. These controls do not require a SCIF (Sensitive Compartmented Information Facility), but they do require more than an unlocked office door.

PE.L2-3.10.1 — Limit Physical Access

You must limit physical access to organizational systems, equipment, and operating environments to authorized individuals. For most small contractors, this means the office space where CUI is processed must have controlled entry — a locked door with access limited to employees and authorized visitors. Key card systems, cipher locks, or even a traditional lock-and-key arrangement can satisfy this requirement if access is managed and auditable.

If you work in a shared office space, the area where CUI systems are located must be separated from common areas. A lockable private office within a co-working space can work. An open desk in a shared area cannot.

PE.L2-3.10.2 — Protect and Monitor the Physical Facility

Protect and monitor the physical facility and the support infrastructure for organizational systems. Monitoring measures include security cameras at entry points, intrusion detection (motion sensors, door contact alarms), and after-hours alarm monitoring. The requirement does not name a specific technology, and the level of monitoring should be proportional to the risk; for a dedicated office, a monitored alarm system plus camera coverage at entry points is a reasonable baseline. Support infrastructure means the power, network cabling, and telecom or wiring closets your systems depend on, so a closet holding your switch or patch panel has to be locked and covered by the same controls as the office itself.

PE.L2-3.10.3 — Escort Visitors

Escort visitors and monitor visitor activity. Any person who is not an authorized employee must be escorted while in areas where CUI systems are present. Maintain a visitor log that records the visitor's name, organization, purpose, date and time in/out, and the name of the escort. This is a procedural control that costs nothing to implement but requires consistent discipline.

PE.L2-3.10.4 — Maintain Audit Logs of Physical Access

Maintain audit logs of physical access. If you use a key card system, the system's access log satisfies this requirement. If you use traditional keys, you need a sign-in/sign-out log at the entry point. The log must capture who accessed the facility and when. Retain these records per your retention policy — at least one year is recommended.

PE.L2-3.10.5 — Control and Manage Physical Access Devices

Control physical access devices such as keys, key cards, and combination codes. Maintain an inventory of who has which physical access devices. When an employee leaves, recover their keys or key cards and update access codes. Review the inventory periodically to ensure only current authorized personnel have physical access.
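One way to turn the audit log (3.10.4) and the device inventory (3.10.5) into a periodic review is a short script that reconciles the badge controller's export against the inventory, flagging revoked cards that still open doors, cards that are not in the inventory at all, and after-hours entries that need to be checked against approved work. This is an added example, not code from the original article or from CMMCDocs; the CSV column layouts, the business hours, and the sample events are constructed assumptions, and a real controller's export will need its own column mapping.

```python
"""Reconcile a badge-reader access log (3.10.4) against the physical access
device inventory (3.10.5). Added example, not from the original article; the
CSV layouts and business hours below are assumptions."""
import csv
import io
from collections import Counter
from datetime import datetime, time

# Constructed sample inventory: which card each person holds and its status.
DEVICE_INVENTORY_CSV = """\
card_id,holder,status,issued,revoked
C1001,alice,active,2023-01-09,
C1002,bob,active,2023-03-20,
C1003,carol,revoked,2022-11-01,2024-05-31
C1004,visitor-01,active,2024-01-02,
"""

# Constructed sample badge-reader export: one line per door event.
ACCESS_LOG_CSV = """\
timestamp,card_id,door,result
2024-06-03T08:02:11,C1001,front,granted
2024-06-03T08:15:40,C1002,front,granted
2024-06-03T22:47:03,C1003,server-room,granted
2024-06-04T07:58:19,C1001,front,granted
2024-06-04T02:13:55,C9999,front,denied
2024-06-04T19:30:00,C1002,server-room,granted
2024-06-05T09:01:02,C1004,front,granted
"""

# Assumed business hours; anything outside them, or on a weekend, is "after hours".
BUSINESS_HOURS = (time(7, 0), time(19, 0))


def load_inventory(csv_text):
    """Map card_id -> inventory row."""
    return {row["card_id"]: row for row in csv.DictReader(io.StringIO(csv_text))}


def parse_log(csv_text):
    """Parse the badge log, converting timestamps to datetime objects."""
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        events.append(row)
    return events


def is_after_hours(ts, hours=BUSINESS_HOURS):
    """True on weekends or outside the configured business hours."""
    start, end = hours
    return ts.weekday() >= 5 or not (start <= ts.time() < end)


def review_access_log(log_text, inventory_text, hours=BUSINESS_HOURS):
    """Return the findings a reviewer should look at.

    revoked_card_granted: a card marked revoked still opens a door, so it was
                          recovered on paper but never deactivated in the controller.
    unknown_card:         the card is not in the inventory at all (inventory is
                          incomplete, or someone is probing the reader).
    after_hours:          access granted outside business hours; compare against
                          approved after-hours work.
    """
    inventory = load_inventory(inventory_text)
    findings = []
    for ev in parse_log(log_text):
        ts, door, card_id = ev["timestamp"], ev["door"], ev["card_id"]
        card = inventory.get(card_id)
        if card is None:
            # Flag unknown cards even when the controller denied them.
            findings.append({"kind": "unknown_card", "card_id": card_id,
                             "holder": None, "when": ts, "door": door})
            continue
        if ev["result"] != "granted":
            continue
        base = {"card_id": card_id, "holder": card["holder"], "when": ts, "door": door}
        if card["status"] != "active":
            findings.append({"kind": "revoked_card_granted", **base})
        if is_after_hours(ts, hours):
            findings.append({"kind": "after_hours", **base})
    return findings


def summarize(findings):
    """Count findings by kind, e.g. for the monthly review record."""
    return Counter(f["kind"] for f in findings)


if __name__ == "__main__":
    results = review_access_log(ACCESS_LOG_CSV, DEVICE_INVENTORY_CSV)
    for f in results:
        who = f["holder"] or f["card_id"]
        print(f"{f['when']:%Y-%m-%d %H:%M}  {f['kind']:<22} {who:<12} {f['door']}")
    print(dict(summarize(results)))
```

On the constructed data the script flags carol's revoked card opening the server room at night (two findings: the revoked card and the after-hours entry), an unknown card C9999 probing the front door, and bob entering the server room after hours. Run it against each month's export and keep the printed summary with the review record; the revoked-card finding is the one that shows 3.10.5 offboarding actually worked, not just that a form was signed.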

PE.L2-3.10.6 — Alternative Work Sites

Enforce safeguarding measures for CUI at alternative work sites. If employees work from home and access CUI remotely, the home workspace must provide comparable physical protection. This means a dedicated work area (not a coffee shop), a locked room or cabinet for any physical CUI, and screen positioning that prevents unauthorized viewing. Document your remote work policy and include physical security requirements.

Practical Tips for Small Offices

You do not need enterprise-grade physical security. A commercial alarm system with monitoring costs $30-100 per month. A basic key card system for one or two doors costs $500-2,000 installed. Security cameras with cloud recording cost $100-500 per camera plus $10-30 per month for storage. A printed visitor log costs nothing. These are manageable investments for any business.

Tags: Physical Security, PE Controls, Small Business, Facilities
