CMMC Practice PE.L1-3.10.1

Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.

Bold Coast Security Guidance

Evaluate the placement of all your computers, servers, and network equipment. It should be in secured, or securable areas. You will need to identify users or roles which can access these areas in your policies or procedures. The organization should restrict access to the non-public areas of the building. Furthermore, not all employees need access to servers and network equipment, and there may be a subset of workstations only a few employees should access. Your organization may need to budget time or money to move equipment to secured server rooms, or purchase enclosures and lockable racks for your servers and network equipment, such as your firewalls and routers. It is not unusual to find network switches in open areas of larger manufacturing facilities. These switches must be secured from unauthorized access by placing them in locked closets or inside a small, lockable rack. Network servers should always be placed in a secured area, ideally with electronic locks which will automatically record entry to areas and can enforce time of day restrictions. Also consider placing cameras in locations to record physical entry to secured areas. If no separate data center or server room exists in your facility, a lockable rack which monitored by video would be appropriate.

Discussion From Source

DRAFT NIST SP 800-171 R2 This requirement applies to employees, individuals with permanent physical access authorization credentials, and visitors. Authorized individuals have credentials that include badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed consistent with applicable laws, directives, policies, regulations, standards, procedures, and guidelines. This requirement applies only to areas within facilities that have not been designated as publicly accessible. Limiting physical access to equipment may include placing equipment in locked rooms or other secured areas and allowing access to authorized individuals only; and placing equipment in locations that can be monitored by organizational personnel. Computing devices, external disk drives, networking devices, monitors, printers, copiers, scanners, facsimile machines, and audio devices are examples of equipment.