How To Implement NIST 800-171 Physical Security Controls

NIST 800-171/CMMC


“Physical Protection” security requirements are one of fourteen NIST 800-171 information protection families (PDF - Chapter three) that define how your physical buildings and rooms containing Controlled Unclassified Information (CUI) will be secured.

What Does Physical Security or Protection Mean?

“Physical security” and “security controls” are constantly evolving terms because of the accelerated advancements in technology organizations are going through.

» LEARN MORE: Here's All You Need To Know About NIST 800-171 Compliance Requirements (+ Next Steps)

Companies are now often confronted with taking the appropriate steps to secure the facilities housing increasingly smaller, lighter, and easily transferable devices.


Because of these threats of stolen or damaged data, physical security (and security controls in general) are a key component of NIST SP 800-171 compliance.


“Physical Protection,” outlined in section 3.10 of the NIST SP 800-171 publication (see embedded PDF below), details the physical security requirements that your company needs to implement in order to protect your business and achieve compliance.

The security controls defined in section 3.10 include activities such as limiting physical access to your company’s information technology infrastructure (file servers, workstations, etc.) to authorized individuals only.


Also included in Section 3.10 is a subsection that is referred to as Derived Security Requirements. It includes security control activities such as escorting and monitoring visitors, maintaining activity logs of physical access, and controlling physical access to certain devices. I'm going to provide you with some real-world examples below.


Companies often find themselves at a liability because physical security is so easily overlooked, especially with information security protocols. For example, there's an erroneous belief that a strong password is all that is needed.

Yet physical security entails so much more than that...

NIST 800-171 Physical Security: Does Your Company Have To Comply?

The question of whether the installation of physical security controls is required for your company is answered within the abstract of the NIST SP 800-171 R2 document:

“The requirements apply to all components of nonfederal systems and organizations that process, store, and/or transmit CUI, or that provide protection for such components.”

If your company is involved in the handling of Controlled Unclassified Information (CUI) in any manner, then the installation of Physical Security Controls is an imperative step.  

Training Employees on Physical Security Requirements  

The first consideration for a company implementing physical security controls is the proper training of employees. Untrained employees are often the main reason why your company can be at risk of physical vulnerabilities. Training employees on these physical security controls is the most important step that your company can take.

4 Examples of NIST 800-171 Physical Security Implementations

Some of the most frequent occurrences your company is likely to experience with respect to violations of physical security controls under NIST 800-171 are:

  1. Intruders, of which examples would be delivery personnel, vendors, or visitors who can find their way into your premises. A safeguard against these activities is using identification badges on all personnel and request filling a form for outsiders. Employees must be aware of who enters the premises with them. Unidentified personnel seen in buildings or on premises should be reported to management immediately. Proper safeguards should also be in place for intruders who may go undetected. These include the protection of sensitive online information that may be accessible on workstations or computer terminals. Locking workstations and protecting file servers in a secure room are important steps to take.
  2. Another example of a safeguard includes a clean desk protocol that you can institute at your company. This is simply a matter of keeping sensitive data locked securely in file cabinets and drawers when they are not in use by your employees.  
  3. An effective physical security control is the installation of a video surveillance system that allows 24-hour monitoring and recording of all the entrances and exits of your company’s facilities. In the case of a security breach, recorded video information can be retrieved from these security cameras to identify intruders.
  4. The implementation of wireless networks is now very common so another example is to control the flow of CUI by using authorization and encryption technologies effectively to prevent hacking attempts.

These are just some examples of a wide variety of implementations based on what your company does, how you get those tasks done, and what risks you face because of that. These scenarios constantly change under a growing technological environment.

Get Secured Against NIST 800-171 Physical Security Requirements

The information and examples provided illustrate the importance of physical controls and should help you understand what steps can be taken to comply with NIST SP 800-171 requirements. These physical security controls can be challenging to understand and implement, and they take precious time away from your daily operations.

Encompass Consultants is working to fix this problem with a clear focus on rapid compliance services for businesses who don't have the time or resources to worry about each individual control family. With a complete enclave and enterprise based system for implementing small-medium sized businesses NIST 800-171 system from the ground up, you can rely on our expertise to achieve compliance.

Learn More From an  Expert

Get In Touch

Related Articles