CMMC Deep Dive: Physical Protection (PE)
A guide to the Physical Protection (PE) domain, covering how to secure physical access to facilities and systems.
Published: June 25th, 2024 | By: CMMC Dashboard Team | Last updated: August 7th, 2025
This article is part of our series on The 14 CMMC Domains.
The Physical Protection (PE) domain requires organizations to secure the physical locations that house their information systems and CUI. Cybersecurity isn't just about digital defenses.
Why It Matters
An attacker who can physically access a server or network closet can easily bypass most digital security controls. Physical security protects against theft, tampering, and unauthorized access.
Key Practices
- PE.L1-3.10.1: Limit physical access to systems and operating environments to authorized individuals.
- PE.L1-3.10.2: Escort visitors and monitor their activity.
- PE.L1-3.10.4: Maintain audit logs of physical access.
- PE.L2-3.10.6: Monitor physical access to detect and respond to incidents.
What Assessors Look For
- A physical access control policy.
- Visitor logs.
- Evidence of physical barriers (e.g., locks on server room doors).
- Logs from electronic access control systems (badge readers).
- Potentially, footage from surveillance systems.