AC.L2-3.10.2[a] — Physical Protection (Physical Access Monitoring)Domain: Physical Protection (PE) | Practice: PE.L2-3.10.2 | Objective ID: 3.10.2[a] | Source: NIST SP 800-171 Rev. 2 / CMMC 2.0 Level 2 | Assessment Objective: The physical facility is monitored to detect and respond to physical security incidents. |
Executive Summary (For Leadership and the Board)
CMMC objective AC.L2-3.10.2[a] sits inside the Physical Protection domain (PE.L2-3.10.2 — Physical Access Monitoring) and reads: The physical facility is monitored to detect and respond to physical security incidents.. Deploy physical monitoring capabilities (cameras, intrusion detection sensors, guard patrols, alarm systems) to detect unauthorized access or security incidents at facilities housing CUI. For organizations that handle Controlled Unclassified Information (CUI), this objective is part of the foundation that every downstream control depends on.
Under DFARS 252.204-7012, AC.L2-3.10.2[a] will be evaluated during a full third-party CMMC Level 2 assessment, Joint Surveillance Voluntary Assessment, or formal certification gating DoD CUI contract awards. Leadership and the board should be asking: Who owns this objective? When was it last reviewed? Where is the evidence stored? And what is our remediation plan if a C3PAO flags a gap? Failing this objective in isolation may be POA&M-able under CMMC 2.0; failing it in conjunction with related objectives in the same practice is typically not.
Business Question | What Leadership Must Confirm |
|---|---|
Do we have a documented, owned, and current implementation for the requirement that the physical facility is monitored to detect and respond to physical security incidents? | A named control owner exists, the implementation is documented in the SSP, and a defined review cadence is in force. |
Can we produce evidence that this objective is operating effectively across every CUI-bearing system in scope? | Artifacts (logs, tickets, config exports, attestations) are collected on a defined cadence and tied back to AC.L2-3.10.2[a]. |
What happens if this control fails or drifts out of compliance? | A documented detection, escalation, and remediation path exists, with the vCSO as the executive backstop. |
Can we prove this objective to a C3PAO? | The evidence package — policy, configuration, monitoring output, and recertification records — is pre-built and mapped directly to AC.L2-3.10.2[a]. |
Executive Risk Lens: Failures against this objective routinely surface in Verizon DBIR and Mandiant M-Trends data as contributors to CUI exfiltration, ITAR-relevant data exposure, and engineering CUI loss to nation-state adversaries. A single weak point in Physical Access Monitoring can undermine every other access-control and integrity control in the CUI boundary.