Practice 8 of 15 · FAR 52.204-21(b)(1)(viii) · PE: Physical Protection

PE.L1-b.1.viii

Limit physical access to systems

Lock the door. Physical access to your laptops, servers, shop PC, trailer PC, file cabinets, and anything else that holds FCI must be limited to authorized people. The bar is "reasonable for a small business," not "DoD facility."

Official text

Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.

FAR 52.204-21(b)(1)(viii), CMMC Level 1 v2.13 Assessment Guide

What evidence satisfies this

Any one of these, by itself, won't satisfy the practice — but showing a few of them together is what an assessor or a prime contractor expects to see:

  • Locked office door / suite door with limited keyholders.
  • Keycard or PIN log for the office or trailer.
  • Locked file cabinet for paper FCI.
  • Server / network closet locked, with a posted list of who can access.
  • Cable locks on trailer / front-desk PCs that can't be locked away.

Common ways small shops fail this

  • Office door propped open all day during business hours, no front-desk control.
  • Trailer with the windows open, laptop logged in and visible from the parking lot.
  • File cabinet holding pay applications and POs left unlocked.
  • Shared shop PC in the open with a sticky-note password on the monitor.
  • Server in a closet anybody can walk into.

How to fix it in a weekend

  1. Walk the building once. Anywhere FCI lives, ask "can a non-employee touch this without me knowing?" Fix every yes.
  2. Lock the file cabinet that holds POs / pay apps / drawings. Track who has the key.
  3. Move the shop / trailer PC away from public sightlines or add a privacy screen.
  4. Put a cable lock on any PC that has to live in a public area.
  5. Put the network gear (router, switch, server) in a locked closet — even a $20 padlock counts.

FAQ

Do I need badge readers and cameras at Level 1?

No. Level 1 calls for limiting physical access; it does not specify badge readers or cameras. A locked office door with a controlled keyholder list satisfies the practice. Cameras and badge systems show up at Level 2, in NIST 800-171's stronger physical-protection controls.
