3.10.2 — Watch the Building

The One-Liner

If someone breaks in at 2 AM and nobody notices, your monitoring has failed.

What It Says

Protect and monitor the physical facility and support infrastructure for organizational systems.

What It Actually Means

Four things assessed: the facility is protected (locks, barriers), the support infrastructure is protected (power, cabling, HVAC), the facility is monitored (cameras, alarms), and infrastructure is monitored (environmental alerts). For most DIB contractors: CCTV on entry points and server rooms, alarm system, UPS/generator for servers, temperature monitoring in the server room, and fire suppression.

---

Pass or Fail

Your assessor needs a “yes” to every row:

#	Question	What “yes” looks like
1	Is the physical facility protected?	Locks, doors, barriers adequate for CUI areas
2	Is support infrastructure protected?	Power (UPS), cabling secured, HVAC for server room
3	Is the facility monitored?	CCTV on entries and server room; alarm system; footage retained
4	Is infrastructure monitored?	Temperature, humidity, power alerts for server room

---

What to Have Ready on Assessment Day

Documents they’ll review: Physical and environmental protection policy; monitoring procedures; CCTV configuration and retention settings; alarm system documentation; environmental monitoring records; system security plan

People they’ll talk to: Personnel with physical access responsibilities; information security personnel

Live demos they’ll ask for: “Show me your security cameras — what do they cover?” “How long is footage retained?” “Show me environmental monitoring in the server room.” “What happens if the alarm triggers after hours?”

---

The Assessor’s Playbook

These are the actual questions. Have answers ready.

• “Show me your security cameras — do they cover server room entries?”
• “How long is camera footage retained?”
• “Do you have environmental monitoring in the server room?”
• “What happens if the alarm triggers after hours?”

Real-World Example

A defense contractor has CCTV on the building entrance, the server room door, and the CUI work area entrance — footage retained 30 days on a dedicated NVR. An alarm system covers all entry points with after-hours monitoring by a security company. The server room has a UPS (30-minute runtime), temperature sensor (alerts if >80°F), and a clean-agent fire suppression system. The assessor reviews camera placement, alarm configuration, and the temperature alert log.

---

Where Companies Trip Up

No cameras or alarms. Entry points unmonitored. Install CCTV on all entries to CUI areas and server rooms.

Cameras nobody watches. Recording exists but nobody reviews footage or responds to motion alerts. Configure after-hours motion alerts.

No environmental protection. Server room without UPS, temperature monitoring, or fire suppression. These are all assessable.

---

How to Talk About This

To a CEO or Board

Our facilities are monitored with CCTV and alarms. Server rooms have environmental controls — UPS, temperature monitoring, and fire suppression.

To an Engineering Team

CCTV on entries and server room (30-day retention). Alarm system with after-hours monitoring. Server room: UPS (30 min), temperature alerts, clean-agent fire suppression. Environmental alerts to on-call admin.

---

Connected Requirements

Requirement	Why it matters here
3.10.1 — Lock the Doors	Physical access controls that monitoring supports
3.10.4 — Log Physical Access	Camera footage supplements badge access logs

---

Implementation

🔒

Step-by-step guides for Microsoft 365, AWS, Azure, and GCP are available to Ancitus clients.

Start a conversation →

---

CMMC Practice ID: PE.L2-3.10.2 | SPRS Weight: 5 points | POA&M Eligible: No