Only authorized people can physically reach systems and CUI.
What it actually means
Physical security counts. Servers, network gear, and the spaces where CUI is handled must be physically restricted to authorized people, using locked rooms or cabinets, badge access, and controlled entry. Remote and home workers need comparable controls for their work area.
Pass or fail — an assessor needs a "yes" to each
- Physical access to systems/equipment is restricted to authorized people.
- Server/network areas are locked or access-controlled.
- Remote-work physical security is addressed.
What to have ready
- Physical access policy
- Badge/lock/access-control records
- Home-office security guidance for remote staff
Where teams trip up
- Server gear in an unlocked common area
- No control over who enters CUI work areas
- Ignoring remote-worker physical security