NIST Special Publication 800-171 Revision 2

3.10.1: Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals.

This requirement applies to employees, individuals with permanent physical access authorization credentials, and visitors. Authorized individuals have credentials that include badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed consistent with applicable laws, directives, policies, regulations, standards, procedures, and guidelines. This requirement applies only to areas within facilities that have not been designated as publicly accessible.

3.10.2: Protect and monitor the physical facility and support infrastructure for organizational systems.

Monitoring of physical access includes publicly accessible areas within organizational facilities. This can be accomplished, for example, by the employment of guards; the use of sensor devices; or the use of video surveillance equipment such as cameras…

3.10.3: Escort visitors and monitor visitor activity.

Individuals with permanent physical access authorization credentials are not considered visitors. Audit logs can be used to monitor visitor activity.

3.10.4: Maintain audit logs of physical access

Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural (e.g., a written log of individuals accessing the facility), automated (e.g., capturing ID provided by a PIV card), or some combination thereof…

3.10.5: Control and manage physical access devices.

Physical access devices include keys, locks, combinations, and card readers.

3.10.6: Enforce safeguarding measures for CUI at alternate work sites.

Alternate work sites may include government facilities or the private residences of employees. Organizations may define different security requirements for specific alternate work sites or types of sites depending on the work-related activities conducted at those sites…