GRCWatch
Sign inStart free trial

PE.L2-3.10.2: Monitor Facility — CMMC Level 2 Control

Protecting your organization's physical facility and support infrastructure is a critical requirement under CMMC Level 2. PE.L2-3.10.2 demands that you establish monitoring systems to detect and respond to unauthorized physical access and environmental threats. This control bridges the gap between cybersecurity and physical security, ensuring your information systems remain protected at every layer.

What this means

This control requires you to implement comprehensive monitoring of your physical facility where information systems are located. This includes surveillance systems, access logs, environmental monitoring (temperature, humidity, power), and regular facility inspections. The goal is to detect, document, and respond to any unauthorized access attempts, environmental anomalies, or infrastructure failures that could compromise your information systems or stored data.

How to comply

  1. 1.Deploy video surveillance covering all areas where information systems and sensitive data are stored, including server rooms, network closets, and storage areas
  2. 2.Implement electronic access control systems that log all entry and exit attempts with timestamps and user identification
  3. 3.Monitor environmental conditions including temperature, humidity, power supply, and cooling systems in critical infrastructure areas
  4. 4.Conduct regular physical facility inspections and document findings, including checks for physical damage or signs of tampering
  5. 5.Establish and enforce a visitor management process that tracks all non-employees entering sensitive areas
  6. 6.Maintain audit logs of facility monitoring systems and review them regularly for anomalies or security incidents
  7. 7.Define clear procedures for responding to detected unauthorized access or environmental threats
  8. 8.Ensure facility monitoring systems are themselves protected and secured against tampering or unauthorized access

Evidence auditors look for

  • Video surveillance system logs showing continuous coverage and retention for 30+ days
  • Access control system reports documenting all badge swipes, failed access attempts, and after-hours entries
  • Environmental monitoring dashboards and alerts for temperature, humidity, and power anomalies
  • Facility inspection checklists completed monthly or quarterly with documented findings and corrective actions
  • Visitor sign-in logs with escort records and facility access badges issued
  • Incident response records showing actions taken when unauthorized access or environmental issues were detected
  • Physical security policy documentation defining monitoring requirements and response procedures
  • Network diagrams showing camera placement and coverage areas in sensitive facilities

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates facility monitoring documentation and evidence collection, reducing the manual work of maintaining surveillance logs, access reports, and compliance records while ensuring continuous auditable proof of your PE.L2-3.10.2 compliance.

See how GRCWatch handles this control automatically

Start free trial

Related controls

PE.L2-3.10.1 — Facility AccessPE.L2-3.10.3 — Facility ExteriorPE.L2-3.10.4 — Physical Entry PointsPE.L2-3.10.5 — Facility Support InfrastructurePE.L2-3.10.6 — Cabling