Why CMMC Compliance Is Forcing Managed IT Providers to Rethink Physical Security


November 2025 changed everything for managed IT providers working with defense contractors.

That’s when the Department of Defense officially began CMMC enforcement through defense contracts. After years of discussion, the Cybersecurity Maturity Model Certification transformed from a theoretical framework into a real condition of eligibility for defense work.

I started reading the requirements the government was now imposing. What I found surprised me.

The Physical Security Blindspot

Most managed IT providers built their practices around firewalls, encryption, and network security. That’s what we do. That’s what clients expect from us.

But CMMC Level 1 explicitly requires something different: limiting physical access to equipment by placing it in locked rooms or secured areas. This includes computing devices, external disk drives, networking devices, monitors, printers, copiers, scanners, and facsimile machines.

Physical access control isn’t a nice-to-have anymore. It’s a compliance requirement.

The requirement gets more specific at Level 2. Organizations need monitoring through video surveillance, sensors, alarms, or human guards. They need to protect support infrastructure like data transmission wires and power lines inside facilities. This means locked wiring cabinets, physical protection around cables or conduits, even wiretapping sensors in some cases.

I realized we had a problem. Traditional IT security measures alone don’t satisfy federal standards anymore.


Network Rooms Are the Weakest Link

Think about your typical defense contractor’s office.

They’ve invested in endpoint protection, multifactor authentication, encrypted communications, and regular security audits. Their digital security looks solid on paper.

Then you walk to the network closet. It’s unlocked. Anyone with access to the building can walk in. The server room has a standard office door with a basic lock. Visitor badges exist, but nobody really monitors who goes where.

Physical security is just as important as cybersecurity when protecting sensitive data. A breach in physical security can lead to unauthorized data exposure, theft, or sabotage.

CMMC Control 3.10.2 requires organizations to monitor who enters and exits facilities, especially areas with systems containing Controlled Unclassified Information. It also requires physically protecting support infrastructure from tampering. Companies need to lock their wiring closets to protect network cables.

This is where the convergence between digital and physical security becomes unavoidable. You can have the best firewall in the world, but if someone can physically access your network equipment, your digital protections mean nothing.

The Service Expansion Nobody Saw Coming

Here’s what’s happening in the market right now.

Nearly 340,000 entities will be impacted by CMMC by 2028, and 68% of those will be small entities. That’s a massive market.

Defense contractors are asking their managed IT providers: “Can you help us with physical access control for our server rooms?”

Most providers say no. Physical security isn’t their expertise. They refer clients to security system installers.

But those installers don’t understand IT infrastructure. They don’t know which rooms need monitoring, what level of access control makes sense, or how to integrate physical security logs with digital security monitoring.

The gap between physical and digital security creates compliance vulnerabilities.

Managed IT providers who integrate physical access control into their portfolios will win defense contractor clients. Those who don’t will lose them to competitors who offer comprehensive solutions.

The service expansion imperative is real. Physical Protection controls are now a mandatory competency for providers serving defense contractors.


What Compliance Failures Actually Look Like

I’ve seen what happens when organizations treat physical and digital security as separate domains.

One defense contractor hired an RPO integrator and paid upwards of $80,000 for CMMC Level 2 compliance migration. When auditors showed up, they found zero security policies applied to laptops, event logging wasn’t turned on, and accounts and users still had out-of-control permissions.

The contractor failed the assessment. They lost contract eligibility.

Another example: A company had excellent digital security but allowed visitors to walk around the facility freely. CMMC Control 3.10.3 requires visitors to be guided by an employee at all times or wear a visitor’s badge. Visitor activity must be monitored through cameras, guards, or audit logs.

They didn’t have any of that in place. Assessment failure.

The Department of Justice’s Civil Cyber-Fraud Initiative established that cybersecurity claims are actionable under the False Claims Act. Contractors must act cautiously when completing self-assessments under Level 1 and 2 of CMMC. Any knowing misrepresentations may result in FCA liability.

This isn’t about checking boxes. This is about real legal and financial exposure.


The Technology Integration Challenge

Integrating physical access control with IT infrastructure isn’t straightforward.

Legacy access control systems often run on separate networks. They use proprietary protocols. They don’t generate logs in formats compatible with security information and event management systems.

Some managed IT providers use remote monitoring and management tools that let them download files from customer computers. Those features need to be disabled under CMMC or they could bring the entire provider into the scope of CMMC regulations.

Bridging legacy systems with modern IT infrastructure creates new security vulnerabilities if done wrong.

You need to think through network segmentation, access control integration, log aggregation, and incident response procedures. Physical security events need to trigger the same response protocols as digital security events.
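One way to bridge that gap, as an added example that is not from the original post or from any vendor: a small Python normalizer that takes constructed badge-reader lines in a hypothetical vendor format, turns them into SIEM-ready records, and raises the kinds of alerts Controls 3.10.2 and 3.10.3 expect (after-hours entry to a CUI area, a door held open, a visitor badge not preceded by an employee badge). The door names, business hours, and 60-second escort window are assumptions.

```python
from collections import namedtuple
from datetime import datetime, time
# Constructed sample lines in a hypothetical vendor format (not a real product):
# <timestamp>|<door id>|<badge id>|<holder type>|<result>
SAMPLE_LOG = """\
2025-11-12 09:02:11|NETCLOSET-1|B1001|employee|GRANTED
2025-11-12 09:02:40|NETCLOSET-1|V2007|visitor|GRANTED
2025-11-12 10:15:00|LOBBY|V2007|visitor|GRANTED
2025-11-12 14:30:12|SERVER-ROOM|V2011|visitor|GRANTED
2025-11-12 22:47:05|SERVER-ROOM|B1042|employee|GRANTED
2025-11-12 22:49:30|SERVER-ROOM|-|-|DOOR_HELD_OPEN
"""
CUI_AREAS = {"SERVER-ROOM", "NETCLOSET-1"}  # assumed: rooms housing CUI systems
BUSINESS_HOURS = (time(7, 0), time(19, 0))  # assumed policy window
ESCORT_WINDOW_S = 60  # assumed: a visitor badge must follow an employee badge within 60 s

AccessEvent = namedtuple("AccessEvent", "ts door badge holder result")

def parse_log(text):
    """Normalize vendor lines into AccessEvents; skip malformed lines instead of crashing."""
    events = []
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) == 5:
            events.append(AccessEvent(datetime.fromisoformat(parts[0]), *parts[1:]))
    return sorted(events, key=lambda e: e.ts)

def detect(events):
    """Return (rule, event) alerts the SOC should handle like any digital incident."""
    alerts, last_employee = [], {}  # last_employee: door -> time of last employee entry
    for e in events:
        if e.result == "GRANTED" and e.holder == "employee":
            last_employee[e.door] = e.ts
        if e.door not in CUI_AREAS:
            continue  # lobby traffic is not a CUI-area concern
        if e.result == "DOOR_HELD_OPEN":
            alerts.append(("door_held_open", e))
        elif e.result == "GRANTED":
            if not BUSINESS_HOURS[0] <= e.ts.time() <= BUSINESS_HOURS[1]:
                alerts.append(("after_hours_entry", e))
            if e.holder == "visitor":  # 3.10.3: visitors are escorted or badged and monitored
                prev = last_employee.get(e.door)
                if prev is None or (e.ts - prev).total_seconds() > ESCORT_WINDOW_S:
                    alerts.append(("unescorted_visitor", e))
    return alerts

def to_siem_json(alerts):
    """Flatten alerts into plain dicts a SIEM ingest pipeline can take as JSON."""
    return [{"rule": r, **e._asdict(), "ts": e.ts.isoformat()} for r, e in alerts]
```

Feeding the output of `to_siem_json` into the same pipeline as endpoint and network alerts is what lets a physical event trigger the same response procedure as a digital one.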

This requires expertise in both domains. Most providers have one or the other, not both.

The Market Opportunity for Early Adopters

CMMC enforcement is ramping up. There’s a limited number of certified assessors. A backlog is inevitable.

Companies that achieve compliance early will have a massive competitive advantage. They’ll be able to bid on contracts while their competitors are still working through assessments.

For managed IT providers, this represents a significant opportunity. Defense contractors need comprehensive security solutions that encompass both digital and physical safeguards. Providers who can deliver that become strategic partners, not just vendors.

The financial advantages are clear. Physical access control installations generate project revenue. Ongoing monitoring and management create recurring revenue streams. Integration with existing IT security services increases client retention.

Early adopters who position themselves as full-spectrum security providers will capture market share before competitors realize what’s happening.

The strategic advantages extend beyond revenue. Providers who develop this expertise can command premium pricing. They differentiate themselves in a crowded market. They become harder to replace.

Building Physical Security Capabilities

Managed IT providers need to take practical steps to build physical security capabilities while maintaining their core competencies.

Start by understanding CMMC physical security requirements in detail. Read the official documentation. Talk to certified assessors. Identify exactly what your defense contractor clients need to implement.

Partner with physical security providers who understand IT infrastructure. Look for companies that use IP-based access control systems, generate compatible log formats, and understand network security principles.

Develop standard operating procedures for physical security assessments. Create checklists for server rooms, network closets, and visitor management. Train your team to identify physical security gaps during regular IT assessments.

Invest in tools that integrate physical and digital security monitoring. Your security operations center should see alerts from both domains. Incident response procedures should cover both types of events.

Build the capability incrementally. Start with assessment services, then add implementation support, then ongoing monitoring.

Don’t try to become a full physical security contractor overnight. Focus on the specific physical security requirements that impact IT infrastructure and CMMC compliance.

What This Means for Your Practice

The convergence of physical and digital security under CMMC isn’t optional. It’s not a future trend. It’s happening right now.

Defense contractors need managed IT providers who understand both domains. They need providers who can assess physical security gaps, recommend appropriate solutions, and integrate physical security monitoring with digital security operations.

If you serve defense contractors, you need to develop this capability. If you don’t, your clients will find providers who can.

The November 2025 enforcement announcement made this clear. CMMC compliance requires comprehensive security solutions. Managed IT providers who adapt to this reality will thrive. Those who don’t will lose market share.

Start building your physical security capabilities now. Your clients need it. Your competitors are already moving. The market opportunity won’t wait.

Trave Harmon
Trave Harmon, CEO and Founder of Triton Technologies. Humble beginnings in Vernon, Connecticut, migrating to Worcester, Massachusetts, and eventually going international to help clients with their compliance and international legal requirements.
