How auditors actually evaluate physical security

Most regimes don't tell you what hardware to buy. They tell you what evidence the system has to produce: who entered which area, when, with what credential, with retention scoped to the rule. Auditors care whether the records match: the badge log, the visitor log, and the camera clip have to tell the same story. The cases that fail are the ones where they don't.

So hardware brand matters less than the documentation and the integration. A modern system that ties every door event to a person and a timestamp, with camera coverage on the same timeline, passes audits across multiple regimes at once. A patchwork of three vendors with no unified record fails the same audit even when the cameras are fine.
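The reconciliation an auditor performs on that unified record can be scripted. The following is an added example, not code from the original article or from any vendor's product: it takes a door-controller badge export and a VMS clip index (both constructed sample data with hypothetical door and camera names) and reports every badge event that no clip from the assigned camera covers. The `skew_seconds` tolerance absorbs the clock drift between controller and recorder that otherwise produces false "uncovered" findings at clip boundaries.

```python
"""Reconcile a badge log against camera clip metadata on one timeline.

Added example with constructed sample data; field layouts, door names and
camera names are hypothetical, not any particular vendor's export format.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class BadgeEvent:
    ts: datetime
    door: str
    badge_id: str
    holder: str


@dataclass(frozen=True)
class CameraClip:
    camera: str
    start: datetime
    end: datetime


# Constructed door-to-camera assignment (hypothetical names).
DOOR_CAMERA = {"server-room-A": "cam-07", "loading-dock": "cam-02"}

# Constructed CSV-style exports standing in for what an auditor is handed.
BADGE_LOG = [
    "2024-03-04T08:15:02,server-room-A,B1001,A. Chen",
    "2024-03-04T08:16:40,loading-dock,B2002,R. Patel",
    "2024-03-04T09:00:00,side-entrance,B3003,M. Ruiz",   # door has no camera assigned
    "2024-03-04T12:00:00,server-room-A,B1001,A. Chen",   # no clip exists for this time
    "2024-03-04T23:41:10,server-room-A,B1001,A. Chen",   # clip ends 25 s earlier (clock skew)
]
CLIP_INDEX = [
    "cam-07,2024-03-04T08:14:50,2024-03-04T08:15:40",
    "cam-02,2024-03-04T08:10:00,2024-03-04T08:20:00",
    "cam-07,2024-03-04T23:30:00,2024-03-04T23:40:45",
]


def parse_badge_log(lines):
    events = []
    for line in lines:
        ts, door, badge_id, holder = (f.strip() for f in line.split(","))
        events.append(BadgeEvent(datetime.fromisoformat(ts), door, badge_id, holder))
    return events


def parse_clip_index(lines):
    clips = []
    for line in lines:
        camera, start, end = (f.strip() for f in line.split(","))
        clips.append(CameraClip(camera, datetime.fromisoformat(start),
                                datetime.fromisoformat(end)))
    return clips


def reconcile(events, clips, door_camera=DOOR_CAMERA, skew_seconds=30):
    """Return (event, reason) findings for every badge event no clip covers."""
    skew = timedelta(seconds=skew_seconds)
    by_camera = {}
    for clip in clips:
        by_camera.setdefault(clip.camera, []).append(clip)
    findings = []
    for ev in events:
        camera = door_camera.get(ev.door)
        if camera is None:
            findings.append((ev, "no camera assigned to door"))
            continue
        covered = any(clip.start - skew <= ev.ts <= clip.end + skew
                      for clip in by_camera.get(camera, []))
        if not covered:
            findings.append((ev, f"no clip from {camera} covers {ev.ts.isoformat()}"))
    return findings


def run_check():
    """Run the reconciliation over the constructed sample exports."""
    return reconcile(parse_badge_log(BADGE_LOG), parse_clip_index(CLIP_INDEX))


if __name__ == "__main__":
    for ev, reason in run_check():
        print(f"{ev.ts.isoformat()} {ev.door:14} {ev.badge_id} {ev.holder}: {reason}")
```

With the 30-second tolerance the sample yields two findings (the door with no assigned camera and the midday event with no clip); with `skew_seconds=0` the late-evening event also fails, which is the kind of false positive a reviewer should recognise as clock drift rather than a coverage gap.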

HIPAA: physical safeguards for protected health information

The HIPAA Security Rule (45 CFR 164 Subpart C) requires administrative, physical, and technical safeguards for electronic PHI. Physical safeguards under 164.310 call out facility access controls, workstation use, and device/media controls. Camera footage that captures identifiable patients can itself be PHI in some contexts.

In practice: access control with audit trails for door-by-door entry and exit logging, camera storage segmented from clinical networks, retention configured to facility policy (typically 30 to 90 days), and cloud video providers that sign Business Associate Agreements. Healthcare buyers should default to vendors with documented BAAs; the audit catches the gap before OCR does.

PCI-DSS Requirement 9: cameras at the cardholder environment

PCI-DSS v4.0 Requirement 9 governs physical access to cardholder data. Camera coverage is required at every CDE ingress and egress, footage retention is set at 90 days minimum at the recorder and on cloud archive, and access logs map badge holders to areas with anomaly review. Non-compliance fines run $5K to $100K per month from card brands, with merchant-bank surcharges on top.

Retail and hospitality installs are designed around this rule from day one. Tec-Tel monitoring agents provide retrieval support inside one business day for incident queries; the audit checks that the retrieval workflow actually works, not just that the system records.

CMMC 2.0: physical access for the defense industrial base

CMMC 2.0 Level 2 maps to the 110 controls in NIST SP 800-171. The physical controls (PE-1 through PE-6) require physical access authorization records, monitoring including ingress and egress logs, visitor records for the duration of the facility security plan, and protection of media storing CUI. Level 2 requires third-party C3PAO assessment for prime contractors.

The pattern in defense subcontractor audits: hardware is fine, documentation isn't. Badge logs exist but visitor records don't tie to escort identity. Camera coverage exists but the rooms where CUI lives aren't all covered. The audit catches the gap and writes the SSP language that makes the assessment work. Vendor selection is constrained to NDAA 889-compliant manufacturers; that's a hard floor.
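The three documentation gaps just described, plus the PCI Requirement 9 expectation that access logs map badge holders to authorized areas with anomaly review, are all set-membership and time-window checks over the same records. The following is an added example, not from the article or from any assessor's or vendor's tooling; the authorization list, badge events, visitor log, CUI room list and coverage map are constructed sample data with hypothetical identifiers.

```python
"""Documentation-integrity checks over physical-access records.

Added example with constructed sample data and hypothetical identifiers.
Checks: (1) badge holders entering areas they are not authorized for,
(2) visitor entries that do not tie to an escort's own badge event, and
(3) rooms listed as holding CUI that appear in no camera coverage map.
"""
from collections import namedtuple
from datetime import datetime, timedelta

BadgeEvent = namedtuple("BadgeEvent", "ts area badge_id")
VisitorEntry = namedtuple("VisitorEntry", "ts area visitor escort_badge")

# Constructed authorization records: badge id -> areas the holder may enter.
AUTHORIZED_AREAS = {
    "B1001": {"server-room-A", "lab-2"},
    "B2002": {"loading-dock"},
}

# Constructed badge log.
BADGE_EVENTS = [
    BadgeEvent(datetime(2024, 3, 4, 8, 15), "server-room-A", "B1001"),
    BadgeEvent(datetime(2024, 3, 4, 8, 20), "server-room-A", "B2002"),  # not authorized here
    BadgeEvent(datetime(2024, 3, 4, 10, 3), "lab-2", "B1001"),
]

# Constructed visitor log; a compliant entry names the escort's badge id.
VISITOR_LOG = [
    VisitorEntry(datetime(2024, 3, 4, 10, 5), "lab-2", "J. Okafor", "B1001"),         # escort badged in 2 min earlier
    VisitorEntry(datetime(2024, 3, 4, 11, 0), "server-room-A", "S. Lindqvist", ""),   # no escort recorded
    VisitorEntry(datetime(2024, 3, 4, 14, 0), "server-room-A", "K. Brandt", "B1001"), # escort has no nearby badge event
]

# Constructed SSP room list and camera coverage map.
CUI_ROOMS = {"server-room-A", "lab-2", "records-vault"}
CAMERA_COVERAGE = {"cam-07": "server-room-A", "cam-09": "lab-2"}


def unauthorized_entries(events, authorized=AUTHORIZED_AREAS):
    """Badge events whose holder is not on the authorization record for that area."""
    return [ev for ev in events if ev.area not in authorized.get(ev.badge_id, set())]


def unlinked_visitors(visitors, events, window_minutes=15):
    """Visitor entries that cannot be tied to an escort's own badge event.

    An entry passes only if it names an escort badge and that badge entered
    the same area within `window_minutes` before or after the sign-in.
    """
    window = timedelta(minutes=window_minutes)
    findings = []
    for v in visitors:
        if not v.escort_badge:
            findings.append((v, "no escort recorded"))
            continue
        tied = any(ev.badge_id == v.escort_badge and ev.area == v.area
                   and abs(ev.ts - v.ts) <= window
                   for ev in events)
        if not tied:
            findings.append((v, f"escort {v.escort_badge} has no badge event at "
                                f"{v.area} within {window_minutes} min"))
    return findings


def uncovered_cui_rooms(cui_rooms=CUI_ROOMS, coverage=CAMERA_COVERAGE):
    """CUI rooms that no camera in the coverage map points at."""
    return sorted(cui_rooms - set(coverage.values()))


def run_review():
    """Run all three checks over the constructed records."""
    return {
        "unauthorized": unauthorized_entries(BADGE_EVENTS),
        "unlinked_visitors": unlinked_visitors(VISITOR_LOG, BADGE_EVENTS),
        "uncovered_cui_rooms": uncovered_cui_rooms(),
    }


if __name__ == "__main__":
    for section, items in run_review().items():
        print(section)
        for item in items:
            print("  ", item)
```

Each finding is a line an assessor would otherwise write by hand; running the checks before the assessment is what turns "badge logs exist but visitor records don't tie to escort identity" into a fixable list rather than an SSP deficiency.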

FTC Safeguards: the rule auto dealers and finance keep missing

The 2023 update to 16 CFR Part 314 requires a written information security program with administrative, technical, and physical safeguards. Physical safeguards under 314.4(c) expressly include facility access controls and surveillance. The FTC has enforced with multi-million-dollar settlements when control documentation can't pass review, even without a breach.

Auto dealer and finance installs are designed to satisfy the rule: cameras cover finance offices and after-hours intrusion zones, access control logs are retained, and incident retrieval workflows are documented. The deliverable is a written control summary that drops into their WISP.

NDAA Section 889: the procurement gate that fails before the audit

Section 889 bars federal agencies, prime contractors, and grantees from procuring or using covered telecommunications and video surveillance equipment from Hikvision, Dahua, Hytera, Huawei, ZTE, and their subsidiaries (which includes Lorex). The rule looks back at the installed base. Federal-touching businesses that grew up on the cheaper Chinese OEM camera lines find this out during bid prep, when the bill of materials gets reviewed.

The cleaner path is to default to NDAA-compliant manufacturers from the start; the major Western camera, VMS, and access-control lines all qualify. The camera-level cost difference is small; the cost of rip-and-replace when the contract opportunity arrives is large. The free consultation produces an explicit 889-clean BOM for any federal-touching procurement.