New federal guidance released this month significantly expands minimum physical security requirements for commercial facilities operating in regulated sectors — with compliance deadlines beginning Q3 2026. Security consultants and facility managers should begin gap assessments immediately.

Overview

The Department of Homeland Security, in coordination with the Cybersecurity and Infrastructure Security Agency (CISA), has released an updated physical security framework that broadens its scope beyond critical infrastructure to include commercial facilities operating within regulated industries. The framework — formally titled the Commercial Facility Physical Security Standards Update (CFPSSU) 2026 — represents the most significant expansion of federal physical security requirements in nearly a decade.

The updated guidance addresses three primary domains: access control standards, CCTV retention and coverage requirements, and mandatory incident reporting protocols. Facilities that fail to demonstrate compliance by the established deadlines face potential civil penalties, loss of federal contracting eligibility, and in some cases, forced operational suspension pending remediation.

■ Official Statement — CISA Director

"Physical security can no longer be treated as a secondary concern for regulated commercial operators. This framework establishes a baseline that reflects the threat environment of 2026, not 2016."

What Has Changed

The 2026 update introduces substantive changes across all three compliance domains. Unlike previous iterations — which applied primarily to facilities with federal contracts exceeding $10 million — the new framework captures a substantially broader pool of organizations, including those with federal grant funding, public utility contracts, and facilities classified under updated NAICS codes for critical manufacturing and chemical sectors.

Access Control

The updated framework mandates multi-factor authentication at all primary entry points for facilities above a defined square footage threshold. Single-factor credential systems — including traditional RFID proximity cards without secondary verification — are no longer considered compliant for primary access points in affected facilities. The guidance explicitly permits mobile credentials and biometric solutions as acceptable secondary factors, provided they meet FIPS 201-3 standards.

  • All primary entry points require multi-factor credential verification
  • Legacy single-factor RFID systems must be upgraded or supplemented
  • Visitor management systems must integrate with access control platforms
  • Access logs must be retained for a minimum of 12 months
  • Emergency egress must not be compromised by access control measures

CCTV & Video Surveillance

Coverage requirements have been substantially expanded. The 2026 framework requires continuous video coverage of all primary and secondary entry and egress points, loading docks, server rooms, and utility access areas. Resolution standards have been updated to mandate a minimum of 1080p at primary entry points, with facial recognition-capable resolution required at specific high-security zones for qualifying facilities.

  • Minimum 30-day video retention for all covered camera locations
  • 90-day retention required at primary entry/exit points
  • Off-site or cloud backup of footage mandated for disaster resilience
  • Annual camera coverage audit required with documented findings
  • NVR/DVR systems must support encrypted storage and transmission

Incident Reporting

One of the most operationally significant changes involves mandatory incident reporting timelines. Security incidents meeting defined threshold criteria — including unauthorized access attempts, system failures exceeding four hours, and any physical intrusion — must now be reported to the designated federal portal within 72 hours of discovery. This represents a significant tightening from the previous 30-day reporting window.

■ Key Compliance Deadline

Initial compliance certification is required by September 30, 2026 for Tier 1 facilities. Tier 2 facilities have until December 31, 2026. Self-certification is not accepted — third-party assessment is required.

Compliance Timeline

The framework establishes a phased compliance schedule based on facility tier classification. Tier classification is determined by a combination of facility square footage, annual revenue, federal funding exposure, and sector designation.

Milestones by date (with the facilities each applies to):

  • Jun 1, 2026 (All affected facilities): Self-assessment completion deadline — facilities must complete internal gap analysis and submit preliminary compliance roadmap
  • Jul 15, 2026 (Tier 1 & Tier 2): Third-party assessment engagement required — facilities must have a qualified assessor under contract
  • Sep 30, 2026 (Tier 1 facilities): Full compliance certification deadline — third-party assessment complete, remediation implemented
  • Dec 31, 2026 (Tier 2 facilities): Full compliance certification deadline for Tier 2; Tier 1 penalty enforcement begins for non-compliant facilities
  • Mar 31, 2027 (All tiers): Annual re-assessment cycle begins; incident reporting portal becomes mandatory for all covered facilities

What Facilities Are Affected

The expanded scope is one of the most consequential aspects of the 2026 update. Facilities should carefully review the following sector classifications to determine whether they fall within the framework's coverage:

  • Healthcare facilities receiving Medicare or Medicaid reimbursement above defined thresholds
  • Financial services institutions with federal deposit insurance
  • Defense contractors at all tier levels, including sub-contractors
  • Utilities operating under federal regulatory oversight (FERC, NRC)
  • Commercial real estate properties with federal agency tenants
  • Logistics and warehousing facilities in designated critical supply chains
  • Technology companies with federal cloud service contracts (FedRAMP authorized)

Recommendations for Facility Managers

Given the compressed timeline between publication and the initial compliance deadline, facilities should treat this as an immediate priority. The following steps represent a practical starting point for organizations that have not yet begun their compliance planning:

  • Determine your tier classification — review the CISA guidance document and use the online classification tool to establish your compliance tier and associated deadlines
  • Conduct a physical security gap assessment — compare your current access control, CCTV, and incident reporting posture against the new minimum standards
  • Engage a qualified third-party assessor early — qualified assessors are already reporting capacity constraints; delaying engagement risks missing the July 15 engagement deadline
  • Budget for remediation — facilities with legacy access control systems and analog CCTV infrastructure should anticipate significant capital expenditure
  • Review vendor contracts — ensure your current security systems vendors can support FIPS 201-3 compliant upgrades within the required timeline

The Consultant's Perspective

From a consulting standpoint, the 2026 framework update is a long-overdue reckoning with the reality that physical and electronic security have converged. The previous framework was designed in an era when access control and CCTV were largely standalone systems. The new requirements implicitly acknowledge that modern facilities require integrated platforms — and that the patchwork of legacy systems many organizations are running is no longer acceptable.

The 72-hour incident reporting window is particularly significant. Organizations that lack real-time monitoring capability — whether through an internal SOC or a contracted monitoring provider — will struggle to meet this requirement. We anticipate this provision alone will drive substantial investment in monitoring infrastructure over the next 18 months.

Independent security consultants play a critical role in this environment. Unlike security integrators who have a financial stake in specific product recommendations, independent consultants can evaluate your actual risk posture, identify the most cost-effective path to compliance, and serve as your advocate in the third-party assessment process. If your organization has not yet engaged independent counsel on this framework, the time to do so is now.