This post provides concrete, prioritized actions, technical settings, and ready-to-use log templates to help small businesses harden physical access logging and meet NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 control PE.L2-3.10.4, covering what to log, how to collect and secure logs, alert rules to implement, and low-cost implementation paths.
Why physical access logging matters (and the compliance connection)
PE.L2-3.10.4 requires organizations to maintain and protect audit/log records for physical access events to support investigations and hold individuals accountable; without reliable logs you lose the ability to prove who entered spaces, correlate security incidents, and demonstrate compliance to assessors. For small businesses processing Controlled Unclassified Information (CUI), failing to implement durable, tamper-resistant physical access logs increases the risk of data exfiltration via in-person attacks, social engineering, or insider threats and can lead to contract penalties or loss of DFARS/CUI privileges.
Core implementation steps — inventory, standardize, and centralize
Step 1: Inventory every physical access source and define responsibilities. Include badge readers, door controllers, turnstiles, vault sensors, glass-break sensors, mantraps, visitor kiosks, elevator controls, and CCTV system event logs (not just video). For each device record vendor/model, firmware, logging capability (syslog/SFTP/API), local time source, and who owns it (facilities, IT, security). This inventory becomes your compliance artifact and drives collection architecture.
Log schema & templates (use these exactly to ensure consistent records)
Step 2: Standardize a schema so disparate devices can be normalized for storage and search. At minimum, require fields: timestamp (UTC, ISO8601), device_id, device_type, event_type, user_id/badge_id, user_display_name (if available), location_id, door_name, event_result (granted/denied/forced_open), reader_ip, firmware_version, and event_hash. Below are sample templates and entries you can drop into a collector or SIEM ingestion pipeline.
CSV header template with one sample row:
timestamp_utc_iso,event_id,device_id,device_type,location_id,door_name,badge_id,user_name,event_type,event_result,reader_ip,firmware_version,event_hash,notes
2026-04-12T14:22:03Z,evt-000001,doorctrl-01,door_controller,site-nyc,floor1-main,BDG-1024,SmithJ,card_present,granted,10.1.1.22,fw-3.2.1,sha256:ab12...,normal access
JSON record example (the same event in the nested form a collector would store):
{
"timestamp": "2026-04-12T14:22:03Z",
"event_id": "evt-000001",
"device": { "id": "doorctrl-01", "type": "door_controller", "firmware": "fw-3.2.1", "ip": "10.1.1.22" },
"location": { "site": "site-nyc", "door": "floor1-main" },
"subject": { "badge_id": "BDG-1024", "name": "SmithJ" },
"event": { "type": "card_present", "result": "granted" },
"event_hash": "sha256:ab12...",
"notes": "normal access"
}
Secure collection, timestamping, and integrity
Step 3: Centralize logs as close to source as possible and secure the transport. Configure devices to push logs to a dedicated collector (syslog-ng, fluentd, WEC/Winlogbeat for Windows-based controllers) over TLS or use the vendor API over HTTPS. Enforce UTC timestamps and NTP (or PTP) sync for all devices; log time drift is a common cause of failed investigations. For integrity, compute and store an event hash (e.g., SHA-256 of the canonical JSON) and archive raw logs into write-once stores (object lock in S3 or WORM on on-prem appliances) so entries cannot be altered without detection.
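The following is an added example (not code from the original post) that ties Step 2 and Step 3 together: it parses rows in the post's CSV layout, maps them onto the nested JSON record shown above, computes event_hash as SHA-256 over the canonical JSON (sorted keys, no whitespace, hash field excluded), and re-checks a stored record so an altered entry is detected. The sample rows, the verify helper and the choice of canonicalization rules are assumptions made for illustration.

```python
"""Normalize badge-reader CSV rows into the canonical JSON record and seal each
one with an event_hash (SHA-256 over canonical JSON); verify() detects edits.

Added example, not from the original post. Field names follow the post's CSV
header and JSON template; the sample rows and the canonicalization rules
(sorted keys, compact separators, hash field excluded) are assumptions.
"""
import csv
import hashlib
import io
import json
from datetime import datetime

# Constructed sample export in the post's CSV layout. The event_hash column is
# left empty: the collector fills it in when it seals the record.
SAMPLE_CSV = """timestamp_utc_iso,event_id,device_id,device_type,location_id,door_name,badge_id,user_name,event_type,event_result,reader_ip,firmware_version,event_hash,notes
2026-04-12T14:22:03Z,evt-000001,doorctrl-01,door_controller,site-nyc,floor1-main,BDG-1024,SmithJ,card_present,granted,10.1.1.22,fw-3.2.1,,normal access
2026-04-12T14:23:40Z,evt-000002,doorctrl-01,door_controller,site-nyc,floor1-main,BDG-2048,DoeA,card_present,denied,10.1.1.22,fw-3.2.1,,badge expired
"""

HASH_FIELD = "event_hash"


def to_record(row: dict) -> dict:
    """Map one CSV row onto the nested JSON layout (without the hash)."""
    # Reject timestamps that are not UTC ISO8601: local zones and drift are
    # exactly what break correlation with CCTV and other sources later.
    ts = row["timestamp_utc_iso"]
    if not ts.endswith("Z"):
        raise ValueError(f"timestamp must be UTC with trailing Z: {ts!r}")
    datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")  # raises on malformed input
    return {
        "timestamp": ts,
        "event_id": row["event_id"],
        "device": {"id": row["device_id"], "type": row["device_type"],
                   "firmware": row["firmware_version"], "ip": row["reader_ip"]},
        "location": {"site": row["location_id"], "door": row["door_name"]},
        "subject": {"badge_id": row["badge_id"], "name": row["user_name"]},
        "event": {"type": row["event_type"], "result": row["event_result"]},
        "notes": row["notes"],
    }


def canonical_json(record: dict) -> bytes:
    """Deterministic serialization: sorted keys, no whitespace, hash field excluded."""
    body = {k: v for k, v in record.items() if k != HASH_FIELD}
    return json.dumps(body, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=True).encode()


def seal(record: dict) -> dict:
    """Return a copy of the record with event_hash computed over canonical JSON."""
    sealed = dict(record)
    sealed[HASH_FIELD] = "sha256:" + hashlib.sha256(canonical_json(record)).hexdigest()
    return sealed


def verify(record: dict) -> bool:
    """Recompute the hash of a stored record; False means a field was altered."""
    expected = record.get(HASH_FIELD, "")
    return expected == "sha256:" + hashlib.sha256(canonical_json(record)).hexdigest()


def normalize_csv(text: str) -> list[dict]:
    """Parse a CSV export and return sealed JSON records, one per row."""
    return [seal(to_record(row)) for row in csv.DictReader(io.StringIO(text))]


if __name__ == "__main__":
    records = normalize_csv(SAMPLE_CSV)
    print(json.dumps(records[0], indent=2))
    # Simulate someone flipping a denied event to granted in the archive.
    tampered = dict(records[1])
    tampered["event"] = {"type": "card_present", "result": "granted"}
    print("stored record intact:", verify(records[1]),
          "| tampered record intact:", verify(tampered))
```

The hash only proves an entry was not modified after sealing; pairing it with a write-once store (Object Lock or WORM), as Step 3 describes, is what stops the sealed copy itself from being replaced.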
Retention, access control, and separation of duties
Step 4: Define retention and access policies tuned to your risk and contract requirements. Practical baseline for small businesses: keep high-fidelity physical access logs (door events, forced-entry, denied access) for 1 year online and an additional 2 years archived offline (3 years total), with critical incident logs retained longer as needed. Implement RBAC so only designated security and compliance personnel can query or export logs; separate the facilities admin role (who manages devices) from the security analyst role (who reviews logs) to meet separation-of-duties expectations.
Monitoring, alerting, and incident linkage
Step 5: Implement a small set of actionable alerts and daily review tasks. Examples of immediate alerts: multiple denied badge swipes for the same badge within 5 minutes, door forced open, access outside of authorized schedule, badge used at two doors simultaneously (impossible travel), and disabled credential usage. Feed physical logs into a SIEM or lightweight alert engine (Wazuh, OSSIM, Splunk) and add correlation rules to match CCTV motion events and badge access. Example Splunk search (using Splunk's default date_hour and date_wday fields) to find after-hours badge usage:
index=physical_logs event_result=granted NOT (date_hour>=8 AND date_hour<18 AND date_wday IN ("monday","tuesday","wednesday","thursday","friday")) | stats count by badge_id, user_name, location_id, date_mday
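As an added example (not code from the original post), the five alert types listed in Step 5 implemented as a small rule engine over a batch of normalized events, for teams that run a lightweight collector rather than a full SIEM. The thresholds (3 denials within 5 minutes, grants at two different sites within 10 minutes, business hours 08:00 to 18:00 Monday to Friday evaluated in UTC), the DISABLED_BADGES list and the event lines are all constructed assumptions.

```python
"""Run the five Step 5 alert rules over a batch of normalized badge events.

Added example, not from the original post. Thresholds, DISABLED_BADGES and the
event batch are constructed assumptions; field names follow the post's schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FIELDS = ("timestamp_utc_iso", "badge_id", "user_name", "location_id",
          "door_name", "event_type", "event_result")

# Constructed batch (2026-04-13 is a Monday). Out of time order on purpose:
# collectors receive events late, so the engine sorts before evaluating.
EVENTS = [
    ("2026-04-13T13:05:00Z", "BDG-1024", "SmithJ", "site-nyc", "floor1-main", "card_present", "granted"),
    ("2026-04-13T13:06:10Z", "BDG-2048", "DoeA", "site-nyc", "server-room", "card_present", "denied"),
    ("2026-04-13T13:07:30Z", "BDG-2048", "DoeA", "site-nyc", "server-room", "card_present", "denied"),
    ("2026-04-13T13:09:45Z", "BDG-2048", "DoeA", "site-nyc", "server-room", "card_present", "denied"),
    ("2026-04-13T13:12:00Z", "", "", "site-nyc", "loading-dock", "door_sensor", "forced_open"),
    ("2026-04-13T13:15:00Z", "BDG-1024", "SmithJ", "site-bos", "floor2-lab", "card_present", "granted"),
    ("2026-04-13T23:40:00Z", "BDG-3072", "LeeK", "site-nyc", "floor1-main", "card_present", "granted"),
    ("2026-04-13T14:00:00Z", "BDG-0999", "FormerEmp", "site-nyc", "floor1-main", "card_present", "granted"),
]

DISABLED_BADGES = {"BDG-0999"}      # assumption: fed from the HR / identity deprovisioning list
DENY_THRESHOLD, DENY_WINDOW = 3, timedelta(minutes=5)
TRAVEL_WINDOW = timedelta(minutes=10)
BUSINESS_HOURS = range(8, 18)      # evaluated in UTC here; use site-local time in practice
BUSINESS_DAYS = range(0, 5)        # Monday=0 .. Friday=4


def parse(raw):
    """Turn tuples into dicts keyed by the schema field names, oldest first."""
    recs = [dict(zip(FIELDS, r)) for r in raw]
    for r in recs:
        r["ts"] = datetime.strptime(r["timestamp_utc_iso"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(recs, key=lambda r: r["ts"])


def run_rules(raw):
    """Return a list of (rule_name, subject, timestamp) alerts for the batch."""
    alerts = []
    denied = defaultdict(list)   # badge -> timestamps of denials inside the sliding window
    last_granted = {}            # badge -> (timestamp, site) of the most recent grant
    for e in parse(raw):
        ts, badge, site, result = e["ts"], e["badge_id"], e["location_id"], e["event_result"]

        # Rule: door forced open (sensor event, no badge involved).
        if result == "forced_open":
            alerts.append(("forced_open", e["door_name"], ts))

        # Rule: any use of a credential that should have been revoked.
        if badge and badge in DISABLED_BADGES:
            alerts.append(("disabled_credential", badge, ts))

        # Rule: repeated denials for one badge within DENY_WINDOW.
        if result == "denied":
            window = [t for t in denied[badge] if ts - t <= DENY_WINDOW] + [ts]
            denied[badge] = window
            if len(window) >= DENY_THRESHOLD:
                alerts.append(("repeated_denied", badge, ts))
                denied[badge] = []   # one burst raises one alert

        if result == "granted" and badge:
            # Rule: access outside the authorized schedule.
            if ts.weekday() not in BUSINESS_DAYS or ts.hour not in BUSINESS_HOURS:
                alerts.append(("after_hours_access", badge, ts))
            # Rule: impossible travel, same badge granted at two sites too close together.
            prev = last_granted.get(badge)
            if prev and prev[1] != site and ts - prev[0] <= TRAVEL_WINDOW:
                alerts.append(("impossible_travel", badge, ts))
            last_granted[badge] = (ts, site)
    return alerts


if __name__ == "__main__":
    for rule, subject, ts in run_rules(EVENTS):
        print(f"{ts:%Y-%m-%dT%H:%M:%SZ} {rule:<20} {subject}")
```

Each alert carries the badge or door and the event time so it can be joined back to the sealed raw record and to the CCTV clip for the same window during the daily review.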
Document an evidence-handling process for incidents: preserve raw logs, export a signed copy (include event_hash), capture related video, note who accessed evidence, and file incident reports. This chain of custody is key for audits and forensic credibility.
Small-business scenarios & practical low-cost options
Scenario: A 25-person engineering firm with badge readers and IP cameras. Quick wins: enable syslog/TLS on badge readers, forward logs to an inexpensive EC2/VM collector, enable NTP, configure daily exports to S3 with Object Lock enabled for immutability, and use an open-source SIEM (Wazuh/ELK) to implement the 5 alert types above. Example: if you use a cloud-managed access control provider, enable API exports and schedule automated pulls to your collector. For staffing constraints, set up automated email/SMS alerts for critical events and a weekly review checklist assigned to a named employee — these are tangible artifacts for your assessor and improve detection.
Summary
Meeting PE.L2-3.10.4 is about predictable, verifiable logging: inventory your sources, normalize logs using a consistent schema, secure transport and storage, enforce timestamps and integrity, implement retention and RBAC, and put a small set of high-value alerts and review processes in place. For small businesses this can be achieved incrementally — start by normalizing badge and door logs and forwarding them to a central, immutable store with basic correlation to CCTV; document everything and use the provided templates and queries to show assessors that you can detect, investigate, and retain physical access events effectively.