Physical access audit logging is a foundational control for organizations that handle controlled unclassified information (CUI): it makes physical entry and exit events discoverable, verifiable, and actionable, which CMMC 2.0 Level 2 / NIST SP 800-171 Rev.2 require for an auditable security posture (PE.L2-3.10.4). This post provides a practical policy blueprint, an implementation checklist, and small-business templates you can adapt immediately.
Understanding the Requirement (PE.L2-3.10.4)
The core objective of PE.L2-3.10.4 is to ensure that physical access is logged in a way that supports detection, investigation, and post-event analysis. In practice this means capturing a reliable record of who attempted or gained access to protected spaces (server rooms, CUI storage, production bays), when it happened, the outcome (success/failure), and contextual metadata (device ID, location, associated CCTV or badge images). The policy you write should define scope, required events, minimum log fields, retention, protection, and review cadence.
Practical Implementation Steps
Policy Elements to Include
Your written policy should be short, prescriptive, and auditable. Required sections: Purpose & scope, Roles & responsibilities (Physical Security Manager, System/Facility Owner, IT Log Admin), Events to log, Minimum data fields, Time synchronization requirements, Retention & archival, Access controls for logs, Integrity controls, Alerting & review frequency, Incident escalation, and Record destruction rules. Example: "All badge/reader events, door forced-open alarms, and tamper events for rooms storing CUI must be logged and retained per this policy."
Technical Implementation (what to capture and how)
Capture events from access control panels, door readers, turnstiles, motion sensors, and CCTV systems. Minimum technical fields:
- ISO8601 UTC timestamp
- event_type (badge_read, door_open, forced_entry, alarm)
- device_id (controller serial)
- reader_id
- user_id / badge_id (hashed when needed)
- access_result (granted/denied)
- method (prox, PIN, biometric)
- location_id
- event_sequence
- linked_media_id (optional CCTV clip identifier)
Use reliable transport (syslog over TLS, HTTPS API) to a centralized collector or SIEM. Enforce authenticated NTP time synchronization, store logs in append-only form (WORM, S3 Object Lock, or a write-once file system), and apply a per-file digital signature or HMAC so that tampering can be detected.
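As an added example (not code from the original post or any vendor), the following Python normalizes a constructed raw controller record into the minimum field set above, writes the daily JSON-lines bundle, and signs it with a per-file HMAC for the periodic integrity check; the raw record layout, the placeholder keys and the keyed badge pseudonymization are assumptions.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample: one raw record in a hypothetical controller export format (not a real vendor schema)
RAW_EVENT = {"ts": 1717243200, "ctrl": "ACP-00017", "rdr": 3, "badge": "0049213",
             "result": "DENY", "evt": "badge_read", "door": "SRV-ROOM-1", "seq": 88412}

# Placeholder keys (assumption): in production both come from a secrets store, never from source code.
# Badge numbers are short, so an unkeyed hash could be brute-forced; a keyed HMAC pseudonym avoids that.
PSEUDONYM_KEY = b"placeholder-badge-pseudonym-key"
FILE_HMAC_KEY = b"placeholder-file-integrity-key"


def normalize(raw: dict) -> dict:
    """Map a raw controller record onto the policy's minimum field set."""
    ts = datetime.fromtimestamp(raw["ts"], tz=timezone.utc)
    return {
        "timestamp": ts.strftime("%Y-%m-%dT%H:%M:%SZ"),       # ISO8601 UTC
        "event_type": raw["evt"],
        "device_id": raw["ctrl"],
        "reader_id": f'{raw["ctrl"]}-R{raw["rdr"]}',
        "badge_id": hmac.new(PSEUDONYM_KEY, raw["badge"].encode(), hashlib.sha256).hexdigest()[:16],
        "access_result": "granted" if raw["result"] == "GRANT" else "denied",
        "location_id": raw["door"],
        "event_sequence": raw["seq"],
        "linked_media_id": raw.get("clip"),                  # optional CCTV clip identifier
    }


def to_jsonl(events: list) -> bytes:
    """Serialize events as JSON lines, one record per line, for the daily bundle."""
    return "".join(json.dumps(e, sort_keys=True) + "\n" for e in events).encode()


def sign_bundle(content: bytes) -> str:
    """Per-file HMAC-SHA256, stored next to the bundle (for example as a .sig object under Object Lock)."""
    return hmac.new(FILE_HMAC_KEY, content, hashlib.sha256).hexdigest()


def verify_bundle(content: bytes, signature: str) -> bool:
    """Periodic integrity check: recompute the HMAC and compare in constant time."""
    return hmac.compare_digest(sign_bundle(content), signature)


if __name__ == "__main__":
    bundle = to_jsonl([normalize(RAW_EVENT)])
    sig = sign_bundle(bundle)
    print(bundle.decode(), sig, verify_bundle(bundle, sig))
```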
Small Business Scenarios and Examples
Scenario A — 25-employee defense consultant with cloud access control: Use the cloud vendor's event export to send badge events to an AWS account (CloudWatch or S3). Configure an AWS Lambda to normalize events into JSON lines and store daily compressed files with S3 Object Lock for a 1-year retention, and replicate monthly to a long-term cold archive (Glacier) for longer legal holds. Ensure logs are only accessible to a security role with MFA.
Scenario B — 10-employee lab with on-prem door controllers and DVR: Deploy a small Linux syslog server or Raspberry Pi as a collector. Configure door controllers and DVR to forward logs via TLS syslog, convert proprietary DVR metadata to JSON with a parser, and push daily bundles to an encrypted offsite backup (S3 or an MSP). Use an inexpensive SIEM (OpenSearch/Elastic) for automated alerts like multiple denied badges within 5 minutes or door forced-open events.
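As an added example tied to the Scenario B alert rules (not the post's own code or any SIEM's rule syntax), this Python runs two detections over constructed JSON-lines events: three or more denied reads for one badge at one location within 5 minutes, and every door forced-open event. The threshold, window, field names and sample lines are assumptions.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in a normalized JSON-lines form (not from any real system)
SAMPLE_LOG = """\
{"timestamp":"2024-06-01T08:00:10Z","event_type":"badge_read","badge_id":"b1","access_result":"denied","location_id":"SRV-ROOM-1","device_id":"ACP-00017"}
{"timestamp":"2024-06-01T08:01:30Z","event_type":"badge_read","badge_id":"b1","access_result":"denied","location_id":"SRV-ROOM-1","device_id":"ACP-00017"}
{"timestamp":"2024-06-01T08:03:05Z","event_type":"badge_read","badge_id":"b2","access_result":"granted","location_id":"SRV-ROOM-1","device_id":"ACP-00017"}
{"timestamp":"2024-06-01T08:04:50Z","event_type":"badge_read","badge_id":"b1","access_result":"denied","location_id":"SRV-ROOM-1","device_id":"ACP-00017"}
{"timestamp":"2024-06-01T08:20:00Z","event_type":"badge_read","badge_id":"b1","access_result":"denied","location_id":"SRV-ROOM-1","device_id":"ACP-00017"}
{"timestamp":"2024-06-01T09:15:00Z","event_type":"forced_entry","badge_id":null,"access_result":"denied","location_id":"CUI-STORE","device_id":"ACP-00022"}
"""

WINDOW = timedelta(minutes=5)   # assumed sliding window for the repeated-denial rule
DENIED_THRESHOLD = 3            # assumed number of denials that triggers an alert


def parse_ts(s: str) -> datetime:
    """Timestamps are ISO8601 UTC as required by the policy, so no timezone handling is needed."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect(lines) -> list:
    """Return alerts: denial bursts per (badge, location) inside WINDOW, and every forced_entry."""
    alerts = []
    recent = defaultdict(deque)  # (badge_id, location_id) -> timestamps of recent denials
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        ts = parse_ts(ev["timestamp"])
        if ev["event_type"] == "forced_entry":
            # A forced-open event is always worth an alert, regardless of any badge history
            alerts.append(("FORCED_ENTRY", ev["location_id"], ev["timestamp"]))
            continue
        if ev["event_type"] == "badge_read" and ev["access_result"] == "denied":
            key = (ev["badge_id"], ev["location_id"])
            q = recent[key]
            q.append(ts)
            while q and ts - q[0] > WINDOW:   # drop denials older than the window
                q.popleft()
            if len(q) >= DENIED_THRESHOLD:
                alerts.append(("REPEATED_DENIED", key, ev["timestamp"], len(q)))
                q.clear()                     # one alert per burst, not one per extra denial
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```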
Checklist — Minimum Policy and Operational Controls
Use this operational checklist when drafting or auditing your policy (mark each as Policy / Configured / Tested):
- Policy defines scope of physical spaces and devices to be logged
- List of events that must be recorded (badge reads, door opens, denied attempts, forced entries, tamper alarms, visitor escorts)
- Minimum log fields specified and mapped to each device type (timestamp UTC, device_id, reader_id, badge_id)
- Time synchronization (NTP over authenticated sources) mandated
- Centralized log collection and secure transport (syslog-TLS/HTTPS) configured
- Retention defined (e.g., 1 year online, 7 years archived) and aligned to contractual/DFARS obligations
- WORM/archive protection or object lock for baseline integrity
- Access controls for log data and separation of duties for reviewers
- Automated alerting and weekly/monthly review processes with documented sign-off
- Incident response and chain-of-custody steps for seized logs or forensic use
- Periodic integrity checks (hashes, HMAC) and restoration tests
Policy and Template Language (copy/paste ready)
Policy excerpt — Purpose & scope: "This policy requires the collection, protection, retention, and review of physical access audit records for all facilities and enclosures that store or process CUI. The policy applies to all employees, contractors, and third-party providers operating physical access devices that control entry to such spaces."
Procedure excerpt — Event handling: "All access control devices shall forward events in near real-time to the organization's centralized log collector using TLS. Each event must include an ISO8601 UTC timestamp, device_id, reader_id, badge_id (or anonymized identifier), access_result, and a link to any associated CCTV clip. The Physical Security Manager will review aggregated alerts weekly and perform a full monthly audit of events for critical enclosures."
Compliance Tips and Best Practices
Use ISO8601 UTC timestamps and enforce NTP from a secure source to prevent timezone or drift issues during investigations. Normalize log formats at ingestion — prefer JSON or CEF for easy parsing. Implement retention based on risk and contract: a common practical baseline is 1 year retained online with secure archival for 3–7 years for organizations with long-term contractual obligations. Test your forensic readiness with an annual tabletop: simulate a forced-entry event and verify you can retrieve the badge history, door controller logs, and corresponding CCTV within a defined timeframe (e.g., 24–48 hours).
Risk of Not Implementing the Requirement
Failure to log physical access reliably increases the risk of undetected unauthorized access to CUI, weakens your ability to investigate security incidents, and may result in contract noncompliance that can lead to contract loss, penalties, or exclusion from future government contracting. Operationally, lack of logs hinders root cause analysis — you cannot prove who accessed a space, when, or whether an insider action preceded data exfiltration. From an insurance and legal perspective, missing logs often mean missed opportunities to limit liability.
In summary, a compliance-ready physical access audit log policy is achievable for small organizations by following a practical template: clearly define scope and events, centralize and protect logs, enforce time synchronization and integrity checks, set realistic retention aligned to contracts, and automate reviews and alerts. Implement the checklist, adapt the policy excerpts above, run a tabletop exercise, and you will have a defensible, auditable posture aligned to NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 PE.L2-3.10.4.