
How to Implement NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - PE.L2-3.10.4: Maintain Audit Logs of Physical Access (Step-by-Step Implementation)

Step-by-step guidance to implement PE.L2-3.10.4 for maintaining secure, auditable physical access logs to meet NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 requirements.

March 30, 2026
4 min read


Maintaining audit logs of physical access (PE.L2-3.10.4) is a practical, evidence-driven requirement under NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 that ensures you can detect, investigate, and demonstrate control over who entered sensitive areas and when—critical for protecting Controlled Unclassified Information (CUI) and meeting contract obligations.

Understanding PE.L2-3.10.4 and key objectives

This control requires organizations to record and retain physical access events so they can reconstruct access activity during incidents and audits. Key objectives are: 1) generate reliable access events (who, where, when, result), 2) protect the integrity and availability of those logs, and 3) review and retain logs per policy so they support investigations and compliance reporting. For small businesses, demonstrating consistent, defensible logging is usually the difference between winning/keeping DoD contracts and failing an assessment.

Step-by-step implementation (practical overview)

Implementation is straightforward when broken into discrete steps: define scope, select or augment a Physical Access Control System (PACS), ensure secure log collection and storage, implement monitoring and regular review, and document retention and chain-of-custody procedures. Below are concrete actions and technical details you can apply immediately.

Step 1 — Define scope and inventory protected areas

Start by identifying all locations that house CUI or support systems subject to NIST/CMMC controls: server rooms, comms closets, HR files, and any locked cabinets. Create an asset register mapping each door/reader to an identifier (door_id) and owner. Define who is in-scope for logging (employees, contractors, visitors) and establish baseline retention requirements (e.g., minimum 1 year; check contract clauses—some require 3+ years).

Step 2 — Deploy or upgrade PACS and logging sources

Choose a PACS that can emit detailed audit records—card readers, mobile credentials, and door controllers should log events such as access_granted, access_denied, forced_open, held_open, and tamper_detected. For small businesses this can be a cloud-managed PACS (e.g., Kisi, Openpath) or an on-prem solution (HID, Honeywell) tied to controllers. Ensure devices support time-synchronized timestamps (ISO 8601, UTC) and export via syslog over TLS or a secure API, and that each record includes fields such as timestamp, event_id, door_id, credential_id (or a hash of it), event_type, reader_id, and operator_id for manual overrides.

Step 3 — Collect, secure, and format logs

Pipe PACS logs into a central log collector or SIEM. Technical best practices: enforce NTP/chrony synchronization for all controllers and log servers, transmit logs over TLS (syslog-ng or rsyslog with TLS), store logs in append-only storage (WORM or object storage with immutable lifecycle), and apply server-side encryption (AES-256). Maintain an audit log schema (CSV/JSON) and include integrity protections—periodically compute SHA-256 hashes of log files and store the hashes in a separate, access-controlled location or sign them with an HSM-backed key for tamper evidence.

Step 4 — Monitoring, review, and incident integration

Implement automated alerts for critical events (e.g., repeated access_denied attempts, after-hours access, forced_open) with thresholds tuned to reduce false positives. Integrate physical logs with your SIEM or log-analysis tool (Splunk, Elastic/ELK, Graylog). Schedule weekly reviews of anomalous events and quarterly audits of retention and access controls. Document an escalation playbook: who investigates, how to correlate with CCTV, and how to preserve chain of custody for evidence.
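As an added illustration of Steps 3 and 4 (not code from the original article or from any PACS vendor), the script below parses a constructed JSON export in the Step 2 schema, applies the three alert rules from Step 4, and computes the SHA-256 digest described in Step 3 so the log can later be verified against a separately stored hash. The business-hours window, the denial threshold, and all event values are assumptions.

```python
import hashlib
import json
from datetime import datetime, timedelta

# Constructed sample PACS export in the JSON schema from Step 2 (all values hypothetical).
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"timestamp": "2026-03-30T02:15:00Z", "event_id": 101, "door_id": "lab-01", "credential_id": "c7a1", "event_type": "access_granted", "reader_id": "r1"},
    {"timestamp": "2026-03-30T09:00:10Z", "event_id": 102, "door_id": "lab-01", "credential_id": "b2f0", "event_type": "access_denied", "reader_id": "r1"},
    {"timestamp": "2026-03-30T09:01:30Z", "event_id": 103, "door_id": "lab-01", "credential_id": "b2f0", "event_type": "access_denied", "reader_id": "r1"},
    {"timestamp": "2026-03-30T09:02:45Z", "event_id": 104, "door_id": "lab-01", "credential_id": "b2f0", "event_type": "access_denied", "reader_id": "r1"},
    {"timestamp": "2026-03-30T14:20:00Z", "event_id": 105, "door_id": "srv-02", "credential_id": None, "event_type": "forced_open", "reader_id": "r2"},
])

BUSINESS_HOURS = (7, 19)                                   # assumed 07:00-19:00 UTC; tune per site
DENIED_THRESHOLD, DENIED_WINDOW = 3, timedelta(minutes=5)  # assumed alert tuning

def parse_events(text):
    """Parse newline-delimited JSON records; timestamps are ISO 8601 UTC as required in Step 2."""
    events = []
    for line in text.splitlines():
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])  # reviewers need chronological order

def detect_alerts(events):
    """Apply the Step 4 rules; returns (rule, event_id) tuples for the SIEM or review queue."""
    alerts, recent = [], {}
    for e in events:
        if e["event_type"] == "forced_open":          # any forced door is a critical event
            alerts.append(("forced_open", e["event_id"]))
        if e["event_type"] == "access_granted" and not (
                BUSINESS_HOURS[0] <= e["ts"].hour < BUSINESS_HOURS[1]):
            alerts.append(("after_hours", e["event_id"]))
        if e["event_type"] == "access_denied":        # N denials for one credential within the window
            window = recent.setdefault(e["credential_id"], [])
            window.append(e["ts"])
            window[:] = [t for t in window if e["ts"] - t <= DENIED_WINDOW]
            if len(window) >= DENIED_THRESHOLD:
                alerts.append(("repeated_denied", e["event_id"]))
    return alerts

def log_digest(text):
    """SHA-256 of the export; store it in a separate, access-controlled location (Step 3)."""
    return hashlib.sha256(text.encode()).hexdigest()

def verify_log(text, stored_digest):
    """Tamper-evidence check at review time: any edit to the export changes the digest."""
    return log_digest(text) == stored_digest
```

Run the digest step at the hashing cadence your policy specifies and keep the digests outside the log store so that an attacker who can alter logs cannot also alter the evidence of alteration.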

Real-world small business scenarios and risks

Example: a 25-person engineering firm stores prototype designs in a locked lab. By adding badge readers to the lab, centralizing logs in an ELK instance, enabling TLS syslog, and retaining logs for 18 months on encrypted S3 with MFA delete, the company can demonstrate control during a CMMC assessment and quickly identify a contractor who accessed the lab outside their schedule. Risks of non-implementation include undetected unauthorized entry, inability to prove compliance in a DoD audit, contract loss, leakage of CUI, higher breach remediation costs, and inability to perform forensic analysis after an incident.

Compliance tips and best practices

Practical tips: enforce least privilege for log access; separate duties so no single person can alter logs and also perform investigations; document policies that specify retention periods, hashing cadence, and acceptable deletion workflows; test restores and verify log integrity regularly; anonymize or hash personal identifiers where privacy laws apply but keep a mapping in a protected register for investigators; and, when using third-party PACS/cloud providers, obtain SOC2 reports or equivalent and include logging requirements in contracts.

Implementing PE.L2-3.10.4 doesn't require enterprise budgets—small businesses can start by hardening existing readers, centralizing exports to a modest log server or managed SIEM, enabling TLS and NTP, and documenting the processes. Focus on evidence: clearly labeled logs, consistent timestamps in UTC, immutable storage, routine reviews, and a documented incident response path that references physical-log evidence. That combination will satisfy assessors and materially reduce operational risk.
