
How to Implement NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - PE.L2-3.10.4: Step-by-Step Guide to Maintaining Audit Logs of Physical Access

A practical, step-by-step guide to implement and maintain tamper-resistant physical access audit logs to meet NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 PE.L2-3.10.4 requirements.

April 17, 2026

This post explains how to implement PE.L2-3.10.4—maintaining audit logs of physical access—under NIST SP 800-171 Rev.2 and CMMC 2.0 Level 2, with practical steps, configuration details, and real-world examples tailored for small businesses handling Controlled Unclassified Information (CUI).

Understanding the requirement and objectives

At its core, PE.L2-3.10.4 requires organizations to create, maintain, and protect reliable audit logs that record who accessed physical spaces that house CUI and other sensitive assets. The objective in the Compliance Framework context is threefold: (1) provide an evidentiary record for investigations, (2) enable detection of anomalous or unauthorized physical access, and (3) support accountability for personnel and contractors. For small businesses this translates into a practical program covering sensors/readers, video correlation, timestamping, retention, integrity controls, and review processes tied to documented policies.

Step-by-step implementation

1) Identify assets, access points, and logging scope

Start by mapping all controlled areas (server rooms, CUI offices, storage cabinets) and every access point (main doors, mantrap doors, card readers, emergency exits with sensors). Create an inventory: door ID, physical location, type of reader (badge, biometric, keypad), camera IDs that cover the door, and the responsible owner. This inventory drives what you log—if a door has a badge reader but no camera, your log must capture badge ID, reader ID, event type (grant/deny), direction, and timestamp.

2) Choose and configure the logging technologies

Select a combination of an access control system (ACS) and a video management system (VMS) that support event export. Common commercial choices for small businesses include cloud-hosted ACS (e.g., HID Cloud, Kisi) or local controllers (e.g., Mercury/Lenel hardware). Ensure readers use secure protocols (prefer OSDP over Wiegand) and that the ACS exports events via syslog over TLS, an API, or daily batch CSV. For video, pick a VMS that can ingest events as metadata and create indexed clips. Configure each device to output a standardized event record: timestamp (ISO 8601, UTC), device ID, reader ID, card/badge ID (hashed if necessary for privacy), user name, event code, result, and a correlation pointer to the camera clip ID.

3) Ensure accurate time, format, and secure transmission

Time integrity is critical—configure all controllers, readers, and cameras to use authenticated NTP (Network Time Protocol) or PTP, and log timestamps in UTC using ISO 8601 (e.g., 2026-04-17T14:32:05Z). Use structured log formats (JSON or key=value) to facilitate ingestion into log management. Transport logs over secure channels—syslog over TLS or HTTPS APIs—to a centralized collector or SIEM (e.g., Splunk, Elastic Stack, Graylog). For small shops with limited budget, a hosted log aggregator that supports TLS and retention policies is a viable option.

4) Storage, retention, and integrity controls

Define and implement a retention policy aligned with contract requirements—common practical defaults are 90 days of quick-access online logs, 1 year on encrypted archive, and 3 years for legal/contractual evidence using write-once-read-many (WORM) storage (e.g., S3 Object Lock). Protect logs at rest using AES-256 encryption and restrict access via RBAC. Compute and store hashes (SHA-256) of daily log bundles, store hashes separately, and periodically verify to detect tampering. Maintain backups (offsite or cloud) and document the retention/backup schedule in your Compliance Framework artifacts (SOPs, System Security Plan).
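The hashing step above, as an added example (not code from the original post or from any ACS/SIEM product): each day's bundle of standardized JSON events is hashed with SHA-256, the digests are chained so that removing a whole day is also detectable, and a verifier recomputes the chain against the separately stored digests. The event records are constructed sample data.

```python
"""Chained SHA-256 digests over daily physical-access log bundles (added example)."""
import hashlib
import hmac
import json

# Constructed sample: two days of ACS events in the standardized format (UTC, ISO 8601).
DAY1 = [
    {"timestamp": "2026-04-16T08:02:11Z", "readerID": "RDR-01", "badgeHash": "a1b2", "result": "grant"},
    {"timestamp": "2026-04-16T17:45:09Z", "readerID": "RDR-01", "badgeHash": "a1b2", "result": "grant"},
]
DAY2 = [
    {"timestamp": "2026-04-17T07:58:40Z", "readerID": "RDR-02", "badgeHash": "c3d4", "result": "deny"},
]
GENESIS = "0" * 64  # fixed starting value for the first day in the chain


def canonical_bundle(events):
    """Serialize events deterministically (sorted keys, fixed separators) so the same
    records always hash to the same value regardless of how the exporter ordered keys."""
    return "\n".join(json.dumps(e, sort_keys=True, separators=(",", ":")) for e in events).encode()


def chained_digest(events, previous_digest):
    """SHA-256 over the previous day's digest plus today's bundle. Because each digest
    depends on the one before it, deleting or replacing a day breaks every later digest."""
    h = hashlib.sha256()
    h.update(previous_digest.encode())
    h.update(canonical_bundle(events))
    return h.hexdigest()


def build_chain(days):
    """Digests to store apart from the bundles (e.g., in an access-restricted vault)."""
    digests, prev = [], GENESIS
    for events in days:
        prev = chained_digest(events, prev)
        digests.append(prev)
    return digests


def verify_chain(days, stored_digests):
    """Recompute the chain from the archived bundles and compare with the stored digests.
    Returns the index of the first day that fails verification, or None if all match."""
    if len(days) != len(stored_digests):          # a missing or extra day is a failure
        return min(len(days), len(stored_digests))
    prev = GENESIS
    for i, (events, stored) in enumerate(zip(days, stored_digests)):
        prev = chained_digest(events, prev)
        if not hmac.compare_digest(prev, stored):
            return i
    return None
```

Run `verify_chain` from a scheduled job that reads the archived bundles and the vaulted digests; a non-None result is the tamper alert the control asks for.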

5) Monitoring, review cadence, and integration with incident response

Implement automated detection rules for suspicious events (after-hours access, repeated access denials, door forced open) and route alerts to an on-call responder. Establish manual review cadences—weekly reviews for exceptions, monthly trending, and quarterly audits tying logs to personnel access records. Integrate log review procedures into your incident response plan: when an alert becomes an incident, correlate badge events with camera footage, HR records, and visitor logs, then preserve a forensic copy of relevant logs with chain-of-custody documentation.
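The three detection rules named above (after-hours access, repeated denials, door forced open), as an added example that is not part of the original post or any SIEM product. The events are constructed sample records in the standardized JSON format; the business-hours window and denial threshold are assumed values a facility owner would tune.

```python
"""Detection rules over standardized physical-access events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events (UTC, ISO 8601); one normal grant, one late-night grant,
# a burst of denials at one reader, and a forced-door alarm.
EVENTS = [
    {"timestamp": "2026-04-17T13:02:11Z", "readerID": "RDR-01", "userID": "jdoe", "event": "access", "result": "grant"},
    {"timestamp": "2026-04-17T23:41:05Z", "readerID": "RDR-02", "userID": "asmith", "event": "access", "result": "grant"},
    {"timestamp": "2026-04-17T14:10:00Z", "readerID": "RDR-01", "userID": "unknown", "event": "access", "result": "deny"},
    {"timestamp": "2026-04-17T14:10:20Z", "readerID": "RDR-01", "userID": "unknown", "event": "access", "result": "deny"},
    {"timestamp": "2026-04-17T14:10:45Z", "readerID": "RDR-01", "userID": "unknown", "event": "access", "result": "deny"},
    {"timestamp": "2026-04-17T15:00:00Z", "readerID": "RDR-02", "userID": None, "event": "door_forced", "result": "alarm"},
]

BUSINESS_HOURS_UTC = (12, 22)  # assumed: 12:00-22:00 UTC, i.e. 08:00-18:00 US Eastern (DST)
DENIAL_THRESHOLD, DENIAL_WINDOW = 3, timedelta(minutes=5)  # assumed tuning values


def parse_ts(ts):
    """ISO 8601 'Z' timestamp -> timezone-aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def after_hours_grants(events, hours=BUSINESS_HOURS_UTC):
    """Successful entries whose UTC hour falls outside the business-hours window."""
    start, end = hours
    return [e for e in events if e["result"] == "grant" and not start <= parse_ts(e["timestamp"]).hour < end]


def repeated_denials(events, threshold=DENIAL_THRESHOLD, window=DENIAL_WINDOW):
    """Sliding window per reader: one alert when `threshold` denials land within `window`."""
    alerts, by_reader = [], defaultdict(list)
    denials = sorted((e for e in events if e["result"] == "deny"), key=lambda e: e["timestamp"])
    for e in denials:
        recent = by_reader[e["readerID"]]
        recent.append(parse_ts(e["timestamp"]))
        while recent and recent[-1] - recent[0] > window:  # drop denials older than the window
            recent.pop(0)
        if len(recent) >= threshold:
            alerts.append((e["readerID"], e["timestamp"]))
            recent.clear()  # one burst produces one alert, not one per extra denial
    return alerts


def forced_doors(events):
    """Door-forced / held-open alarms from the controller's contact sensor."""
    return [e for e in events if e["event"] == "door_forced"]


def run_rules(events):
    """Alerts grouped by rule, ready to route to the on-call responder."""
    return {"after_hours": after_hours_grants(events),
            "repeated_denials": repeated_denials(events),
            "door_forced": forced_doors(events)}
```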

Small business scenario: 50-person defense subcontractor

Example: Acme Subcontracts has two CUI rooms and a server closet. Implementation steps: (1) install two door controllers with OSDP readers and one backup magnetic contact sensor; (2) deploy a VMS with cameras over each door; (3) centralize events to a cloud SIEM (Elastic Cloud) via syslog over TLS; (4) configure logs as JSON with the fields timestamp (UTC), readerID, userID, outcome, and cameraClipID; (5) set retention to 90 days hot and 18 months cold (S3 Glacier), with hashes stored in a secure vault. Cost-effective choices: hosted ACS subscription (~$30–$60/user/year), used VMS license, and a modest SIEM ingest plan. Operationalize by creating SOPs for badge issuance, deprovisioning within 24 hours of termination, and weekly log review assigned to the facility manager.

Compliance tips and best practices

Document everything: SOPs for logging, retention, review, and incident handling; include log sources in the System Security Plan and map them to PE.L2-3.10.4. Test log integrity and recovery by performing quarterly restore drills. Minimize single points of failure: dual-path logging (ACS + camera metadata) helps when one source is unavailable. Keep user provisioning and deprovisioning tight—automate deprovisioning via HR/identity workflows. Finally, run periodic tabletop exercises simulating tailgating or badge cloning to verify your logs produce the evidentiary chain you need.

Risks of not implementing this control correctly

Without reliable physical access logs you cannot effectively investigate unauthorized entry or prove who accessed CUI spaces—this increases the risk of data exfiltration, contract non-compliance, failed audits, monetary penalties, and loss of DoD contracts. Operationally, lack of logs prolongs incident response and remediation, increases forensic costs, and erodes trust with prime contractors. From a legal perspective, insufficient logs may prevent demonstrating due care in the event of a breach.

Summary: Implementing PE.L2-3.10.4 requires an inventory-driven approach, secure and standardized logging from readers and cameras, synchronized timestamps, protected and immutable storage, and defined review and incident procedures. For small businesses, a mix of cost-conscious commercial ACS/VMS, secure cloud log aggregation, retention with WORM options, and clear SOPs will meet Compliance Framework expectations while enabling fast, reliable investigations—start with inventory and time sync, then centralize and protect logs, and bake log review into regular security operations.
