
How to Meet NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - PE.L2-3.10.4

Practical guide for SMBs to implement NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - PE.L2-3.10.4

January 06, 2026 • 3 min read


Requirement

NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - PE.L2-3.10.4 – Maintain audit logs of physical access.

Understanding the Requirement

This control requires your organization to keep reliable records showing who entered and exited your facilities so you can verify that only authorized people gained access and detect suspicious activity. The objective is straightforward: audit logs of physical access are maintained so that security teams can review access events (for example, late-night entries) and correlate them with other security data to identify potential incidents.

Technical Implementation

  • Choose and deploy an access logging method: For many SMBs, a simple, low-cost approach is a mandatory sign-in/out log at reception or a digital kiosk that timestamps entries. For stronger assurance, install an electronic access control system (keycard, fob, or mobile credential) that records user ID, door, and timestamp for every entry and exit. Select a solution that fits your budget and scale.
  • Ensure accurate timestamps and event detail: Configure all physical access devices and log systems to use a reliable time source (NTP). Logs should capture at minimum: person identifier (card ID or username), door or zone, event type (entry/exit/deny), date and time, and any supervising staff or escort notes for visitors.
  • Protect and centralize logs: Route electronic access logs to a central, write-once or append-only storage location (on-premise SIEM, log server, or cloud log archive). For paper sign-ins, scan and store daily into a protected file share. Limit who can modify or delete logs—assign an owner and enforce role-based access to the log repository.
  • Retention, backups and integrity: Define a retention policy (e.g., 1–3 years depending on contractual or regulatory needs) and implement automated backups. Use checksums, versioning, or WORM-style storage where possible to detect tampering. Maintain a simple change-log for any administrative actions on the log repository.
  • Regular review and escalation: Establish a routine review cadence (weekly for small sites, daily for higher-risk environments) and a process for investigating anomalies (unknown card use, after-hours access). Tie review activities to incident response: who will investigate, how evidence is preserved, and how findings are reported to leadership.
  • Operational controls and training: Implement visitor policies (sign-in, badge issuance, escort requirements) and staff training so employees know how to log access, report lost cards, and recognize suspicious patterns. Assign clear responsibilities: physical access owner, log custodian, and reviewer.
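As an added illustration of the event fields, after-hours review and tamper-evidence steps above (example code written for this page, not from any access-control vendor or from the original article), the following script parses a constructed CSV export from a badge system, flags denied and after-hours or weekend events for the reviewer, and chains a SHA-256 digest over the file so that any later edit or deletion of a line changes the final digest. The CSV layout, business hours and badge IDs are assumptions.

```python
import hashlib
from datetime import datetime, time

# Constructed sample export from a badge access-control system (not real data).
# Columns: timestamp (ISO 8601, UTC from an NTP-synced controller), badge ID, door, result
SAMPLE_LOG = """\
2026-01-05T08:02:11Z,BADGE-0412,Front Door,GRANTED
2026-01-05T12:31:40Z,BADGE-0187,Server Room,DENIED
2026-01-05T23:47:05Z,BADGE-0412,Front Door,GRANTED
2026-01-06T02:15:22Z,BADGE-0933,Server Room,GRANTED
2026-01-06T09:00:03Z,VISITOR-07,Front Door,GRANTED
"""

# Assumed business hours; anything outside this window or on a weekend is "after hours".
BUSINESS_START = time(7, 0)
BUSINESS_END = time(19, 0)


def parse_events(text):
    """Parse export lines into dicts holding the minimum fields the control calls for."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, badge, door, result = line.split(",")
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "badge": badge, "door": door, "result": result,
        })
    return events


def flag_for_review(events):
    """Return the events a reviewer should examine: denied attempts and after-hours entries."""
    flagged = []
    for e in events:
        t = e["time"]
        after_hours = t.weekday() >= 5 or not (BUSINESS_START <= t.time() < BUSINESS_END)
        if e["result"] == "DENIED" or after_hours:
            flagged.append(e)
    return flagged


def hash_chain(text):
    """Chain SHA-256 over each line; store the final hex digest separately from the log."""
    digest = b""
    for line in text.splitlines():
        digest = hashlib.sha256(digest + line.encode()).digest()
    return digest.hex()
```

Recomputing the chain over the archived file and comparing it to the stored digest detects modified, removed or reordered lines, which is the check the retention and integrity step asks for.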

Example in a Small or Medium Business

A 40-person engineering firm with a single office replaced an informal pen-and-paper sign-in with a badge-based access control system linked to a cloud log archive. Every employee was issued a proximity badge tied to their name in the HR roster; reception kept temporary visitor badges recorded in the same system. The access control records include badge ID, door name, timestamp, and whether the entry was granted or denied. The IT manager configured NTP so that timestamps are consistent and exports the logs nightly to an encrypted backup. The security lead reviews after-hours and weekend access weekly and investigates any access that occurs outside normal schedules; one late-night entry triggered a follow-up that revealed a contractor working overtime with permission, which was documented and closed. Visitor logs are retained for one year and employee access logs for three years to meet contractual requirements; copies are stored offsite and protected against deletion. Staff sign an access policy during onboarding, and reception staff are trained to verify IDs and escort visitors when required, creating multiple checks that preserve both safety and evidence for audits.

Summary

Maintaining audit logs of physical access is achievable for SMBs with clear policy, appropriate technology, and simple operational controls. By selecting a logging method that matches your risk and budget (from paper logs to electronic badge systems), centralizing and protecting those records, enforcing retention and review procedures, and training staff on visitor and badge handling, you create an auditable trail that demonstrates who entered your facilities and when. Those combined policy and technical measures provide the evidence needed to detect suspicious activity, support incident investigations, and meet the requirement.
