PE.L2-3.10.3 – Escort visitors and monitor visitor activity. This control comes from NIST SP 800-171 Rev. 2 / CMMC 2.0 Level 2.
This control requires you to manage visitors from the moment they arrive until they leave: verify who they are, log their entry and exit, clearly identify them as visitors, escort them in non-public or sensitive areas, and monitor what they do while on site. The goal is to prevent unauthorized physical access to systems and information by ensuring visitors are known, supervised, and recorded throughout their stay.
Create a visitor management policy that defines “visitor,” “public,” and “sensitive/non-public” areas; requires sign-in/sign-out; mandates visible, uniquely identifiable visitor badges; and assigns escorts for any visitor entering non-public spaces. Add procedures for reception/front desk operations, badge issuance and return, escort responsibilities, access exceptions (e.g., contractors), surveillance/monitoring practices, record retention for visitor logs, and periodic review. Include staff training so everyone understands how to challenge unescorted visitors and how to respond to violations.
A 60-person engineering firm expects a client team to arrive at 10:00 AM. The receptionist verifies their IDs, has them sign the visitor log capturing names, company, host, purpose, badge numbers, and start time, and hands out red visitor badges that expire at the end of the day. The assigned escort from the engineering team meets them and walks them through to a conference room, reminding them they must not enter labs or the server room without the escort. Interior doors to non-public areas are controlled by badge readers, and visitor badges cannot unlock them. Throughout the visit, the escort accompanies the clients to restrooms and ensures any screen with sensitive data in adjacent spaces is locked or shielded. Before leaving, the clients return their badges at reception and sign out; the receptionist reconciles badges and files the log in a locked cabinet. That afternoon, the office manager spot-checks the log and access-control events to confirm there were no unescorted movements into restricted spaces.
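The afternoon spot-check in the scenario above can be partly automated. The following is an added example, not part of the original page: it reconciles a visitor log against badge-reader events and flags missing sign-outs, unreturned badges, visitor badges read at restricted doors, and badge use outside the signed-in window. The record layouts, badge IDs and door names are constructed assumptions; adapt them to whatever your visitor log and access-control system export.

```python
from datetime import datetime

# Constructed sample data; field names, badge IDs and door names are assumptions.
VISITOR_LOG = [
    {"name": "Visitor A", "badge": "V-101", "sign_in": "2024-05-06 10:02",
     "sign_out": "2024-05-06 11:45", "badge_returned": True},
    {"name": "Visitor B", "badge": "V-102", "sign_in": "2024-05-06 10:03",
     "sign_out": None, "badge_returned": False},
]
DOOR_EVENTS = [  # (time, badge, door, result)
    ("2024-05-06 10:15", "E-3301", "server-room", "granted"),  # employee badge
    ("2024-05-06 10:41", "V-102", "server-room", "denied"),
    ("2024-05-06 12:10", "V-101", "lobby", "denied"),
]
RESTRICTED_DOORS = {"lab", "server-room"}


def ts(text):
    """Parse the timestamp format used in the sample records."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def review_visits(visitor_log, door_events, restricted):
    """Return (badge, issue) findings for one day's visitor records."""
    findings = []
    # Assumes each visitor badge is issued at most once in the reviewed day.
    visits = {v["badge"]: v for v in visitor_log}
    for v in visitor_log:
        if v["sign_out"] is None:
            findings.append((v["badge"], "no sign-out recorded"))
        if not v["badge_returned"]:
            findings.append((v["badge"], "badge not returned"))
    for when, badge, door, result in door_events:
        visit = visits.get(badge)
        if visit is None:
            continue  # not a visitor badge issued that day
        if door in restricted:
            # Visitor badges should never be presented at these readers.
            findings.append((badge, f"{result} read at restricted door {door} at {when}"))
        start = ts(visit["sign_in"])
        end = ts(visit["sign_out"]) if visit["sign_out"] else None
        if ts(when) < start or (end is not None and ts(when) > end):
            findings.append((badge, f"badge used outside signed-in window at {door} at {when}"))
    return findings


if __name__ == "__main__":
    for badge, issue in review_visits(VISITOR_LOG, DOOR_EVENTS, RESTRICTED_DOORS):
        print(badge, "-", issue)
```

Each finding is a prompt for follow-up with the host or escort, and a "granted" result for a visitor badge at a restricted door would additionally indicate a badge-provisioning error.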
By implementing a clear visitor management policy, training staff, issuing distinct visitor badges, enforcing escorts in non-public areas, and maintaining accurate entry/exit records, SMBs can reliably control and monitor visitor activity. Physical controls and surveillance reinforce the escort process, while routine reviews of logs and incidents help keep the program effective. Together, these measures reduce the risk of unauthorized access to systems and information and demonstrate consistent compliance with the requirement.