This post explains how small businesses and contractors can prepare robust evidence and audit trails for assessments of PE.L2-3.10.2, the CMMC 2.0 Level 2 practice that corresponds to NIST SP 800-171 Rev. 2 requirement 3.10.2. It covers exactly what to collect, how to collect it securely, how to document chain of custody, and how to present the evidence to an assessor so the control is demonstrably implemented.
What PE.L2-3.10.2 typically requires and what to gather
Although the control language varies slightly between frameworks, PE.L2-3.10.2 corresponds to NIST SP 800-171 3.10.2, "Protect and monitor the physical facility and support infrastructure for organizational systems." In practice assessors examine it together with the neighbouring physical protection requirements, in particular 3.10.4 (maintain audit logs of physical access), so the evidence that matters is proof that physical access to areas holding Controlled Unclassified Information (CUI) is both restricted and monitored, and that the monitoring produces a retained record. For assessment evidence, collect: access control system exports (badge/credential events, including denied attempts), visitor logs, CCTV clips or metadata for the relevant time windows, access control configuration screenshots (who holds which credential, which doors, which schedules), policy and procedure documents covering monitoring and retention, time-synchronization settings (NTP/Chrony) for every device that stamps a log, and any SIEM/aggregation rules or alerts that process those logs. Make sure each item is accompanied by metadata: time range (with its timezone), extraction method, and custodian.
How to create an evidence package (templates and structure)
Use an evidence index spreadsheet as the central manifest. Columns I recommend: Evidence ID, Control Reference (PE.L2-3.10.2), Source System (e.g., Kisi, Brivo, Honeywell), File Name/Path, Time Range (state the timezone, preferably UTC), Export Command or UI Steps, Hash (SHA256), Retention Location (S3 bucket or secure file share), Custodian Name, Date Extracted, and Comments. Include a signed attestation from the IT/security manager that the extraction process is complete and the artifacts are unaltered. Example entry: EVID-001, PE.L2-3.10.2, Kisi, kisi-events-2026-03-01_03.csv, 2026-03-01 00:00 to 2026-03-01 23:59 UTC, Kisi UI Export > CSV, SHA256: abc123..., s3://company-evidence/2026/03/, Alice Jones, 2026-03-05, "Contains badge open and denied events for the secure area." Record the full 64-character hash in the real index; a truncated hash cannot be verified.
Practical extraction commands and technical details
Provide reproducible extraction commands or UI steps for each system, and write extracts to a dedicated, access-restricted evidence directory rather than a world-writable location such as /tmp. Examples small businesses can use: for a Windows server that hosts access-control software, export the Security log for the period with PowerShell, putting the event ID filter inside the hashtable so the filtering happens in the event log service rather than in the pipeline: Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4634; StartTime='2026-03-01'; EndTime='2026-03-02'} | Export-Csv C:\evidence\win-log-20260301.csv -NoTypeInformation. Note that 4624 and 4634 are Windows logon and logoff events, not badge events; they corroborate who was using systems inside the controlled area, while badge events themselves are usually written by the vendor software to the Application log or its own database, so check where your product actually logs. For Linux-based door controllers that write syslog to /var/log/door.log, extract a day: awk '/2026-03-01/ && /badge/ {print}' /var/log/door.log > /srv/evidence/door-20260301.log and then compute a SHA256: sha256sum /srv/evidence/door-20260301.log > /srv/evidence/door-20260301.log.sha256. For cloud-managed providers, pull events from their API and keep the raw response unmodified; the call below is illustrative, so confirm the host, path, authentication header, and whether the end bound is inclusive in your provider's documentation: curl -H "Authorization: Bearer $TOKEN" "https://api.kisi.com/v1/events?from=2026-03-01&to=2026-03-01" -o kisi-20260301.json. Keep the API token in an environment variable or secret store, never in the evidence index, and include the exact query (minus the token) in the index so assessors can reproduce the results.
Protecting the integrity of evidence — chain of custody and storage
Never hand over raw evidence without integrity controls. For each file: compute SHA256, record the hash in the evidence index, and then store the artifact in immutable or versioned storage. For small businesses, use S3 Object Lock (governance mode, which a user holding s3:BypassGovernanceRetention can override, or compliance mode, which nobody, including the account root, can shorten before the retention date; pick by policy) or an enterprise backup with WORM/immutable snapshots. Encrypt at rest with AES-256 and in transit with TLS 1.2/1.3. Maintain a minimal chain-of-custody form that lists the extractor, date/time, extraction commands, hash, where files were moved, and signatures (digital or printed) for each transfer, and recompute the hash at every handoff so a mismatch is caught when it happens rather than on assessment day. If physical media is used (e.g., a USB drive with a CCTV export), photograph the drive, label it, compute hashes of the files, and store the drive in a locked, access-controlled location.
Time synchronization and timestamp normalization
Assessors will check that timestamps are reliable. Document and export the NTP/Chrony configuration for each device that produces physical access logs. Example: /etc/chrony.conf should point to reliable NTP sources (e.g., the pool.ntp.org pools or an internal stratum-1 server). For mixed environments, include a normalization step (e.g., convert all timestamps to UTC in exports, and write them with an explicit "Z" suffix so they cannot be misread as local time). Provide proof of sync status: chronyc tracking output (note the reference source and the system time offset) or w32tm /query /status output (note the Source and Last Successful Sync Time). If cameras or controllers store local timestamps in a different timezone, record each device's offset, include the conversion mapping and an explanation in your evidence index, and keep the original local stamp next to the normalized one so the conversion can be checked. Remember that a "day" of events selected by local date will span two UTC dates; state which convention the export used.
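The following script ties together the extraction, hashing, indexing and timestamp-normalization steps above for the syslog-style door log case. It is an added example written for this post, not the post's own tooling and not any vendor's API client. It assumes a controller log in the form the post describes (/var/log/door.log, local timestamps with no zone marker, a "badge=" key on access events), a site clock on US Eastern standard time (UTC-5) for the whole assessment day, and constructed sample lines; the evidence ID, file name, bucket and custodian are hypothetical. It selects one local day the way the post's awk filter does, adds a UTC stamp beside each local stamp, serializes deterministically so a re-export yields the same hash, fills in the index columns from the section above, and verifies the hash at a handoff.

```python
"""Hashed, UTC-normalized evidence extraction with an index row and custody check.

Added example for this post, not the post's own tooling or any vendor's API.
Assumptions: a syslog-style door-controller log (the post's /var/log/door.log),
local timestamps without a zone marker, and a fixed UTC offset for the day.
Evidence IDs, file names, bucket and custodian below are hypothetical.
"""
import csv
import hashlib
import io
import re
from datetime import datetime, timedelta, timezone

# Constructed sample log (not real data). Assumed line format:
# "<local ISO time> <controller> <event type> key=value ..."
SAMPLE_LOG = """\
2026-03-01T07:58:12 door-ctl-1 access badge=1042 door=CUI-Lab result=granted
2026-03-01T08:03:44 door-ctl-1 heartbeat ok
2026-03-01T12:15:09 door-ctl-1 access badge=2219 door=CUI-Lab result=denied
2026-03-01T23:45:30 door-ctl-1 access badge=1042 door=CUI-Lab result=granted
2026-03-02T00:10:02 door-ctl-1 access badge=1042 door=CUI-Lab result=granted
"""

# Site clock: US Eastern standard time (UTC-5) for all of 2026-03-01 (assumption).
# For a range that crosses a DST change use zoneinfo.ZoneInfo("America/New_York").
SITE_TZ = timezone(timedelta(hours=-5), name="EST")

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)(?: (.*))?$")
COLUMNS = ["timestamp_utc", "timestamp_local", "tz_offset", "host", "badge", "door", "result"]


def extract_badge_events(log_text: str, local_day: str, site_tz: timezone) -> list[dict]:
    """Keep badge lines stamped with `local_day` (site-local date) and add a UTC stamp.

    Same selection as the post's awk filter; the local stamp is kept next to the
    UTC one so an assessor can check the conversion line by line.
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or "badge=" not in line:
            continue
        local_stamp, host, _kind, rest = m.groups()
        local_dt = datetime.fromisoformat(local_stamp).replace(tzinfo=site_tz)
        if local_dt.date().isoformat() != local_day:
            continue
        kv = dict(item.split("=", 1) for item in (rest or "").split() if "=" in item)
        events.append({
            "timestamp_utc": local_dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
            "timestamp_local": local_stamp,
            "tz_offset": local_dt.strftime("%z"),
            "host": host,
            "badge": kv.get("badge", ""),
            "door": kv.get("door", ""),
            "result": kv.get("result", ""),
        })
    return events


def events_to_csv(events: list[dict]) -> bytes:
    """Fixed column order and LF line endings so a re-export produces the same hash."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(events)
    return buf.getvalue().encode("utf-8")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_index_entry(evidence_id: str, filename: str, artifact: bytes, events: list[dict],
                      extraction_cmd: str, location: str, custodian: str, extracted_on: str) -> dict:
    """One row of the evidence index, using the columns recommended in the post."""
    time_range = f"{events[0]['timestamp_utc']} to {events[-1]['timestamp_utc']}" if events else ""
    return {
        "Evidence ID": evidence_id,
        "Control Reference": "PE.L2-3.10.2",
        "Source System": events[0]["host"] if events else "",
        "File Name/Path": filename,
        "Time Range": time_range,
        "Export Command or UI Steps": extraction_cmd,
        "Hash (SHA256)": sha256_hex(artifact),
        "Retention Location": location,
        "Custodian Name": custodian,
        "Date Extracted": extracted_on,
        "Comments": f"{len(events)} badge events; UTC normalized from {SITE_TZ.tzname(None)}",
    }


def verify_artifact(artifact: bytes, entry: dict) -> bool:
    """Chain-of-custody check at each handoff: recompute and compare the recorded hash."""
    return sha256_hex(artifact) == entry["Hash (SHA256)"]


if __name__ == "__main__":
    evs = extract_badge_events(SAMPLE_LOG, "2026-03-01", SITE_TZ)
    blob = events_to_csv(evs)
    entry = build_index_entry("EVID-002", "door-20260301.csv", blob, evs,
                              "python3 evidence.py (this script)",
                              "s3://company-evidence/2026/03/", "Alice Jones", "2026-03-05")
    print(entry)
    print("intact:", verify_artifact(blob, entry))
    print("tampered:", verify_artifact(blob.replace(b"denied", b"granted"), entry))
```

Two things the output makes visible that a bare awk extract does not: the 23:45 local event lands on 2026-03-02 in UTC, so the index's Time Range must say which convention was used, and the event on 2026-03-02 00:10 local is excluded even though an assessor looking at UTC would expect it in the same window. Run the same script over the production log, then store the CSV and the index row together; re-running verify_artifact on the stored copy is the hash check the chain-of-custody form should record at each transfer.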
Real-world small business scenarios
Scenario A: A 20-person subcontractor uses Kisi for badge access and Ring cameras for entryways. Evidence package: Kisi daily CSV exports for the assessment period, Ring video clips for flagged events, a screenshot of the Kisi access control list showing assigned roles, the Chrony config from the Linux server acting as their NTP source, an S3 upload with Object Lock enabled, and a signed attestation. Scenario B: A small defense supplier uses a hosted access control system (Brivo) and an on-prem DVR. They export Brivo logs via the API, export DVR footage for the timestamps identified in the badge logs, compute SHA256 sums for the footage files, and store both in an Azure Blob container with a locked time-based immutability policy. Both examples show how cloud and on-prem pieces must be combined, time-normalized (the DVR's local clock and the hosted provider's UTC timestamps will not match until one is converted), and documented.
Compliance tips, common pitfalls, and the risk of not implementing this control
Tips: automate exports where possible, keep retention aligned with policy, keep an evidence index with reproducible extraction commands, and practice the assessor workflow before assessment day. Common pitfalls: missing timezone conversions, relying on screenshots without raw exports, no hash or chain of custody, and retention periods shorter than the assessment window, which leave gaps in the evidence. Risks of not implementing: inability to prove physical access controls for CUI areas, a failed assessment, loss of contract eligibility or of existing contracts, potential CUI compromise, and regulatory or contractual penalties. From an operational perspective, a lack of logs also impedes incident response and increases detection time for unauthorized access.
Summary: Prepare a structured evidence package with an evidence index, reproducible extraction commands, cryptographic hashes, chain-of-custody records, and immutable storage; include NTP verification and normalization, and collect supporting policy and configuration screenshots. For small businesses, use managed services' APIs for exports, enforce retention via cloud immutability features, and practice the evidence handoff to an assessor. Doing these steps will materially increase the likelihood of passing a PE.L2-3.10.2 assessment and protect your organization from the operational and contractual risks of inadequate physical access auditing.