
How to Prepare for an Audit: Evidence and Documentation to Demonstrate Compliance with FAR 52.204-21 / CMMC 2.0 Level 1 - Control - PE.L1-B.1.VIII

Practical guidance and an evidence checklist for small businesses to demonstrate compliance with FAR 52.204-21 / CMMC 2.0 Level 1 (PE.L1-B.1.VIII) through physical access and safeguarding documentation.

April 19, 2026

Preparing for an audit that covers FAR 52.204-21 and CMMC 2.0 Level 1 controls — specifically PE.L1-B.1.VIII — requires collecting concise, verifiable evidence that demonstrates consistent physical access controls and basic safeguarding of Federal Contract Information (FCI) within your environment. This post provides a practical evidence catalog, real-world small-business examples, technical tips for log collection and retention, and a step-by-step approach to packaging evidence for an auditor.

Understand what the auditor will look for

Auditors are looking for proof that your organization has implemented the physical access and basic safeguarding practices prescribed by FAR 52.204-21 and the corresponding CMMC Level 1 practice. For PE-related items this typically means: scoped boundaries where FCI is accessed or stored, documented access controls (who is authorized), visitor and contractor control procedures, and records showing these procedures are enforced (logs, badge records, escort practices). A good first step is a small "control traceability matrix (CTM)" that maps PE.L1-B.1.VIII to your policies, procedures, and the actual evidence file names/locations.

Concrete evidence you should assemble

Prepare a short evidence index (spreadsheet or PDF) that links control objectives to artifacts. Practical artifacts include:

1) Physical access policy, or the physical access section of your information security policy;
2) Visitor sign-in logs (physical or electronic) with fields: visitor name, company, host, badge number, photo ID checked (Y/N), date/time in/out, and signature;
3) Badge/credential issuance records and a deprovisioning checklist;
4) Chain-of-custody or media control logs, if physical media transport is used;
5) Photos or diagrams showing controlled access points (door locks, server room);
6) CCTV retention statement and a sample export (timestamped clip) demonstrating you can produce footage;
7) Staff training records showing personnel were briefed on physical security;
8) Incident logs showing response to an access violation, if any.

Evidence format and technical details

Use standard, auditor-friendly formats: CSV exports of badge system logs (fields: timestamp, badge_id, user_id, door_id, action), PDF policy documents with version/date, and MP4/AVI clips from CCTV with original timestamps intact. Ensure clocks on access control systems and CCTV are synchronized via NTP (document the NTP server configuration and time zone). For electronic logs, provide checksums (for example SHA-256) or signed exports to show integrity. Store evidence in a read-only directory or an export package with a manifest file listing filenames, sizes, and hashes.

Small-business scenarios and pragmatic implementations

Scenario A — small office with a single server closet: Lock the closet with a keyed or electronic lock, maintain a physical key issuance register, and keep an annotated photo of the closet door and lock type. Visitor sign-ins can be a paper log supplemented with a daily scanned copy stored on your internal file server.

Scenario B — co-working space: Document how FCI is segmented — encrypted laptop storage, locked cabinet, and use of screen privacy filters — and supplement with lease language or building security policies showing your rights to control access to your space.

Scenario C — remote workforce with occasional visits: Use a signed check-in sheet and a host-attestation email for visitors; keep copies of ID verification (redact where necessary) and store them securely with access controls.

Operational best practices and audit-ready packaging

Follow these practical steps:

1) Create a one-page Control Evidence Index that maps PE.L1-B.1.VIII to artifact filenames;
2) Keep evidence for a minimum period you define in policy (90–365 days is common for CCTV and logs — choose based on risk and capacity) and document retention periods;
3) Redact personal information that’s not required for audit while preserving evidentiary elements (timestamps, host, purpose);
4) Pre-generate a ZIP package of sampled logs and accompanying metadata (who exported them, when, and using which account);
5) Maintain a point-of-contact document for the auditor with names, roles, and how to request further records.
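As an added example (not from the original post), the Python script below builds the manifest described in the evidence-format section (filenames, sizes and SHA-256 hashes) together with the export metadata from step 4 (who exported, when, from which account), then re-verifies the package so that a later edit to a log is detected. The sample CSV files, exporter name and account are constructed placeholders.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample artifacts (not real exports) in the CSV layouts the post describes.
SAMPLE_FILES = {
    "badge_log_2026-04.csv": "timestamp,badge_id,user_id,door_id,action\n"
                             "2026-04-01T08:02:11Z,B1042,jdoe,server-closet,granted\n",
    "visitor_log_2026-04-01.csv": "visitor,company,host,badge,id_checked,in,out\n"
                                  "A. Visitor,ExampleCo,jdoe,V07,Y,2026-04-01T10:00Z,2026-04-01T11:30Z\n",
}

def sha256_file(path):
    # Stream in 1 MiB chunks so large CCTV clips never need to fit in memory.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(evidence_dir, exported_by, account):
    # One entry per artifact (size + SHA-256) plus who/when/which account produced the export.
    files = {p.name: {"size": p.stat().st_size, "sha256": sha256_file(p)}
             for p in sorted(Path(evidence_dir).iterdir())
             if p.is_file() and p.name != "manifest.json"}
    return {"exported_by": exported_by, "export_account": account,
            "exported_at": datetime.now(timezone.utc).isoformat(), "files": files}

def verify_manifest(evidence_dir, manifest):
    # Empty list means every listed artifact is present and unchanged since export.
    problems = []
    for name, meta in manifest["files"].items():
        p = Path(evidence_dir) / name
        if not p.is_file():
            problems.append(f"missing: {name}")
        elif p.stat().st_size != meta["size"] or sha256_file(p) != meta["sha256"]:
            problems.append(f"modified: {name}")
    return problems

def demo():
    # Build a package from the sample files, verify it, then alter a log and verify again.
    d = Path(tempfile.mkdtemp())
    for name, body in SAMPLE_FILES.items():
        (d / name).write_text(body)
    manifest = build_manifest(d, "J. Doe (compliance lead)", "jdoe@example.test")
    (d / "manifest.json").write_text(json.dumps(manifest, indent=2))
    before = verify_manifest(d, manifest)
    with open(d / "badge_log_2026-04.csv", "a") as f:  # simulated after-the-fact edit
        f.write("2026-04-02T03:14:00Z,B9999,unknown,server-closet,granted\n")
    return before, verify_manifest(d, manifest)
```

Keep manifest.json outside the writable evidence folder (or sign it) so the hashes themselves cannot be silently regenerated after an edit.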

Compliance tips and technical controls to automate evidence collection

Automate where possible: enable automatic exports from badge systems and configure retention policies in your video management system. Use access control systems that can export in CSV with clear timestamping. If relying on cloud services (e.g., access logs in Google Workspace or Azure AD), export the relevant audit logs and include a short diagram showing data flows and where FCI resides. Keep configuration snapshots (e.g., smart-lock firmware version, access control list exports) to show controls have been stable or properly updated.

Risks of not implementing or documenting the requirement

Failing to implement and document PE.L1-B.1.VIII exposes your organization to: unauthorized physical access to FCI (leading to exfiltration or tampering), contract loss or inability to win/retain DoD contracts, audit findings that can trigger Corrective Action Plans or suspension, and reputational harm. From a technical standpoint, missing logs or unsynchronized timestamps can render otherwise recoverable incidents unverifiable—an auditor will view incomplete evidence as non-compliance.

In summary, a compact, well-organized evidence package — policy, CTM, visitor/badge logs, proof of enforcement (training and incidents), time-synchronized logs or video exports, and a clear point of contact — will make it straightforward to demonstrate compliance with FAR 52.204-21 / CMMC 2.0 Level 1 (PE.L1-B.1.VIII). For small businesses, pragmatic controls (locked cabinets, keyed or badge access, signed visitor logs, and simple automated exports) combined with retention and packaging discipline will meet auditor expectations while minimizing operational overhead.
