This guide helps small businesses meet the Compliance Framework requirements in FAR 52.204-21 and CMMC 2.0 Level 1 (PE.L1-B.1.IX) by implementing practical visitor escort programs and access-device controls — providing policy language, low-cost technical controls, and real-world examples you can apply immediately.
What the control requires (high level)
The control focuses on preventing unauthorized physical and logical access to Federal Contract Information (FCI) and other sensitive assets by ensuring visitors are escorted in sensitive areas and access devices (badges, tokens, laptops, removable media) are managed, tracked, and revoked when necessary. For a small business under the Compliance Framework, this means formalizing procedures for sign-in, visible temporary credentials, supervised device usage, asset inventory, and rapid disabling/revocation of access when an item or person is no longer authorized.
Implementing a visitor escort program
Visitor policy and operational steps
Create a short, written visitor escort policy that lives in your compliance binder and on the intranet: require pre-registration where possible, ID verification at reception, issuance of time-limited visitor badges, and continuous escorting in designated secure areas. Define secure areas (where FCI is stored or accessed) and state clearly that visitors may never be left unsupervised near workstations or printers. Practical additions: a reception checklist, visitor non-disclosure acknowledgment, and a mandatory sign-out procedure.
Practical technical measures for visitor control
Use a combination of low-cost and built-in tech: a digital sign-in tablet (or a paper log if necessary) that captures name, company, host, time in/out, and badge number; a simple badge printer (e.g., $200–$500 consumer models) to produce visually distinct visitor badges with expiration times; and a guest Wi-Fi network on a separate VLAN with client isolation and no access to internal file shares. For scheduled visitors who need system access, create time-limited accounts in Active Directory or your identity provider and set an automatic expiration (New-ADUser or Set-ADUser with -AccountExpirationDate, or an Azure AD guest account with an expiry). Keep sign-in logs in an exportable form and retain them for the period the contract requires; 12 months is a reasonable default for small businesses unless the contract specifies otherwise.
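The time-limited visitor account described above, as an added example that is not part of the original guide: one function creates the account with an AD expiration date and records the escort/host in the description, and a second function disables any visitor account whose expiry has passed and writes an evidence line. It assumes the RSAT ActiveDirectory module, a hypothetical "Visitors" OU in example.com, and a hypothetical log path under C:\Compliance.

```powershell
# Added example (not from the guide). Assumes RSAT ActiveDirectory module and
# rights to create/disable accounts; OU and log path below are hypothetical.
Import-Module ActiveDirectory

function New-VisitorAccount {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$HostEmployee,   # escort/host, kept in Description
        [int]$ValidHours = 8,                           # default: one business day
        [string]$OU = 'OU=Visitors,DC=example,DC=com'   # hypothetical OU
    )
    $expires = (Get-Date).AddHours($ValidHours)
    # Random one-time password from printable ASCII; hand it over at reception,
    # not by email. The visitor must change it at first logon.
    $chars = (33..126) | ForEach-Object { [char]$_ }
    $plain = -join (1..16 | ForEach-Object { $chars | Get-Random })
    $password = ConvertTo-SecureString $plain -AsPlainText -Force

    New-ADUser -Name $DisplayName -SamAccountName $SamAccountName -Path $OU `
        -AccountPassword $password -Enabled $true -ChangePasswordAtLogon $true `
        -AccountExpirationDate $expires `
        -Description "Visitor; host=$HostEmployee; expires=$($expires.ToString('s'))"
    return $plain   # give to the visitor in person, then discard
}

function Disable-ExpiredVisitorAccounts {
    param(
        [string]$OU = 'OU=Visitors,DC=example,DC=com',          # hypothetical OU
        [string]$LogPath = 'C:\Compliance\visitor-accounts.log'  # hypothetical evidence log
    )
    $now = Get-Date
    # AD already refuses logon after AccountExpirationDate; disabling as well
    # gives auditors an explicit, logged revocation event.
    Get-ADUser -SearchBase $OU -Filter 'Enabled -eq $true' -Properties AccountExpirationDate |
        Where-Object { $_.AccountExpirationDate -and $_.AccountExpirationDate -lt $now } |
        ForEach-Object {
            Disable-ADAccount -Identity $_
            "$($now.ToString('s')) disabled $($_.SamAccountName) (expired $($_.AccountExpirationDate.ToString('s')))" |
                Add-Content -Path $LogPath
        }
}

# Usage: issue an 8-hour account at check-in, and run the cleanup from a daily scheduled task.
New-VisitorAccount -SamAccountName 'v.inspector' -DisplayName 'Visitor Inspector' -HostEmployee 'jdoe'
Disable-ExpiredVisitorAccounts
```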
Access device controls: inventory, issuance, and revocation
Maintain an asset inventory (simple spreadsheet or free asset-tracking tool) with asset tags, assigned user, serial number, and current status. For access devices such as badges, tokens, and spare laptops, implement check-in/check-out procedures and require a signed acceptable-use form. For lost or stolen devices, document the incident, immediately revoke credentials (physical access control system (PACS) console, AD account, VPN cert), and if a badge is reported lost, set that badge ID to "blocked" in your PACS. For small shops with no PACS, consider remote-disable features in cloud badge systems or plan rapid manual lock changes for highly sensitive areas.
Use a Mobile Device Management (MDM) or endpoint management solution (Microsoft Intune, Jamf for macOS, or a cost-conscious alternative) to enforce encryption (BitLocker/FileVault), require PINs/passwords, push screen-lock policies, and remotely wipe or lock devices. If a full MDM is out of budget, enforce local controls via Group Policy (Windows) and scripts: for example, disable USB mass storage by setting the UsbStor driver Start value to 4 (PowerShell: Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\UsbStor' -Name 'Start' -Value 4) and configure a screen-lock timeout via GPO: Computer Configuration > Policies > Administrative Templates > Control Panel > Personalization (enable screen saver and password protect the screen saver).
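The no-MDM fallback above, as an added example that is not part of the original guide: it applies the UsbStor block and writes the per-user policy registry values that the screen-saver GPO settings set, then runs a check that returns a compliance record you can keep as evidence. It assumes Windows 10/11, an elevated session, a 900-second timeout as your own policy value, and a hypothetical evidence path under C:\Compliance.

```powershell
# Added example (not from the guide). Assumes an elevated PowerShell session on
# Windows 10/11; the C:\Compliance path and 900-second timeout are assumptions.
$UsbStorKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\UsbStor'
$ScreenPolicy = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'

function Set-LocalDeviceControls {
    param([int]$LockTimeoutSeconds = 900)
    # Start=4 ("disabled"): the USB mass-storage driver no longer loads, so
    # thumb drives cannot be mounted. Keyboards and mice are unaffected.
    Set-ItemProperty -Path $UsbStorKey -Name 'Start' -Value 4 -Type DWord

    # These values mirror the GPO settings "Enable screen saver", "Password
    # protect the screen saver", "Screen saver timeout" and "Force specific
    # screen saver" (scrnsave.scr is the built-in blank saver in System32).
    if (-not (Test-Path $ScreenPolicy)) { New-Item -Path $ScreenPolicy -Force | Out-Null }
    Set-ItemProperty -Path $ScreenPolicy -Name 'ScreenSaveActive'    -Value '1' -Type String
    Set-ItemProperty -Path $ScreenPolicy -Name 'ScreenSaverIsSecure' -Value '1' -Type String
    Set-ItemProperty -Path $ScreenPolicy -Name 'ScreenSaveTimeOut'   -Value "$LockTimeoutSeconds" -Type String
    Set-ItemProperty -Path $ScreenPolicy -Name 'SCRNSAVE.EXE'        -Value 'scrnsave.scr' -Type String
}

function Test-LocalDeviceControls {
    param([int]$MaxTimeoutSeconds = 900)
    $usb    = Get-ItemProperty -Path $UsbStorKey   -ErrorAction SilentlyContinue
    $screen = Get-ItemProperty -Path $ScreenPolicy -ErrorAction SilentlyContinue
    $timeout = [int]$screen.ScreenSaveTimeOut   # null becomes 0, which fails the check
    $result = [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        User              = $env:USERNAME
        Checked           = (Get-Date).ToString('s')
        UsbStorageBlocked = ($usb.Start -eq 4)
        ScreenLockEnabled = ($screen.ScreenSaveActive -eq '1' -and $screen.ScreenSaverIsSecure -eq '1')
        TimeoutOk         = ($timeout -gt 0 -and $timeout -le $MaxTimeoutSeconds)
    }
    $result | Add-Member -NotePropertyName Compliant -PassThru `
        -NotePropertyValue ($result.UsbStorageBlocked -and $result.ScreenLockEnabled -and $result.TimeoutOk)
}

# Apply, then append the check result to an evidence CSV for the compliance binder.
Set-LocalDeviceControls
Test-LocalDeviceControls | Export-Csv -Path 'C:\Compliance\device-controls.csv' -Append -NoTypeInformation
```

The HKCU policy values apply only to the user running the script; for every account on a shared machine use the GPO path above or run the screen-lock part in each user's session.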
Real-world examples and scenarios
Scenario 1 — Visiting DoD inspector: A DoD representative is scheduled to visit to review deliverables that include FCI. Your pre-registration process collects ID details; reception prints a visitor badge (clearly labeled) and escorts the visitor to the conference room on a separate corridor away from the workspace; the host disables file sharing on their laptop and uses an isolated conference system (guest laptop on a guest VLAN). After the meeting the visitor signs out; the host confirms no devices were left unattended and updates the sign-in log. This low-cost workflow addresses PE.L1-B.1.IX by limiting unsupervised exposure to sensitive systems.
Scenario 2 — Lost/stolen laptop: An employee leaves an unencrypted laptop in a rental car and reports it missing. Because your asset inventory tied the device to the employee and you use Intune/MDM with BitLocker enforced, you can: 1) set the device to 'lost' and remotely wipe it; 2) revoke the employee's VPN and domain credentials and rotate any service accounts that had credentials cached on that device; and 3) update incident logs for the contract officer. If the device were not controlled, the business risks data exfiltration, contractual breach, and loss of future work.
Risks of non-implementation and compliance best practices
Failing to implement visitor escorting and access-device controls increases risk of unauthorized access, data leakage, industrial espionage, and contractual penalties — and could directly violate FAR 52.204-21 obligations. Best practices: practice "least necessary" access for visitors and temporary accounts; automate expirations for visitor accounts; log all badge/asset events and keep them retrievable for audit; provide short annual refresher training for staff on escort rules and device handling; test incident response for lost/stolen devices and visitor-related breaches; and keep a changelog (who revoked which badge, when). Retain logs per contract or at least 12 months as a baseline and ensure your procedures map directly to the Compliance Framework requirements so evidence is audit-ready.
In summary, small businesses can achieve PE.L1-B.1.IX with modest investment by combining documented visitor escort policies, visible temporary credentials, segregated guest networks, asset tagging and inventory, and endpoint/device controls (MDM, Group Policy, remote wipe). Start with a written policy, a simple reception workflow, and a small set of technical controls you can enforce consistently — those steps will materially reduce risk and produce the evidence you need for FAR and CMMC Level 1 compliance.