
Step-by-Step Implementation Checklist: Escort Visitors, Monitor Activity, and Manage Access Devices for FAR 52.204-21 / CMMC 2.0 Level 1 - Control - PE.L1-B.1.IX

A practical, step-by-step implementation checklist to help small businesses meet FAR 52.204-21 and CMMC 2.0 Level 1 requirements for escorting visitors, monitoring activity, and managing access devices.

April 17, 2026 · 5 min read


This post provides a concrete, step-by-step implementation checklist to help small businesses meet the expectations of FAR 52.204-21 and CMMC 2.0 Level 1 (Control PE.L1-B.1.IX) for escorting visitors, monitoring activity, and managing access devices, covering policies, technical controls, evidence artifacts, and practical examples you can use today.

Checklist overview and objectives

Your objective under FAR 52.204-21 / CMMC Level 1 is straightforward: prevent unauthorized physical and logical access to Controlled Unclassified Information (CUI) and associated systems by (1) escorting visitors in sensitive areas, (2) monitoring activity that interacts with CUI or systems containing CUI, and (3) managing access devices (badges, tokens, mobile devices, removable media). The checklist below maps policy, operational, and technical implementation steps to evidence artifacts auditors expect: documented procedures, logs, inventories, and periodic reviews.

Step 1 — Policy, roles, and documented procedures (start here)

Create a short, specific policy titled "Visitor, Monitoring, and Access Device Management" that defines scope (areas and systems with CUI), responsibilities (facility manager, ISSO, receptionist), and enforcement. Required elements: escort requirement for unbadged visitors, visitor sign-in procedure, temporary badge issuance and expiration (example: temporary badges auto-expire after 8 hours), CCTV and log retention period (recommended baseline: 90 days), and device inventory/MDM enrollment requirements. Evidence: signed policy, training records, and a documented owners list (names and contact info for the person who approves escorts and who manages device inventory).

Step 2 — Implement visitor control and escorting

Operationalize escorting with simple, low-cost controls: central reception, physical barriers (locked doors to CUI areas), temporary visitor badges with distinct coloring, and a visitor log (electronic or paper) capturing name, organization, date/time in/out, escort name, and areas visited. For small businesses: use a tablet-based sign-in app or a cloud form (encrypted at rest) that timestamps entries and exports CSV for audit. Make escorts accountable — require escorts to remain within arm’s-length where appropriate and to sign that they logged the visitor out. Evidence: visitor log exports, badge issuance records, screenshots/configuration of sign-in app, and photographic examples of badge design that differentiates visitors from staff.
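As an added example (not part of the original post), a small Python check that runs over the kind of CSV export described above and flags the entries an evidence owner should chase: visitors never signed out, visits with no escort recorded, and stays longer than the 8-hour temporary-badge lifetime from Step 1. The column names and the log rows are constructed assumptions.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export from a tablet sign-in app (not real data).
# Columns follow the fields the checklist says the visitor log must capture.
VISITOR_CSV = """name,organization,time_in,time_out,escort,areas_visited
Alice Vendor,Acme HVAC,2026-04-13T08:05,2026-04-13T10:40,J. Ortiz,Lobby;Server Room
Bob Auditor,DCMA,2026-04-13T09:00,,M. Chen,Lobby;CUI Room
Cara Courier,FastShip,2026-04-13T13:15,2026-04-13T22:30,,Lobby
"""

# Policy value from Step 1: temporary badges auto-expire after 8 hours.
BADGE_LIFETIME = timedelta(hours=8)


def parse_ts(value):
    """Empty cells (no sign-out yet) become None instead of raising."""
    return datetime.fromisoformat(value) if value else None


def review_visitor_log(csv_text, badge_lifetime=BADGE_LIFETIME):
    """Return (visitor, finding) pairs that need follow-up before the weekly evidence export."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["name"]
        time_in, time_out = parse_ts(row["time_in"]), parse_ts(row["time_out"])
        if not row["escort"].strip():
            findings.append((name, "no escort recorded"))
        if time_out is None:
            findings.append((name, "never signed out"))
        elif time_out - time_in > badge_lifetime:
            findings.append((name, "on site longer than badge lifetime"))
    return findings
```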

Step 3 — Monitor activity and collect evidence

Monitoring combines physical and logical monitoring. Physically, deploy cameras in entryways and CUI-handling spaces (avoid cameras in bathrooms or changing areas). Configure camera retention (e.g., 90 days) and secure the cameras and their recordings (WPA2/WPA3 for wireless IP cameras, unique admin passwords, scheduled firmware updates). Logically, collect access logs from card readers, VPN/remote access, and endpoints. For Windows endpoints, enable Windows Event Forwarding or collect relevant logs to a centralized syslog/SIEM-lite (e.g., OSSIM, Graylog, or a cloud log archive). Retain logs per policy and generate weekly summaries showing successful vs. failed access attempts. Evidence: camera retention settings, exported access logs, and periodic monitoring reports showing review actions.
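An added example, not from the original post, of the weekly review described above: it parses constructed card-reader log lines (the line format is an assumption, not any vendor's), counts successful vs. failed attempts per ISO week and door, and surfaces badges with repeated denials plus any off-hours events for the reviewer.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed card-reader log lines (not from any real controller); one event per line.
READER_LOG = """\
2026-04-13T08:02:11 reader=door-cui-1 badge=1042 result=GRANTED
2026-04-13T08:03:40 reader=door-cui-1 badge=2077 result=DENIED
2026-04-13T08:03:52 reader=door-cui-1 badge=2077 result=DENIED
2026-04-13T08:04:05 reader=door-cui-1 badge=2077 result=DENIED
2026-04-14T17:45:00 reader=door-main badge=1042 result=GRANTED
2026-04-15T02:10:33 reader=door-cui-1 badge=1042 result=DENIED
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) reader=(?P<reader>\S+) badge=(?P<badge>\d+) result=(?P<result>GRANTED|DENIED)$"
)
DENIED_THRESHOLD = 3  # assumed review trigger: same badge denied this often in one day


def parse_reader_log(text):
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # skip malformed lines rather than aborting the weekly report
            events.append({**m.groupdict(), "ts": datetime.fromisoformat(m["ts"])})
    return events


def weekly_summary(events):
    """{(year, iso_week, reader): {"GRANTED": n, "DENIED": n}} for the weekly report."""
    summary = defaultdict(Counter)
    for e in events:
        year, week, _ = e["ts"].isocalendar()
        summary[(year, week, e["reader"])][e["result"]] += 1
    return {k: dict(v) for k, v in summary.items()}


def denied_badges_to_review(events, threshold=DENIED_THRESHOLD):
    """Badges denied at least `threshold` times on a single day (lost badge, tailgating attempt, misconfig)."""
    per_day = Counter((e["badge"], e["ts"].date()) for e in events if e["result"] == "DENIED")
    return sorted({badge for (badge, _day), n in per_day.items() if n >= threshold})


def off_hours_events(events, start_hour=6, end_hour=20):
    """Any reader event outside assumed business hours is worth a look in the weekly review."""
    return [e for e in events if not start_hour <= e["ts"].hour < end_hour]
```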

Step 4 — Manage access devices (badges, tokens, mobile, and removable media)

Maintain an up-to-date inventory of physical access devices and mobile endpoints. For badge readers: assign unique IDs tied to employee records and configure automatic deactivation on termination or after a set inactivity period (recommend 24–72 hours to disable after HR triggers). For mobile devices and laptops: require Full Disk Encryption (BitLocker/FileVault), enforce screen lock, and enroll devices in an MDM solution (e.g., Microsoft Intune, Jamf, or a lightweight MDM for BYOD). For removable media: block or control USB mass storage with endpoint controls or MDM, and require pre-approved encrypted media when data transfer is necessary. Evidence: device inventory spreadsheet, MDM enrollment lists, screenshots of encryption/enforcement policies, and a sample deprovisioning ticket demonstrating badge/token disablement.

Step 5 — Technical implementation details and automation

Small businesses can combine inexpensive tools to meet technical needs: use cloud-managed door controllers that integrate with directory services (Azure AD / LDAP) so access rights align with HR status; enable API-based deprovisioning to revoke badges when HR changes a user’s status. Forward logs via syslog or API to a central store and set up automated retention rules. Configure multi-factor authentication for administrative access to access control and camera systems, and restrict management interfaces to a jump-host on a secured VLAN. Evidence: integration diagrams, API logs showing deprovisioning events, and MFA configuration screenshots.
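An added example (not the page's or any vendor's code) of the deprovisioning logic from Steps 4 and 5: it reconciles a badge inventory against directory account status and last use, then records each revocation through a stand-in door-controller client whose log doubles as the API evidence auditors ask for. The directory data, badge records, client interface and the 30-day inactivity limit are assumptions; a real deployment would call the controller's own API where the stand-in is used.

```python
from datetime import datetime, timedelta

# Constructed sample directory state (user -> account enabled?), standing in for Azure AD / LDAP.
DIRECTORY = {
    "aortiz": {"enabled": True},
    "mchen": {"enabled": False},     # HR disabled this account on departure
    "tvasquez": {"enabled": True},
}
# Constructed badge inventory with last card-reader use; badge 4001 has no directory owner.
BADGES = [
    {"badge_id": "1042", "user": "aortiz", "active": True, "last_used": "2026-04-15T02:10:33"},
    {"badge_id": "2077", "user": "mchen", "active": True, "last_used": "2026-04-10T17:05:00"},
    {"badge_id": "3190", "user": "tvasquez", "active": True, "last_used": "2026-03-01T08:00:00"},
    {"badge_id": "4001", "user": "ghost", "active": True, "last_used": "2026-04-14T08:00:00"},
]
INACTIVITY_LIMIT = timedelta(days=30)   # assumed "set inactivity period" from Step 4
NOW = datetime(2026, 4, 16, 9, 0)        # fixed clock so the run is reproducible


def badges_to_disable(directory, badges, now):
    """Return (badge_id, reason) for every active badge that policy says must be revoked."""
    actions = []
    for b in badges:
        if not b["active"]:
            continue
        account = directory.get(b["user"])
        if account is None:
            actions.append((b["badge_id"], "no matching directory account"))
        elif not account["enabled"]:
            actions.append((b["badge_id"], "directory account disabled"))
        elif now - datetime.fromisoformat(b["last_used"]) > INACTIVITY_LIMIT:
            actions.append((b["badge_id"], "inactive beyond limit"))
    return actions


class FakeDoorController:
    """Hypothetical stand-in for the door-controller API; keeps the revocation log auditors ask for."""
    def __init__(self):
        self.revoked = []

    def revoke(self, badge_id, reason, at):
        self.revoked.append({"badge_id": badge_id, "reason": reason, "at": at.isoformat()})


def run_deprovisioning(directory, badges, controller, now):
    """Revoke every badge flagged by policy and mark it inactive in the inventory (idempotent)."""
    actions = badges_to_disable(directory, badges, now)
    for badge_id, reason in actions:
        controller.revoke(badge_id, reason, now)
        next(b for b in badges if b["badge_id"] == badge_id)["active"] = False
    return actions
```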

Real-world small-business scenario

Example: A 25-person contracting office handling CUI sets policy requiring reception to issue color-coded visitor badges and to log every visitor in a tablet sign-in app (exports daily). The facility installs two IP cameras covering the main entrance and CUI room door (90-day retention, firmware auto-update scheduled monthly). All staff laptops are BitLocker-encrypted and managed by Intune; removable media is blocked by policy, with exceptions using company-approved encrypted drives held by the ISSO. HR triggers automatic badge disablement through an automated workflow that calls the door controller API when an employee’s AD account is disabled. Evidence is collected weekly: visitor CSV export, access logs, MDM enrollment report, and a monthly review signed by the ISSO.

Risks of non-implementation and compliance tips

Failing to escort visitors, monitor activity, and manage access devices increases the risk of CUI exposure, unauthorized copying of sensitive files (via USB), and social engineering attacks (unauthorized tailgating). Consequences include contract penalties, loss of future government work, reputational damage, and mandatory incident reporting. Practical compliance tips: appoint a single evidence owner who collects artifacts monthly; run quarterly escorting and tailgating drills; use time-limited temporary accounts and badges; document every exception with approval and compensating controls; and implement simple automation to ensure access revocation happens reliably when personnel changes occur.

Summary: Implementing PE.L1-B.1.IX for FAR 52.204-21 / CMMC Level 1 is achievable by small businesses through clear policies, low-cost physical controls (badges, reception, cameras), basic logging and retention, and device management via MDM and inventory processes. Start with the written policy and an owner, then deploy visitor controls, centralize logs, and automate deprovisioning—collecting simple evidence artifacts (logs, inventories, screenshots) to demonstrate compliance during audits.
