PE.L2-3.10.3: Escort Visitors

Escort visitors in secure areas and monitor their activity to prevent unauthorized access to CUI systems or facilities.

A vendor comes to fix the printer. A contractor visits to upgrade equipment. Without escorting, they could walk into the server room or copy files. Escorting is simple: someone authorized is with them. You know where they are. You see what they do.

Family: Physical Protection
Practice: PE.L2-3.10.3
Difficulty: Medium
Key evidence: Visitor policy, sign-in logs, escort documentation

What the assessor is actually evaluating

The assessor is checking: (1) Do you have a visitor policy that requires escorts in secure areas? (2) Do you follow it? (3) Can you show recent examples of visitors being escorted? For small offices, this is straightforward. For larger ones, you might need a visitor badge system or sign-in log. What matters is that visitors don’t have unsupervised access to areas with CUI.

Focus on secure areas: server rooms, network closets, offices with CUI data, any space where CUI systems are located. This practice complements PE.L2-3.10.1 (limiting physical access) and PE.L2-3.10.2 (monitoring the facility) to create layered physical protection.

What a realistic SSP definition looks like

PE.L2-3.10.3 Escort Visitors

All visitors to [Company] premises are required to sign in at the front desk or designated entry point. Visitors accessing secure areas (server room, CUI offices, etc.) are escorted by an authorized employee at all times.

The escort is responsible for:

  • Ensuring the visitor doesn’t access unauthorized areas
  • Monitoring the visitor’s activities
  • Ensuring the visitor doesn’t remove media or documents

Visitors are not permitted in secure areas without a signed access request and named escort. Visitor sign-in logs are maintained and reviewed. Escorts confirm in writing or via log that the visit was completed and the visitor departed.

How to present your evidence

Gather these items:
  • Visitor policy or procedure document
  • Recent visitor sign-in logs (past 6 months)
  • Examples of visitors escorted to secure areas with documented escorts
  • Visitor badge templates if used
  • Communication to staff about visitor escort procedures

Assessment room tips

Keep answers short. Show the evidence, don't describe it. Let the assessor drive. For more on how to present in the assessment room, see How to Present Evidence in the Assessment Room.

Q: "What's your process for visitors?" A: "Visitors sign in at the front desk. If they need to go to a secure area, an employee escorts them. We log the visitor, the date, and the escort." [Pull up sign-in log]

Q: “Can you show me a recent example?” A: “[Date], a vendor came to work on the servers. [Employee name] escorted them. Here’s the sign-in log.”

Q: “What if a visitor wants to roam unsupervised?” A: “They can’t. If they’re in a secure area, someone is with them.”

Q: “How long do you keep visitor logs?” A: “[Period]. They’re stored [location].”

Common failures

  • No visitor policy. Visitors arrive and go wherever they want. No sign-in, no escort, no control. Create a simple policy: sign-in required, escorts in secure areas.
  • No documentation. You try to escort, but there's no sign-in log or record. Assessors can't verify it happened. Keep a visitor log (can be a spreadsheet or notebook).
  • Inconsistent enforcement. Some visitors are escorted, others aren't. Regular contractors don't get escorted. Apply the rule consistently. Anyone in a secure area needs an escort.

You're good here. You have a visitor policy. Visitors sign in. They're escorted in secure areas. You have a log showing recent visitors and their escorts. Assessors confirm the policy is followed and move on.

Practical visitor process

  1. Visitor arrives at front desk.
  2. Receptionist or designated person asks the purpose and duration.
  3. If they’re going to a secure area (server room, offices with CUI), a log entry is made: name, company, date, time, area, escort.
  4. Authorized employee meets the visitor and escorts them.
  5. After the visit, the escort signs off or confirms in the log: time departed, any issues.

For regular contractors, the process is the same but might be faster if they’re already known.

For a small office, a spiral notebook is fine. For larger offices, a spreadsheet or simple visitor management system works.

If you have home-based or small office workers

If CUI is handled at home or in a small office, you don't need a formal visitor process. But if someone visits and needs access to an area with CUI systems (home office, meeting room), you should still document and control it. Keep a simple log if visitors are rare.

If you use an MSP/MSSP

Physical security is almost entirely your responsibility. Your MSP has no role here unless they manage your physical facilities or have staff on-site. Even then, visitor escorting and facility access control stay with you. Your MSP might manage your network or IT systems, but your building access, visitor processes, and secure area control are all you.

If you use an MSP that provides on-site services or manages your facilities, they should follow your visitor escort policies. Require them to sign in as visitors and follow your access control procedures. Their staff should be escorted by your personnel when in areas with CUI systems.

Apply visitor policies to MSP staff

If MSP staff visit your facilities or work on-site, they must follow the same visitor escort and access control procedures as external visitors. Document when MSP personnel are in your facility and who escorted them. This maintains consistent control and shows the assessor that your policy applies universally.


This guide reflects CMMC Level 2 requirements as of March 2026. CMMC and NIST standards evolve. Verify current requirements with official CMMC materials and your assessor.