PE.L2-3.10.3: Escort Visitors

Escort visitors in secure areas and monitor their activity to prevent unauthorized access to CUI systems or facilities.

A vendor comes to fix the printer. A contractor visits to upgrade equipment. Without escorting, they could walk into the server room or copy files. Escorting is simple: someone authorized is with them. You know where they are. You see what they do.

Family: Physical Protection
Practice: PE.L2-3.10.3
Difficulty: Medium
Key evidence: Visitor policy, sign-in logs, escort documentation

What the assessor is actually evaluating

The assessor is checking: (1) Do you have a visitor policy that requires escorts in secure areas? (2) Do you follow it? (3) Can you show recent examples of visitors being escorted? For small offices, this is straightforward. For larger ones, you might need a visitor badge system or sign-in log. What matters is that visitors don’t have unsupervised access to areas with CUI.

Focus on secure areas: server rooms, network closets, offices with CUI data, any space where CUI systems are located. This practice complements PE.L2-3.10.1 (limiting physical access) and PE.L2-3.10.2 (monitoring the facility) to create layered physical protection.

What a realistic SSP definition looks like

PE.L2-3.10.3 Escort Visitors

All visitors to [Company] premises are required to sign in at the front desk or designated entry point. Visitors accessing secure areas (server room, CUI offices, etc.) are escorted by an authorized employee at all times.

The escort is responsible for:

  • Ensuring the visitor doesn’t access unauthorized areas
  • Monitoring the visitor’s activities
  • Ensuring the visitor doesn’t remove media or documents

Visitors are not permitted in secure areas without a signed access request and named escort. Visitor sign-in logs are maintained and reviewed. Escorts confirm in writing or via log that the visit was completed and the visitor departed.

How to present your evidence

Gather these items:
  • Visitor policy or procedure document
  • Recent visitor sign-in logs (past 6 months)
  • Examples of visitors escorted to secure areas with documented escorts
  • Visitor badge templates if used
  • Communication to staff about visitor escort procedures

Common failures

What gets flagged

No visitor policy. Visitors arrive and go wherever they want. No sign-in, no escort, no control. Create a simple policy: sign-in required, escorts in secure areas.

No documentation. You try to escort, but there's no sign-in log or record. Assessors can't verify it happened. Keep a visitor log (can be a spreadsheet or notebook).

Inconsistent enforcement. Some visitors are escorted, others aren't. Regular contractors don't get escorted. Apply the rule consistently. Anyone in a secure area needs an escort.

What makes assessors move on satisfied

You're good here. You have a visitor policy. Visitors sign in. They're escorted in secure areas. You have a log showing recent visitors and their escorts. Assessors confirm the policy is followed and move on.

If you use an MSP/MSSP

Physical security is almost entirely your responsibility. Your MSP has no role here unless they manage your physical facilities or have staff on-site. Even then, visitor escorting and facility access control stay with you. Your MSP might manage your network or IT systems, but your building access, visitor processes, and secure area control are all you.

If you use an MSP that provides on-site services or manages your facilities, they should follow your visitor escort policies. Require them to sign in as visitors and follow your access control procedures. Their staff should be escorted by your personnel when in areas with CUI systems.

Apply visitor policies to MSP staff

If MSP staff visit your facilities or work on-site, they must follow the same visitor escort and access control procedures as external visitors. Document when MSP personnel are in your facility and who escorted them. This maintains consistent control and shows the assessor that your policy applies universally.

Assessment room tips

Keep answers short. Show the evidence, don't describe it. Let the assessor drive. For more on how to present in the assessment room, see How to Present Evidence in the Assessment Room.

Q&A: What the assessor asks

Q: "What's your process for visitors?" A: "Visitors sign in at the front desk. If they need to go to a secure area, an employee escorts them. We log the visitor, the date, and the escort." [Pull up sign-in log]

Q: “Can you show me a recent example?” A: “[Date], a vendor came to work on the servers. [Employee name] escorted them. Here’s the sign-in log.”

Q: “What if a visitor wants to roam unsupervised?” A: “They can’t. If they’re in a secure area, someone is with them.”

Q: “How long do you keep visitor logs?” A: “[Period]. They’re stored [location].”


This guide reflects CMMC Level 2 requirements as of March 2026. CMMC and NIST standards evolve. Verify current requirements with official CMMC materials and your assessor.
