PE.L2-3.10.4: Physical Access Logs

Maintain audit logs of physical access to secure areas where CUI systems are located.

You need to know who accessed the server room and when. Physical access logs are the record. They create accountability. If something happens to CUI systems or data, you have a list of who was in that space. Logs can be electronic (badge system) or manual (sign-in sheet). This practice extends PE.L2-3.10.1 (limiting access) by creating a verifiable record and complements PE.L2-3.10.2 (monitoring facility).

Family: Physical Protection
Practice: PE.L2-3.10.4
Difficulty: Hard
Key evidence: Access logs, badge system records, sign-in sheets

What the assessor is actually evaluating

The assessor is checking: (1) How do you log physical access to secure areas? (2) Are logs being maintained? (3) Can you show sample logs from the past month? For many organizations, this is a badge system that records entries and exits. For small offices or those without sophisticated systems, a manual sign-in log is acceptable.

The key: logs must include who accessed the area and when. Name, timestamp, and area are the minimum.

What a realistic SSP definition looks like

PE.L2-3.10.4 Physical Access Logs

[Company] maintains audit logs of all physical access to secure areas containing CUI systems. Secure areas include: [server room, CUI offices, network closets, etc.].

Access is logged via:

  • Badge system: Electronic logs record badge swipes with timestamp
  • Manual log: [If applicable] Sign-in sheet in [location] with name, date, time, area, purpose

Logs are retained for [12 months]. Logs are reviewed [quarterly/monthly] to identify unauthorized or unusual access patterns. Access logs are protected from tampering (badge system access is restricted; manual logs are secured).

Unusual access (after-hours, unauthorized person, repeated failures) is investigated.

How to present your evidence

Gather these items:
  • Badge system software screenshots or reports showing access logs
  • Sample manual sign-in logs from the past month or quarter
  • Documentation of how long logs are retained
  • Evidence of log reviews (notes on unusual access, if any)
  • If using cameras, security camera system overview or retention schedule
  • List of secure areas and what they contain

Assessment room tips

Keep answers short. Show the evidence, don't describe it. Let the assessor drive. For more on how to present in the assessment room, see How to Present Evidence in the Assessment Room.

Q: "How do you log physical access to the server room?" A: "We use a badge access system. It logs every entry and exit with a timestamp. We also have a manual sign-in sheet." [Pull up badge system reports]

Q: "Can you show me logs from the past month?" A: "Sure. Here are the badge logs from [month]. [Employee names] accessed the room on [dates]. Here's the manual log as well." [Show sample logs]

Q: "Who has access to the server room?" A: "[List of people]. Their badges are programmed to open the door."

Q: "How long do you keep the logs?" A: "[Period]. We review them [frequency] to check for unusual access."

Q: "What happens if someone tries to access after hours?" A: "The badge system logs it. We review after-hours access and investigate if it's unauthorized."

Common failures

No access logs. Server room door is unlocked or keys are shared. You don't track who goes in. Implement either a badge system or a manual sign-in log.

Logs not retained. You have a badge system, but logs aren't kept long. Or manual logs are discarded after a few days. Retain logs for at least 12 months.

Logs not reviewed. You have logs, but no one checks them. You can't identify unusual access. Review logs monthly or quarterly. Flag and investigate anything suspicious.

You're good here. You have a badge system logging all entries to the server room. Logs show name, time, and area. You review them quarterly and logs are kept for 12 months. Assessors can see recent examples and confirm the system is working.

Choosing an access logging method

Badge System (Electronic): Best for larger offices or those concerned about precise tracking. Requires a card reader and system (often integrated into door locks). Records entry/exit automatically. Cost is moderate to high, but automation is worth it.

Manual Sign-In Log: Simpler, works for small offices. A notebook or sheet in the secure area. Visitors and staff sign in/out with name, date, time, area, and purpose. Low cost, but depends on people remembering to sign in.

Hybrid: Badge system for main entry, manual log for high-risk areas like the server room.

For most CMMC assessments, either is acceptable. The key is that access is logged and logs are kept.

What to do with your logs

Once you have logs, review them. Look for:

  • Unusual times (2 AM access when no one should be there)
  • Unauthorized personnel
  • Failed access attempts
  • Extended or frequent access

Keep a simple review log: “Reviewed [month] access logs, found nothing unusual” or “Investigated [person] access on [date].”

If you use a badge system

Most badge systems have software that exports access logs. Export them monthly and keep copies. If the system is cloud-based, confirm logs are backed up and retained. Configure the system to alert on unusual access (after-hours, failed attempts, etc.). Review those alerts.
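The review checks listed under "What to do with your logs" (after-hours entries, unauthorized personnel, repeated failed swipes, frequent access) can be run over a monthly badge export. Below is an added example, not code from this guide or from any badge vendor; it assumes a constructed CSV layout (timestamp, badge_holder, door, result), an authorized list you maintain, and 07:00-19:00 business hours, all of which you would adapt to your own system's export.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample export. Real badge systems use their own column names;
# map them to these four fields before running the review (assumption).
SAMPLE_EXPORT = """timestamp,badge_holder,door,result
2026-02-03 08:55:12,A. Rivera,Server Room,granted
2026-02-03 02:14:40,A. Rivera,Server Room,granted
2026-02-04 09:10:05,J. Chen,Server Room,denied
2026-02-04 09:10:21,J. Chen,Server Room,denied
2026-02-04 09:10:37,J. Chen,Server Room,denied
2026-02-05 13:02:00,M. Okafor,Server Room,granted
2026-02-06 10:00:00,A. Rivera,Server Room,granted
2026-02-07 10:30:00,A. Rivera,Server Room,granted
"""

AUTHORIZED = {"A. Rivera", "J. Chen"}  # constructed list of people approved for the room
BUSINESS_HOURS = (7, 19)   # local 07:00-19:00; anything outside counts as after-hours
FAILED_THRESHOLD = 3       # denied swipes per person before it is flagged
FREQUENT_THRESHOLD = 3     # granted entries per person in the export window


def review_badge_log(export_text, authorized, hours=BUSINESS_HOURS):
    """Return (category, detail) findings a reviewer should investigate and note."""
    findings, failed, granted = [], Counter(), Counter()
    for row in csv.DictReader(io.StringIO(export_text)):
        ts = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S")
        who, door = row["badge_holder"], row["door"]
        if row["result"] != "granted":
            failed[who] += 1          # denied swipes are counted, not flagged one by one
            continue
        granted[who] += 1
        if who not in authorized:     # entry by someone not on the approved list
            findings.append(("unauthorized", f"{who} entered {door} at {ts}"))
        if not hours[0] <= ts.hour < hours[1]:   # e.g. a 2 AM entry
            findings.append(("after_hours", f"{who} entered {door} at {ts}"))
    for who, n in failed.items():
        if n >= FAILED_THRESHOLD:
            findings.append(("failed_attempts", f"{who}: {n} denied swipes"))
    for who, n in granted.items():
        if n >= FREQUENT_THRESHOLD:
            findings.append(("frequent_access", f"{who}: {n} entries in period"))
    return findings


if __name__ == "__main__":
    for category, detail in review_badge_log(SAMPLE_EXPORT, AUTHORIZED):
        print(f"[{category}] {detail}")
```

Each finding maps to one line in your review log ("Investigated [person] access on [date]"); an empty result is your "found nothing unusual" entry for the month.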

If you use an MSP/MSSP

Physical access logging is your responsibility. Your MSP has no role unless they manage your badge system or physical security infrastructure. Even then, you own the physical access control policy and the logs. If an MSP manages your badge system, they’re executing on your behalf. You remain accountable for defining what gets logged, retaining logs, and reviewing them.

If an MSP manages your badge system, establish a contract requirement that they export access logs to you monthly, retain logs for the period you specify, and provide you copies on request. You review the logs yourself. If the MSP provides access log analysis, that’s advisory only. You make the final decisions on access control based on your own review.

Retain direct access to physical access logs

If your MSP manages a badge system, require contractual language stating you receive monthly exports of access logs and have direct access to the system to run reports yourself. Don't rely solely on the MSP to manage or review the logs. You need visibility into who accessed your secure areas and when, independent of your MSP's review.
This guide reflects CMMC Level 2 requirements as of March 2026. CMMC and NIST standards evolve. Verify current requirements with official CMMC materials and your assessor.