You need to know who accessed the server room and when. Physical access logs are the record. They create accountability. If something happens to CUI systems or data, you have a list of who was in that space. Logs can be electronic (badge system) or manual (sign-in sheet). This practice extends PE.L2-3.10.1 (limiting access) by creating a verifiable record and complements PE.L2-3.10.2 (monitoring facility).
What the assessor is actually evaluating
The assessor is checking: (1) How do you log physical access to secure areas? (2) Are logs being maintained? (3) Can you show sample logs from the past month? For many organizations, this is a badge system that records entries and exits. For small offices or those without sophisticated systems, a manual sign-in log is acceptable.
The key: logs must include who accessed the area and when. Name, timestamp, and area are the minimum.
What a realistic SSP definition looks like
[Company] maintains audit logs of all physical access to secure areas containing CUI systems. Secure areas include: [server room, CUI offices, network closets, etc.].
Access is logged via:
- Badge system: Electronic logs record badge swipes with timestamp
- Manual log: [If applicable] Sign-in sheet in [location] with name, date, time, area, purpose
Logs are retained for [12 months]. Logs are reviewed [quarterly/monthly] to identify unauthorized or unusual access patterns. Access logs are protected from tampering (badge system access is restricted; manual logs are secured).
Unusual access (after-hours, unauthorized person, repeated failures) is investigated.
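As an added example that is not part of this guide, the review step in the SSP text above can be turned into a small script that runs over a monthly badge-system export and flags the three patterns the policy names (after-hours entry, a person not on the access list, repeated failures). The CSV columns, business hours, denial threshold and the authorized-person list below are assumptions; the export itself is constructed sample data.

```python
import csv
import io
from collections import Counter
from datetime import datetime, time

# Constructed sample badge export (not real data); column names are assumed.
SAMPLE_EXPORT = """timestamp,badge_holder,area,result
2026-03-02 08:55:00,alice,server room,granted
2026-03-02 18:10:00,alice,server room,granted
2026-03-03 22:40:00,bob,server room,granted
2026-03-04 09:05:00,carol,server room,denied
2026-03-04 09:05:30,carol,server room,denied
2026-03-04 09:06:00,carol,server room,denied
2026-03-05 10:00:00,dave,server room,granted
"""

# Assumed access list per secure area (the "who has access" answer).
AUTHORIZED = {"server room": {"alice", "bob", "carol"}}
BUSINESS_HOURS = (time(7, 0), time(19, 0))  # assumed; set to your policy
DENIAL_THRESHOLD = 3                         # assumed; repeated failures


def review_badge_log(export_text, authorized=AUTHORIZED):
    """Return (category, detail) findings from one badge CSV export."""
    findings = []
    denials = Counter()
    for row in csv.DictReader(io.StringIO(export_text)):
        ts = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S")
        who, area, result = row["badge_holder"], row["area"], row["result"]
        # After-hours: any swipe outside the defined business window.
        if not (BUSINESS_HOURS[0] <= ts.time() <= BUSINESS_HOURS[1]):
            findings.append(("after_hours", f"{who} {area} {row['timestamp']}"))
        # Unauthorized person: door opened for someone not on the list.
        if result == "granted" and who not in authorized.get(area, set()):
            findings.append(("unauthorized", f"{who} granted {area} {row['timestamp']}"))
        if result == "denied":
            denials[(who, area)] += 1
    # Repeated failures: the same badge denied at the same door repeatedly.
    for (who, area), n in denials.items():
        if n >= DENIAL_THRESHOLD:
            findings.append(("repeated_failures", f"{who} {area} {n} denials"))
    return findings


if __name__ == "__main__":
    # Keep this output with the review notes as evidence the review happened.
    for category, detail in review_badge_log(SAMPLE_EXPORT):
        print(f"{category}: {detail}")
```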
How to present your evidence
- Badge system software screenshots or reports showing access logs
- Sample manual sign-in logs from the past month or quarter
- Documentation of how long logs are retained
- Evidence of log reviews (notes on unusual access, if any)
- If using cameras, security camera system overview or retention schedule
- List of secure areas and what they contain
Common failures
No access logs. Server room door is unlocked or keys are shared. You don't track who goes in. Implement either a badge system or a manual sign-in log.
Logs not retained. You have a badge system, but logs aren't kept long. Or manual logs are discarded after a few days. Retain logs for at least 12 months.
Logs not reviewed. You have logs, but no one checks them. You can't identify unusual access. Review logs monthly or quarterly. Flag and investigate anything suspicious.
You're good here. You have a badge system logging all entries to the server room. Logs show name, time, and area accessed. You review them quarterly and logs are kept for 12 months. Assessors can see recent examples and confirm the system is working.
If you use an MSP/MSSP
Physical access logging is your responsibility. Your MSP has no role unless they manage your badge system or physical security infrastructure. Even then, you own the physical access control policy and the logs. If an MSP manages your badge system, they’re executing on your behalf. You remain accountable for defining what gets logged, retaining logs, and reviewing them.
If an MSP manages your badge system, put the requirements in the contract: monthly exports of access logs to you, retention for the period you specify, copies on request, and direct access to the system so you can run reports yourself. You review the logs yourself; if the MSP provides access log analysis, that is advisory only. Don't rely solely on the MSP to manage or review the logs. You need visibility into who accessed your secure areas and when, independent of the MSP's review, and you make the final decisions on access control based on your own review.
Keep answers short. Show the evidence, don't describe it. Let the assessor drive. For more on how to present in the assessment room, see How to Present Evidence in the Assessment Room.
Q&A: What the assessor asks
Q: “Can you show me logs from the past month?” A: “Sure. Here are the badge logs from [month]. [Employee names] accessed the room on [dates]. Here’s the manual log as well.” [Show sample logs]
Q: “Who has access to the server room?” A: “[List of people]. Their badges are programmed to open the door.”
Q: “How long do you keep the logs?” A: “[Period]. We review them [frequency] to check for unusual access.”
Q: “What happens if someone tries to access after hours?” A: “The badge system logs it. We review after-hours access and investigate if it’s unauthorized.”
This guide reflects CMMC Level 2 requirements as of March 2026. CMMC and NIST standards evolve. Verify current requirements with official CMMC materials and your assessor.