CMMC Practice PE.1.132
Escort visitors and monitor visitor activity.
Bold Coast Security Guidance
Embedded in this control is the need to control the facility perimeter to limit access. Many facilities employ an unlocked front door that allows entry into a vestibule, with all doors beyond it locked. Otherwise, you must lock the external door and require guests to call in or ring an entry bell.
Guests must then sign an entry log noting their name, company, date and time of entry, and who they are here to see. Guests should also log their exit times.
Provide guests with a temporary badge that clearly identifies them as visitors/guests and that should be worn at all times. Badges could be simple stickers or pre-made badges. If you have a large number of visitors each day, the organization should consider putting expiration dates on the badges. Some temporary badges will even change color after a day.
Finally, the guest must be escorted at all times.
You can measure the effectiveness of this control by reviewing the visitor logs for completeness. The organization may also conduct regular physical entry penetration tests. Third-party contractors trained in social engineering techniques can be hired to attempt physical entry to the facility.
DRAFT NIST SP 800-171 R2
Individuals with permanent physical access authorization credentials are not considered visitors. Audit logs can be used to monitor visitor activity.