CMMC Practice PE.1.133

Maintain audit logs of physical access.


CMMC Version 1.02, pg. 191

Bold Coast Security Guidance

There are several strategies available for recording access to your facility: a physical log, a log generated by key cards as employees enter, or a biometric device utilized for controlling access; anything which creates an audit trail. A key lock or mechanical "punch" lock will not suffice. The organization must also consider internal areas, such as your data center. Limiting access to this room is also essential, as is recording entry. You may need to add a seperate physical access log inside your data centers to record entry by guests or vendors who were escorted into the area using an employee badge or access codes. This allows the organization to have a forensic trail of who accessed sensitive areas. A simple sign-in sheet on a clipboard will suffice.

Discussion From Source

DRAFT NIST SP 800-171 R2 Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural (e.g., a written log of individuals accessing the facility), automated (e.g., capturing ID provided by a PIV card), or some combination thereof. Physical access points can include facility access points, interior access points to systems or system components requiring supplemental access controls, or both. System components (e.g., workstations, notebook computers) may be in areas designated as publicly accessible with organizations safeguarding access to such devices.