CMMC Practice PE.L1-3.10.4

Maintain audit logs of physical access.

Bold Coast Security Guidance

There are several strategies available for recording access to your facility: a physical log, a log generated by key cards as employees enter, or a biometric device utilized for controlling access; anything which creates an audit trail. A key lock or mechanical "punch" lock will not suffice. The organization must also consider internal areas, such as your data center. Limiting access to this room is also essential, as is recording entry. You may need to add a seperate physical access log inside your data centers to record entry by guests or vendors who were escorted into the area using an employee badge or access codes. This allows the organization to have a forensic trail of who accessed sensitive areas. A simple sign-in sheet on a clipboard will suffice.
Security Catapult

Be prepared for CMMC

Our Q&A assessment tool is designed by security advisors for MSPs and DoD contractors of all sizes.

Try now for free

Understand your gaps
Security Catapult

Understand your gaps

See compliance gaps, compliance scores and proactive security tasks in a single interface.

Try now for free

Validate NIST SP 800-171
Security Catapult

Validate NIST SP 800-171

Based on your CMMC answers, we let you know where you stand on NIST.

Try now for free

Build a plan of action
Security Catapult

Build a plan of action

Track your burn down and stay on top of security needs.

Try now for free

Build your policy
Security Catapult

Build your policy

Say goodbye to maintaining a security policy. We do it for you.

Try now for free

Discussion From Source

DRAFT NIST SP 800-171 R2 Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural (e.g., a written log of individuals accessing the facility), automated (e.g., capturing ID provided by a PIV card), or some combination thereof. Physical access points can include facility access points, interior access points to systems or system components requiring supplemental access controls, or both. System components (e.g., workstations, notebook computers) may be in areas designated as publicly accessible with organizations safeguarding access to such devices.

References