CMMC Level 2 Practice 3.10.3: Escort visitors and monitor visitor activity
CMMC Level 2 Practice 3.10.3 requires you to control physical visitor access by escorting visitors and monitoring their activity in areas where CUI is processed, stored, or transmitted. To operationalize it fast, define “visitor” and “CUI areas,” implement an escort-and-badge workflow with sign-in/out logs, and retain repeatable evidence that the process runs consistently. 1
Key takeaways:
- Define and scope “visitor” and “CUI areas” so the requirement applies consistently across offices, labs, and shared spaces. 2
- Implement a standard visitor process: identity check, sign-in/out, badge, escort assignment, and monitoring rules for movement and device use. 2
- Keep assessment-ready evidence: visitor logs, escort training/acknowledgments, physical access maps, and periodic reviews that prove the control operates. 3
Physical access controls still fail in predictable ways: a third party walks through a controlled area unescorted, a conference room used for CUI work is treated as “public,” or a sign-in sheet exists but nobody checks it. CMMC Level 2 Practice 3.10.3 focuses on that gap by requiring escorting and monitoring of visitors. 2
For a Compliance Officer, CCO, or GRC lead, the fastest path is to treat this as an operational workflow with clear scope, roles, and evidence, not as a “front desk policy.” You need a written rule that matches how people actually enter your spaces (reception, side doors, loading docks, shared coworking floors, after-hours visits), plus a way to prove execution during a CMMC assessment. 3
This page gives requirement-level implementation guidance you can hand to Facilities, Security, IT, and office leadership. It also flags audit hangups assessors commonly probe: ambiguous boundaries for controlled areas, inconsistent badging, exceptions for “regulars,” and missing proof that monitoring occurs beyond a clipboard. 1
Regulatory text
Requirement (mapped text): “CMMC Level 2 practice mapped to NIST SP 800-171 Rev. 2 requirement 3.10.3 (Escort visitors and monitor visitor activity).” 4
Operator interpretation (what you must do)
You must ensure that any visitor (any non-authorized individual) is:
- Escorted in areas where your organization processes, stores, or transmits CUI, and
- Monitored while present so they cannot gain unauthorized physical access to CUI, systems, or sensitive workspaces. 2
“Escort” and “monitor” need to be real operational controls, not aspirational statements. During assessment, you will be expected to show the defined process and evidence that it is followed consistently. 3
Plain-English interpretation of the requirement
- If someone is not authorized for the area, they do not roam freely.
- You assign responsibility to a named escort (employee or specifically authorized staff member).
- You control and observe where the visitor goes, what they can see, and what they can touch, especially around CUI work areas, printers, whiteboards, engineering benches, and endpoints. 2
Monitoring does not require constant eye contact in every scenario, but it does require a defensible method to prevent unsupervised access and to detect/stop unauthorized activity in controlled spaces. 2
Who it applies to (entity and operational context)
Applies to:
- Defense contractors and subcontractors pursuing CMMC Level 2 certification. 5
- Organizations handling CUI in any physical environment: corporate offices, engineering labs, manufacturing floors with networked equipment, test ranges, and mixed-use facilities where visitors may enter. 2
Operationally, this practice touches multiple functions:
- Facilities / Physical Security: doors, badges, visitor management, signage, camera placement where appropriate.
- IT/Security: mapping controlled areas to CUI systems and endpoints.
- HR / Operations: onboarding, escort training, disciplinary backing for policy.
- Program teams: conference rooms, project spaces, and third-party meetings. 2
What you actually need to do (step-by-step)
Step 1: Define scope and boundaries (no ambiguity)
- Identify “CUI areas.” Make a list of rooms and zones where CUI is processed, stored, or transmitted (including where CUI is discussed on screens/whiteboards).
- Classify areas. Example: Public (lobby), Controlled (badge access), Restricted (additional controls for CUI work).
- Document the boundary. Maintain a simple floor plan or written boundary description that facilities and teams can follow. 2
Practical tip: If your CUI environment is “everywhere,” the escort requirement becomes operationally hard. Most teams narrow it by defining controlled zones and enforcing clean desk/screen rules outside them. Align to your CUI handling design. 2
Step 2: Define “visitor” and “authorized unescorted” populations
Create a short decision matrix:
- Visitor: anyone without authorized unescorted access to the specific area (customers, auditors, delivery personnel, cleaners, IT break/fix, prospective employees, consultants).
- Authorized unescorted: employees or third-party personnel who have been granted physical access based on role, need, and approval. 2
Avoid informal categories like “they’re here all the time.” If they are a regular third party, decide: treat them as a visitor every time, or formally authorize unescorted access with approvals and training. 2
Step 3: Implement the visitor management workflow
Minimum operational workflow:
- Arrival & identity check: visitor presents identification per site procedure.
- Sign-in: capture name, organization, host, purpose, areas approved, arrival time.
- Badge issuance: visitor badge visually distinct from employee badges.
- Rules briefing: photography restrictions, no plugging devices into systems, stay with escort, where they may go.
- Escort assignment: named host/escort accountable for the visitor.
- Monitoring during visit: escort maintains control of movement; restrict access to endpoints, printers, and unattended documents.
- Sign-out & badge return: record departure time; recover badge. 2
If you use an electronic visitor system, configure it to capture the same fields as your paper log and to support export for evidence. 3
Step 4: Handle high-risk scenarios with written rules
Document specific handling for:
- After-hours visits: who can approve, how escorting works when reception is closed.
- Deliveries and maintenance: keep them in non-CUI routes or require escort into controlled space.
- Shared conference rooms: if a room can display CUI on screens, treat it as controlled during meetings; clear boards and secure printouts after. 2
Step 5: Train escorts and make it enforceable
Create short role-based training or instructions for escorts:
- What “monitoring” means on your site
- Where visitors may not go
- What to do if a visitor deviates
- How to report incidents and log exceptions 2
Step 6: Build recurring evidence capture (assessment readiness)
Turn this into a control that produces evidence without heroics:
- Periodic review of visitor logs for completeness and anomalies.
- Spot checks (security or facilities) that badges are worn and escorts are present in controlled areas.
- Documented exceptions with approvals and corrective actions. 3
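As an added example (not from the page, and not Daydream's own code), a small review script that runs the Step 6 completeness checks over a constructed CSV export of a visitor log. It flags the gaps assessors treat as "process not operating": missing escort, missing sign-out, a badge not recorded as returned, and movement into areas outside what was approved. The column names are assumed; adapt them to your own system's export.

```python
import csv
import io
from datetime import datetime

# Constructed sample export from a visitor system (not real data). Field names
# follow the log fields the page lists; "areas_visited" and "badge_returned"
# are assumed columns for this example.
SAMPLE_LOG = """\
visitor,organization,host_escort,purpose,areas_approved,areas_visited,badge_id,badge_returned,sign_in,sign_out
A. Vendor,Acme Test Co,J. Smith,printer service,Lobby;Lab-2,Lobby;Lab-2,V-101,yes,2024-05-06T09:02,2024-05-06T10:15
B. Auditor,Example Audit LLC,,assessment interview,Lobby;Conf-A,Lobby;Conf-A,V-102,yes,2024-05-06T13:00,2024-05-06T15:30
C. Courier,Fast Parcel,R. Lee,delivery,Lobby,Lobby;Eng-Bench,V-103,no,2024-05-06T16:40,
"""

# Fields that must be present for an entry to count as operating evidence.
REQUIRED = ("visitor", "host_escort", "purpose", "areas_approved", "sign_in", "sign_out")


def review_visitor_log(csv_text):
    """Return (visitor, finding) tuples for entries that would not hold up as
    evidence: missing escort/sign-out, badge not recovered, or movement
    outside the approved areas."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        who = row["visitor"] or "<unnamed>"
        for field in REQUIRED:
            if not (row.get(field) or "").strip():
                findings.append((who, f"missing {field}"))
        # Badge control: an issued badge must be recorded as returned.
        if row.get("badge_id") and row.get("badge_returned", "").lower() != "yes":
            findings.append((who, f"badge {row['badge_id']} not recorded as returned"))
        # Movement check: visited areas must be a subset of approved areas.
        approved = {a.strip() for a in row["areas_approved"].split(";") if a.strip()}
        visited = {a.strip() for a in row.get("areas_visited", "").split(";") if a.strip()}
        for area in sorted(visited - approved):
            findings.append((who, f"entered {area} without approval"))
        # Sanity-check timestamps when both are present.
        if row["sign_in"] and row["sign_out"]:
            if datetime.fromisoformat(row["sign_out"]) <= datetime.fromisoformat(row["sign_in"]):
                findings.append((who, "sign_out not after sign_in"))
    return findings


def summarize(csv_text):
    """Count entries with at least one finding; a recurring review can trend this."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    flagged = {who for who, _ in review_visitor_log(csv_text)}
    return {"entries": len(rows), "flagged": len(flagged)}


if __name__ == "__main__":
    for who, finding in review_visitor_log(SAMPLE_LOG):
        print(f"{who}: {finding}")
    print(summarize(SAMPLE_LOG))
```

Run it against each period's export and file the output with the review record; the flagged entries are the ones that need the documented follow-up the page calls for.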
Daydream fit: Many teams track the control in Daydream as a mapped requirement with an evidence checklist and recurring tasks, so visitor logs and reviews are collected continuously instead of scrambled for right before assessment. 3
Required evidence and artifacts to retain
Keep artifacts that prove both design and operation:
Design evidence (what you intended to do)
- Physical access/visitor policy section covering escorting and monitoring.
- Definition of controlled/restricted areas (floor plan, zone list, signage standards).
- Visitor procedure (SOP) including escort responsibilities and prohibited activities.
- Role/training materials for escorts and reception/security. 2
Operating evidence (proof you did it)
- Visitor logs (paper scans or exports) showing sign-in/out, host, badge issued, areas visited.
- Badge issuance records (if separate).
- Exception records (maintenance, emergencies, after-hours) with approvals.
- Periodic log review records and remediation notes for incomplete entries. 6
Evidence quality rule: Assessors typically want to see repeatability across time and across sites in scope, not a single “perfect day” log. 3
Common exam/audit questions and hangups
Expect questions like:
- “Show me the boundary of your CUI areas. How does a visitor know they entered a controlled area?” 2
- “Who is authorized to escort, and how are they trained?” 2
- “What prevents a visitor from walking to a printer, whiteboard, or unattended workstation?” 2
- “How do you handle ‘regular’ third parties: cleaning crews, building management, MSP technicians?” 2
- “Provide visitor logs and show review/oversight.” 3
Hangup that fails teams: a written policy plus incomplete logs. If logs have missing escorts, missing sign-out times, or inconsistent badge control, the assessor will treat the process as not operating. 3
Frequent implementation mistakes and how to avoid them
| Mistake | Why it fails | Fix |
|---|---|---|
| “Visitor” is undefined | Staff invent exceptions | Define visitor and authorized unescorted access in writing. 2 |
| Controlled areas not clearly marked | Visitors and staff can’t follow the rule | Add signage, badge readers, and documented area lists. 2 |
| Escort is nominal | Visitor still wanders | Require named escort in the log and enforce responsibility. 2 |
| Monitoring depends on one receptionist | Breaks after hours or at side doors | Cover all entrances, after-hours procedures, and deliveries. 2 |
| Evidence is ad hoc | Scramble during assessment | Set a recurring evidence collection and log review cadence tracked in your GRC system. 3 |
Enforcement context and risk implications
The source material reviewed for this page includes no public enforcement cases for this specific practice, so none are cited here. 3
Risk implications are still operationally real:
- A visitor with unescorted access can photograph screens/whiteboards, remove paper, or connect devices in ways that create CUI exposure and incident response obligations. 2
- In a CMMC assessment, weak evidence for physical access practices can create certification risk because assessors need objective evidence that practices are implemented. 7
Practical execution plan (phased)
The plan below is phased as Immediate, Near-term, and Ongoing rather than tied to 30/60/90-day milestones, because the sources do not support specific durations.
Immediate (stabilize and stop gaps)
- Define CUI areas and publish a controlled-area list to Facilities and program leads. 2
- Standardize sign-in/out fields and require a named host/escort for every visitor entry. 2
- Issue distinct visitor badges and require visible wear in controlled areas. 2
- Write an exceptions process for deliveries, maintenance, and after-hours visits. 2
Near-term (make it consistent and auditable)
- Train escorts and reception/security staff; collect acknowledgments. 2
- Add periodic log reviews; document follow-up on missing data and recurring issues. 3
- Validate physical routes: confirm visitors can’t enter controlled areas from side doors without being captured by the workflow. 2
Ongoing (operate like a control, not a project)
- Run spot checks for badge/escort compliance in controlled areas; log findings and corrective actions. 3
- Review “regular” third parties quarterly as a governance practice (guidance recommendation, not a sourced requirement) and decide whether they remain visitors or need formal unescorted authorization. 2
- Use Daydream to map 3.10.3 to your SOPs and to schedule evidence capture so logs, reviews, and training records are packaged for assessment. 3
Frequently Asked Questions
Do employees need to be escorted in CUI areas?
If an employee is authorized for unescorted access to that area, escorting is not the point. The control targets visitors and other non-authorized individuals entering controlled spaces. (Source: NIST SP 800-171 Rev. 2)
Can we treat third-party technicians as “not visitors” because they have badges?
Only if you formally authorize their unescorted physical access and can defend the approval basis. If that authorization doesn’t exist, treat them as visitors and escort/monitor them. (Source: NIST SP 800-171 Rev. 2)
Does a camera system count as “monitoring” visitor activity?
Cameras can support monitoring, but you still need an operational method that prevents unsupervised access while the visitor is present. Most teams pair cameras with escorting and controlled-area boundaries. (Source: NIST SP 800-171 Rev. 2)
What should the visitor log capture for CMMC assessment purposes?
Capture identity, organization, purpose, host/escort, areas approved, sign-in time, sign-out time, and badge identifier if you track it. Keep logs and evidence of periodic review. (Source: NIST SP 800-171 Rev. 2; DoD CMMC Program Guidance)
How do we handle visits in shared office space or coworking locations?
Define which parts of the space are in scope as CUI areas and ensure visitor controls apply at those boundaries. If you cannot enforce boundaries, reconsider whether the location can support CUI work. (Source: NIST SP 800-171 Rev. 2)
What’s the fastest way to get “assessment-ready” on 3.10.3?
Tighten scope, standardize the visitor workflow, and start recurring evidence capture immediately so you can show consistent operation over time. Daydream can track the requirement mapping and prompt evidence collection. (Source: DoD CMMC Program Guidance)