CMMC Level 2 Practice 3.10.4: Maintain audit logs of physical access
CMMC Level 2 Practice 3.10.4 requires you to keep audit logs that show who accessed CUI-relevant physical spaces, when they accessed them, and how access was granted or denied. To operationalize it fast, define which areas are “in scope,” centralize badge/visitor/CCTV log retention, and run a recurring review-and-evidence routine that you can show an assessor. 1
Key takeaways:
- Scope the spaces first: if you can’t name your in-scope areas, you can’t prove compliant logging.
- “Audit logs” means you can reconstruct access history, not just state that doors are locked.
- Build assessor-ready evidence: log samples, retention settings, review records, and exception handling.
Physical access logging is one of the fastest ways for a CMMC assessment to go sideways because teams treat it as a facilities function instead of a CUI protection control. CMMC Level 2 Practice 3.10.4 maps directly to NIST SP 800-171 Rev. 2 requirement 3.10.4 and expects that you maintain audit logs of physical access for spaces that matter to CUI. 1
For most contractors, the practical question is not “do we have a badge system?” It is: can you produce records that let an assessor trace physical entry activity for CUI processing and storage areas over the period you claim to retain logs, including visitor access, off-hours access, and exceptions? If the answer depends on an employee remembering who came in, you are exposed.
This page gives requirement-level implementation guidance you can hand to security, facilities, IT, and your MSSP. It focuses on scoping decisions, minimum log content, retention and integrity, operational reviews, and the evidence pack you should maintain for assessment readiness under the CMMC program. 2
Requirement: CMMC Level 2 Practice 3.10.4: Maintain audit logs of physical access
Objective: Maintain physical access audit logs that support accountability and incident investigation for facilities and areas where CUI is processed, stored, or transmitted, consistent with CMMC Level 2 alignment to NIST SP 800-171 Rev. 2. 1
This practice sits in the Physical Protection (PE) family. It is tightly coupled to your broader physical access controls (authorizations, escorting, visitor management, key/badge management) because logs are only meaningful if access events map to identities and controlled entry points. 3
Regulatory text
NIST SP 800-171 Rev. 2, requirement 3.10.4: “Maintain audit logs of physical access.” CMMC Level 2 adopts this requirement as practice 3.10.4 without modifying the text. 1
Operator meaning: You must generate and retain records of physical access activity for in-scope areas, and be able to produce them for review. The intent is that you can reconstruct who entered controlled spaces, when, and through which mechanism (badge, key, visitor sign-in), and investigate anomalies. 3
Plain-English interpretation
Maintain an auditable trail of physical entry and exit (or at minimum entry) for any location that could expose CUI if accessed by an unauthorized person. “Maintain” includes:
- You collect logs consistently (not only during incidents).
- You keep them for a defined retention period.
- You protect them from loss or tampering.
- You can retrieve and interpret them during an assessment or investigation. 3
Who it applies to
Entities
- Defense contractors and subcontractors handling CUI under DoD contracting flows that require CMMC Level 2. 4
Operational context (what’s typically “in scope”)
Include physical locations that:
- Store CUI in any form (paper files, media, backup tapes).
- Host systems that process/transmit/store CUI (servers, network gear, workstations in a secure area).
- Give access to CUI systems without other safeguards (e.g., an open office where CUI endpoints sit without additional protections, so the room itself is the control). 3
Common in-scope areas:
- Data center / server room
- Secure program area / SCIF-adjacent controlled office (if applicable)
- Records room / file storage
- Lab/production floor where CUI drawings or test data are present
- Shipping/receiving cage if CUI-bearing media is handled
What you actually need to do (step-by-step)
Step 1: Define your physical access logging scope
- List facilities and areas where CUI is processed, stored, or transmitted.
- Assign each area an owner (Facilities, Security, IT, Program).
- Identify the entry points you will log (doors, gates, cages).
- Document the scope in your SSP/physical security standard operating procedure so the assessor sees a clear boundary. 1
Practical tip: If you use CUI enclaves, align the “in-scope areas” to the enclave boundary. Mismatched boundaries create evidence gaps during sampling.
Step 2: Choose log sources that produce identity-linked events
You generally need one or more of:
- Badge access control system events (preferred for employees/contractors)
- Visitor management logs (sign-in/out, escort, destination)
- Key control logs (issued/returned keys, key cabinet access)
- Security desk logs for exceptions (lost badge, door forced open, propped door)
- CCTV as supporting evidence (not a replacement for identity logs unless your process ties footage to named individuals reliably) 3
Minimum log fields to capture (make this your internal requirement):
- Person identity (name and unique identifier or badge ID mapped to a person)
- Date/time stamp
- Location (door/area)
- Event type (granted/denied/forced/held open)
- Method (badge, key, visitor pass)
- For visitors: host, escort requirement, organization, purpose, and area visited
Step 3: Set retention, integrity, and access controls for the logs
Define and document:
- Where logs are stored (ACS platform, SIEM, secure file store, ticketing system attachments)
- Who can access/alter logs (least privilege; separate duties where possible)
- Backup/availability approach for the log repository
- A retention period that is consistent across sources and supports investigations and assessments (you set the period; be prepared to prove you follow it). 3
Assessment hangup: Assessors often ask for log records from a past time window. If you only keep rolling short-term exports, or the system overwrites older events, you may not be able to produce what your policy says you maintain.
Step 4: Operationalize a recurring review process
Audit logs are not only for storage; they are operational security data.
- Define review triggers: after-hours access, denied access spikes, forced-door events, access to sensitive rooms by non-program staff.
- Assign review responsibility (Security or Facilities with Security oversight).
- Create a simple review record: what period was reviewed, what was checked, anomalies found, and disposition/tickets.
- Track exceptions: badge shared, tailgating report, visitor not signed out, door hardware failures. 3
Step 5: Make it assessable (evidence packaging)
Prepare an “assessor path”:
- A diagram/list of in-scope areas and controlled entry points.
- A written procedure describing how logs are generated, retained, and reviewed.
- A short walkthrough showing how to retrieve logs for a named door and a named individual over a defined date range.
- Sample exports and review records. 5
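The minimum log fields from Step 2, the review triggers from Step 4 and the retrieval walkthrough from Step 5 can be exercised against a single export. The script below is an added example for this page; it is not code from the page, from NIST, or from any access control system vendor. Everything in it is constructed for illustration: the CSV layout, the badge IDs and names, the door names, the 07:00 to 19:00 business hours, the denial threshold and the sample rows. Real ACS exports differ in field names and timestamp formats, so `parse_events` is the part you would adapt.

```python
"""Recurring review of a physical access log export for 3.10.4 triggers.

Added example for this page (not from the page, NIST, or any ACS vendor).
All identifiers, door names, hours and sample rows are constructed.
"""
import csv
import io
from collections import Counter
from datetime import datetime, time

# Constructed badge-to-identity mapping (in practice: HR feed or provisioning records).
BADGE_TO_PERSON = {"B1001": "A. Rivera", "B1002": "J. Chen", "B1003": "M. Okafor"}
# Constructed in-scope controlled entry points from the scoping step.
IN_SCOPE_DOORS = {"DC-01 Server Room", "REC-02 Records Room"}
# Constructed business hours; outside them, or on a weekend, counts as after hours.
BUSINESS_HOURS = (time(7, 0), time(19, 0))
DENIED_SPIKE_THRESHOLD = 3  # repeated denials by one badge at one door

# Constructed ACS export carrying the minimum fields listed in Step 2.
SAMPLE_EXPORT = """timestamp,badge_id,door,event,method
2024-03-04T08:12:05,B1001,DC-01 Server Room,granted,badge
2024-03-04T08:40:11,B1002,REC-02 Records Room,granted,badge
2024-03-04T22:17:43,B1001,DC-01 Server Room,granted,badge
2024-03-05T09:01:00,B1003,DC-01 Server Room,denied,badge
2024-03-05T09:01:09,B1003,DC-01 Server Room,denied,badge
2024-03-05T09:01:20,B1003,DC-01 Server Room,denied,badge
2024-03-05T11:30:00,B1002,REC-02 Records Room,held_open,badge
2024-03-05T13:05:00,,DC-01 Server Room,forced,none
2024-03-06T10:00:00,B9999,REC-02 Records Room,granted,badge
2024-03-06T10:05:00,B1002,LOBBY-01 Lobby,granted,badge
"""


def parse_events(export_text):
    """Parse the CSV export into event dicts and resolve badge IDs to people."""
    events = []
    for row in csv.DictReader(io.StringIO(export_text)):
        events.append({
            "ts": datetime.fromisoformat(row["timestamp"]),
            "badge_id": row["badge_id"] or None,
            "person": BADGE_TO_PERSON.get(row["badge_id"]),  # None if unmapped
            "door": row["door"],
            "event": row["event"],
            "method": row["method"],
        })
    return events


def is_after_hours(ts):
    return ts.weekday() >= 5 or not (BUSINESS_HOURS[0] <= ts.time() < BUSINESS_HOURS[1])


def finding(trigger, e, who, detail=None):
    return {"trigger": trigger, "ts": e["ts"].isoformat(), "door": e["door"],
            "who": who, "detail": detail or e["event"]}


def review(events):
    """Apply the Step 4 review triggers to in-scope doors; findings come back in event order."""
    findings, denials = [], Counter()
    for e in events:
        if e["door"] not in IN_SCOPE_DOORS:
            continue  # out-of-scope doors are not part of this review
        who = e["person"] or f"badge {e['badge_id'] or 'n/a'} (unmapped)"
        if e["event"] == "granted" and e["person"] is None:
            findings.append(finding("unmapped_badge", e, who))  # identity gap
        if e["event"] == "granted" and is_after_hours(e["ts"]):
            findings.append(finding("after_hours", e, who))
        if e["event"] in ("forced", "held_open"):
            findings.append(finding("door_event", e, who))
        if e["event"] == "denied":
            denials[(e["badge_id"], e["door"])] += 1
    for (badge, door), n in denials.items():
        if n >= DENIED_SPIKE_THRESHOLD:
            who = BADGE_TO_PERSON.get(badge, f"badge {badge} (unmapped)")
            findings.append({"trigger": "denied_spike", "ts": None, "door": door,
                             "who": who, "detail": f"{n} denials"})
    return findings


def retrieve(events, door=None, person=None, start=None, end=None):
    """Assessor drill: events for a named door and/or person within [start, end), ISO dates."""
    start = datetime.fromisoformat(start) if start else None
    end = datetime.fromisoformat(end) if end else None
    return [e for e in events
            if (door is None or e["door"] == door)
            and (person is None or e["person"] == person)
            and (start is None or e["ts"] >= start)
            and (end is None or e["ts"] < end)]


def review_record(events, findings, reviewer):
    """The minimal review record from Step 4: period, what was checked, anomalies found."""
    in_scope = [e for e in events if e["door"] in IN_SCOPE_DOORS]
    return {"period": (min(e["ts"] for e in in_scope).date().isoformat(),
                       max(e["ts"] for e in in_scope).date().isoformat()),
            "doors_checked": sorted(IN_SCOPE_DOORS),
            "events_checked": len(in_scope),
            "anomalies_by_trigger": dict(Counter(f["trigger"] for f in findings)),
            "reviewer": reviewer}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EXPORT)
    fs = review(evs)
    for f in fs:
        print(f)
    print(review_record(evs, fs, "Security analyst"))
    print(retrieve(evs, door="DC-01 Server Room", person="A. Rivera",
                   start="2024-03-04", end="2024-03-05"))
```

Two design points carry over to a real deployment. First, an unmapped badge that is granted entry is reported as its own finding rather than silently labelled “unknown”, because a badge-to-identity gap is exactly what breaks traceability under sampling. Second, the review record is produced from the same data the review ran on, so the period and event count an assessor sees are what was actually checked, not a figure typed in afterwards.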
Where Daydream fits naturally: Daydream can track control ownership, map 3.10.4 to the exact operating procedure, and run recurring evidence capture tasks so you always have fresh exports, screenshots of retention settings, and review attestations ready for assessment. 5
Required evidence and artifacts to retain
Maintain a tight evidence pack that matches how CMMC assessments work (interview, examine, test). 6
Policies/standards
- Physical security / facility access standard with logging requirements
- Visitor management procedure (sign-in/out, escort rules, badge return)
- Log retention standard covering physical access logs 3
System configurations
- Access control system (ACS) configuration showing event logging enabled
- Screenshots or exports showing retention settings and storage location
- Role-based access control list for who can access ACS logs 3
Operational records (samples)
- Badge access logs for in-scope doors (granted and denied events)
- Visitor logs for in-scope areas
- Exception records: door forced open/held open incidents, lost badge events, temporary access grants
- Review records: periodic review checklist, analyst notes, tickets/closures 3
Traceability
- Mapping from badge ID to identity (HR feed or access provisioning records)
- Access provisioning/deprovisioning tickets for physical access to in-scope areas 3
Common assessment questions and hangups
Assessors tend to test whether your process works under sampling pressure. Expect questions like:
- “Show me the list of areas where CUI is stored and which doors control entry.” 6
- “Pull the access log for this door for a prior period and explain each field.” 3
- “How do you correlate a badge ID to a person, and how do you handle contractors?” 3
- “How do you log visitors, and can you show escort evidence for a visitor on a given date?” 3
- “What happens if the badge system goes down or a door is left propped?” 3
Typical hangups:
- Logs exist, but are not retained long enough to satisfy the organization’s own stated policy.
- Visitor access is managed on paper, but records are incomplete or not retrievable.
- The “secure area” has multiple uncontrolled entry points (side doors, loading bay) with no logs. 3
Frequent implementation mistakes (and how to avoid them)
- No clear scope boundary. Fix: Maintain an authoritative list of in-scope rooms/areas and entry points, tied to your CUI data flow and enclave boundary. 3
- Relying on CCTV as the primary log. Fix: Use CCTV as supporting evidence; make badge/visitor logs the system of record for identity. 3
- Badge sharing and generic badges. Fix: Prohibit shared badges in policy, issue named credentials, and treat shared badge events as incidents with documented response. 3
- Visitor process isn’t tied to controlled areas. Fix: Require destination and host on the visitor record; require sign-out and badge return; enforce escort rules for in-scope spaces. 3
- Logs are stored, but nobody reviews them. Fix: Stand up a recurring review cadence with documented results and ticketed follow-up for anomalies. 3
Enforcement context and risk implications
This page cites no public enforcement cases for this specific practice, so the guidance here focuses on assessment and contractual risk under the CMMC program framework. 4
Operational risk if you fail 3.10.4:
- You may be unable to prove who accessed CUI areas during an incident, which slows containment and root-cause analysis.
- You increase the chance of an assessment finding due to missing “examine” evidence even if doors are physically secured.
- You create downstream gaps for incident response and insider threat investigations because physical events cannot be correlated with system events. 3
Practical execution plan (30/60/90)
Use this phased plan as an operator checklist, not a project plan that never ships.
First 30 days (stabilize and scope)
- Confirm CUI locations and define in-scope areas and entry points.
- Inventory current log sources (badge system, visitor process, key control, security desk).
- Document a minimum log field standard and confirm your systems can export those fields.
- Create a single evidence folder structure and name an owner for monthly evidence capture. 1
By 60 days (make it repeatable)
- Implement or fix visitor logging so it is complete and retrievable for in-scope areas.
- Lock down access to logs (who can view/export; who can administer).
- Create a recurring log review checklist and start recording review outcomes.
- Run an internal “assessor drill”: pick a door, a person, and a historical time window; retrieve logs and show correlation to identity. 5
By 90 days (make it assessable)
- Demonstrate end-to-end traceability: access provisioning ticket → badge activation → door events → review record → exception handling.
- Confirm retention settings match written policy and are consistently applied across log sources.
- Package an assessment-ready evidence set with samples and written explanations that non-facilities assessors can follow. 5
Frequently Asked Questions
Do we have to log every door in the building?
Log doors that control access to areas where CUI is processed, stored, or transmitted, plus any alternate entry points that bypass the controlled boundary. Document the scope so an assessor can see why some doors are out of scope. 3
Are paper visitor sign-in sheets acceptable?
They can be, if they are complete, protected from tampering, retained per your policy, and quickly retrievable for the time window an assessor tests. Many teams fail on retrievability and completeness, not on the medium. 3
Does CCTV footage count as an audit log for 3.10.4?
Treat CCTV as supporting evidence unless your process reliably ties footage to named individuals and you can retrieve it on demand. Badge and visitor logs are typically the cleanest identity-linked records. 3
What about shared spaces like a leased office suite or coworking environment?
If CUI is present, you still need controlled access and auditable entry records for the CUI boundary. If you cannot control or log access to the relevant areas, reassess where CUI work occurs and how the enclave boundary is enforced. 3
Who should own this control: Facilities or Security?
Facilities often operates the systems, but Security/Compliance should own the control outcome, the written procedure, and assessment evidence. Split the RACI so evidence capture and review do not depend on informal favors. 6
What evidence will an assessor ask for first?
Expect requests for the list of in-scope areas/doors, sample access logs for those doors, proof of retention settings, and records that show logs are reviewed and exceptions are handled. Prepare those artifacts as a standard evidence pack. 5
Footnotes
Sources cited in this page: NIST SP 800-171 Rev. 2 (requirement 3.10.4, Maintain audit logs of physical access); DoD CMMC Program Guidance.