cmmc-pe-2 Medium priority Physical Protection / Physical Access

Escort visitors and monitor visitor activity in secured areas

Visitors including contractors, vendors, auditors, and guests should not be left unescorted in areas where FCI systems are located. An unescorted visitor can observe screens, copy data, photograph equipment, or install hardware implants without anyone noticing. Escort requirements ensure there is always an authorized employee present who can supervise and take responsibility for visitor activity.

3h estimated effort

physical-security facilities visitor-management

Implementation steps

1

Define visitor policies for secured areas

Write a policy specifying that visitors must be escorted at all times in areas containing FCI systems. Define who qualifies as a visitor (including vendors, contractors, and temporary staff not yet badged), which areas require escort, and who is authorized to serve as an escort.

confluence
2

Implement a visitor sign-in process

Require all visitors to sign in with their name, organization, purpose of visit, the employee they are visiting, and time of arrival and departure. Issue visitor badges that are visually distinct from employee badges and must be worn visibly. Collect visitor badges when visitors exit.

envoy proxyclick excel
3

Train employees on escort responsibilities

Train all employees to understand they are responsible for the visitors they escort: they must keep the visitor in sight, prevent the visitor from accessing areas beyond the purpose of the visit, and challenge any unescorted visitor they encounter. Brief employees on what to do if they see a visitor without a badge or escort.

knowbe4