Maintain audit logs of physical access to secured areas
Organizations must maintain records of who physically accessed areas containing FCI systems, and when. Physical access logs serve two purposes: deterrence, because people behave differently when they know access is recorded, and investigation, because logs allow you to determine who was present when a physical security incident occurred. Logs should be retained long enough to support incident investigations.
Implementation steps
1. Implement electronic access logging
Use an electronic access control system that automatically logs every badge swipe or PIN entry at secured doors, capturing the cardholder, location, timestamp, and whether access was granted or denied. Electronic logs are preferable to manual logs because they are tamper-resistant and always collected.
Tools: Lenel, Genetec, HID, Brivo
2. Supplement with manual logs where electronic systems are not available
For areas without electronic access control, maintain a physical sign-in log requiring visitors and employees to record their name, purpose, and time in and out. Designate someone responsible for maintaining the log and ensuring it is complete.
Tools: Envoy
3. Define log retention and review procedures
Retain physical access logs for at least 90 days, or longer if your contracts require it. Establish a process to periodically review logs for anomalies such as access outside business hours, repeated failed access attempts, or access by individuals whose employment has ended.
Tools: Lenel, Genetec, Splunk
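The periodic review from step 3, run over the fields listed in step 1, as an added example (not part of the original guidance and not any vendor's export format). The CSV column names, the 07:00 to 19:00 weekday business hours, the three-denials-in-ten-minutes threshold, and the termination roster are all assumptions chosen for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, time, timedelta

# Constructed sample export; column names are assumptions, not a vendor format.
SAMPLE_EXPORT = """cardholder,location,timestamp,result
alice,Server Room,2024-03-04T09:15:00,granted
bob,Server Room,2024-03-04T23:40:00,granted
carol,Lab Door,2024-03-05T10:00:00,denied
carol,Lab Door,2024-03-05T10:01:30,denied
carol,Lab Door,2024-03-05T10:02:10,denied
dave,Server Room,2024-03-06T11:00:00,granted
alice,Lab Door,2024-03-09T10:00:00,granted
"""
# Constructed HR roster: cardholder -> last day of employment.
TERMINATED = {"dave": datetime(2024, 3, 1)}
BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)  # assumed hours, Mon-Fri
FAIL_THRESHOLD, FAIL_WINDOW = 3, timedelta(minutes=10)  # assumed tuning


def review(export_text, terminated):
    """Return sorted (cardholder, timestamp, reason) findings for the export."""
    findings = set()
    denied = defaultdict(list)  # (cardholder, location) -> denied timestamps
    for row in csv.DictReader(io.StringIO(export_text)):
        who, ts = row["cardholder"], datetime.fromisoformat(row["timestamp"])
        ended = terminated.get(who)
        if ended and ts > ended:  # granted or denied: badge still in circulation
            findings.add((who, ts.isoformat(), "after-termination"))
        if row["result"] == "granted":
            off_hours = not (BUSINESS_START <= ts.time() < BUSINESS_END)
            if off_hours or ts.weekday() >= 5:
                findings.add((who, ts.isoformat(), "outside-business-hours"))
        else:
            denied[(who, row["location"])].append(ts)
    for (who, _), stamps in denied.items():
        stamps.sort()
        # Sliding window: FAIL_THRESHOLD denials within FAIL_WINDOW at one door.
        for i in range(len(stamps) - FAIL_THRESHOLD + 1):
            last = stamps[i + FAIL_THRESHOLD - 1]
            if last - stamps[i] <= FAIL_WINDOW:
                findings.add((who, last.isoformat(), "repeated-denied"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in review(SAMPLE_EXPORT, TERMINATED):
        print(*finding, sep="  ")
```

Events are flagged for human review, not treated as confirmed incidents; an off-hours entry by authorized staff is expected to appear and be dispositioned.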
Evidence required
Physical access log samples
Samples of access logs showing who accessed secured areas and when.
- Access control system log export
- Physical sign-in log sheets
Log retention configuration
Evidence that access logs are retained for the required period.
- Access control system retention settings
- Log retention policy documentation
Related controls
- Limit physical access to systems and facilities to authorized individuals (Physical Access)
- Escort visitors and monitor visitor activity in secured areas (Physical Access)
- Control and manage physical access devices (Physical Access)
- Identify all users, processes, and devices that access systems (Identification)