CMMC Level 1 PE.L1-3.10.4: Physical Access Logs
Physical access logs are your security baseline under CMMC Level 1. This control requires you to document who enters your facilities and when, creating an audit trail that proves accountability and supports incident investigations. Without proper logging, you cannot demonstrate that your physical security controls are working.
What this means
This control requires maintaining detailed audit logs of all physical access to your facilities and systems. You must record entry and exit events, including the identity of individuals accessing restricted areas, timestamps, and the duration of access. These logs serve as proof that physical access is monitored and traceable, supporting your overall security posture and enabling investigation of security incidents or policy violations.
How to comply
- 1.Install and configure physical access control systems (badge readers, biometric scanners, or manual sign-in logs) at all entry points to restricted areas
- 2.Capture and record all access events automatically, including date, time, user identity, and access location
- 3.Store access logs in a centralized system with adequate retention (typically 6-12 months minimum)
- 4.Regularly review logs for anomalies, unauthorized access attempts, or policy violations
- 5.Ensure logs are protected from unauthorized modification or deletion
- 6.Test your logging system quarterly to verify all events are being captured and retained
Evidence auditors look for
- Badge access system reports showing entry/exit timestamps and cardholder identities
- Manual visitor logs with signatures, dates, times, and purpose of visit
- Biometric access logs from fingerprint or facial recognition systems
- Security camera footage correlated with access logs
- Periodic access log audit reports demonstrating review and monitoring
- Policy documentation requiring physical access logging and log retention procedures
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates physical access log collection and analysis, consolidating badge system data, visitor logs, and facility records into a single audit dashboard so you can prove PE.L1-3.10.4 compliance without manual log reviews.
See how GRCWatch handles this control automatically
Start free trial