GRCWatch
Sign inStart free trial

CMMC Level 2 Visitor Control (PE.L2-3.10.3): Escort and Monitor Guidance

Visitor control is a critical physical security requirement under CMMC Level 2 that mandates organizations escort visitors and actively monitor their activity within controlled areas. Proper implementation protects your facility from unauthorized access, data exposure, and insider threats. This guide walks you through the specific requirements and practical steps to achieve compliance.

What this means

PE.L2-3.10.3 requires that your organization establish and enforce procedures to escort all visitors while they are present in controlled areas of your facility, and to monitor their activities during their visit. This control prevents unauthorized access to sensitive information, controlled unclassified information (CUI), and critical systems. Visitors must never have unescorted access to areas where CUI or sensitive data is stored, processed, or transmitted. The control applies to all visitors—contractors, vendors, auditors, and guests—regardless of their relationship to your organization.

How to comply

  1. 1.Develop a written visitor management policy that defines what constitutes a controlled area and specifies escorting requirements.
  2. 2.Designate specific employees as authorized escort personnel and train them on visitor supervision protocols.
  3. 3.Require all visitors to check in at a single point of entry and provide government-issued identification.
  4. 4.Issue temporary badges or passes that are collected upon visitor departure.
  5. 5.Maintain a visitor log that records name, organization, purpose of visit, date, time in, time out, and escort name.
  6. 6.Establish a badge system that visually distinguishes visitors from employees.
  7. 7.Prohibit unescorted access to controlled areas; assign escorts to remain with visitors at all times.
  8. 8.Conduct periodic reviews of visitor logs to identify patterns and assess compliance.
  9. 9.Train employees on visitor handling procedures and the importance of maintaining physical security.
  10. 10.Define consequences for violations and enforce them consistently.

Evidence auditors look for

  • Documented visitor management policy and procedures
  • Visitor log entries with complete information (name, organization, purpose, dates, times, escort)
  • Visitor badge or pass system documentation
  • Training records showing employees trained on visitor escort procedures
  • Access control records showing visitor badge deactivation upon departure
  • Security incident reports documenting visitor-related security investigations or issues
  • Photos or descriptions of visitor check-in area and badge system
  • Policy documentation defining controlled areas within the facility

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch's visitor management module automates visitor check-in, badge generation, escort assignment, and log retention, eliminating manual tracking and ensuring every visitor interaction is documented for audit readiness.

See how GRCWatch handles this control automatically

Start free trial

Related controls

PE.L1-3.10.1 — Physical Security PerimeterPE.L2-3.10.2 — Physical EntryPE.L2-3.10.4 — Facility AccessAC.L2-3.1.1 — User Access ControlAU.L2-3.3.1 — Audit and Accountability