CMMC Level 2

Control 3.10.4

Maintain Physical Access Audit Logs

CMMC-RP Certified Team | 24+ Years Experience | 2,500+ Clients Served

Official Requirement

Maintain audit logs of physical access.

What This Means in Plain English

Keep records of who enters and exits restricted areas containing CUI systems. These logs should include the person's identity, time of entry and exit, and the area accessed.

How Petronella Implements This Control

Petronella Technology Group implements this control through:

  • Electronic badge access system logging all entry/exit events with timestamps and user identity
  • Security camera recordings retained for a minimum of 90 days
  • Visitor logs maintained and archived for a minimum of one year
  • Weekly review of physical access logs for anomalous patterns
  • ComplianceArmor integrating physical access logs with security event monitoring

Assessment Guidance

Assessors will review physical access logs for completeness and accuracy, verify log retention periods, check that logs are reviewed regularly, and confirm that both electronic and manual access records are maintained.
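The completeness and review checks described above can be scripted against a badge system export. The following is an added example, not Petronella's or ComplianceArmor's own code; the CSV column names, the sample rows and the business-hours window are assumptions made for illustration.

```python
import csv
import io
from datetime import datetime

# Constructed sample badge export (not real data).
SAMPLE_CSV = """user,area,event,timestamp
alice,CUI-Server-Room,entry,2024-05-06T08:58:00
alice,CUI-Server-Room,exit,2024-05-06T12:01:00
bob,CUI-Server-Room,entry,2024-05-06T23:40:00
,CUI-Server-Room,entry,2024-05-07T09:15:00
carol,CUI-Lab,entry,2024-05-07T10:00:00
carol,CUI-Lab,exit,2024-05-07T10:30:00
"""
REQUIRED = ("user", "area", "event", "timestamp")  # identity, area, entry/exit, time
BUSINESS_HOURS = range(7, 19)  # assumed site policy: 07:00-18:59

def review(csv_text):
    """Return (csv_line, finding, detail) tuples for a reviewer to follow up."""
    findings, inside = [], {}  # inside: (user, area) -> time of unmatched entry
    for line, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        missing = [f for f in REQUIRED if not (row.get(f) or "").strip()]
        if missing:  # record cannot answer who, where or when
            findings.append((line, "incomplete", ",".join(missing)))
            continue
        ts = datetime.fromisoformat(row["timestamp"])
        key = (row["user"], row["area"])
        if row["event"] == "entry":
            if key in inside:
                findings.append((line, "entry_without_prior_exit", row["user"]))
            inside[key] = ts
            if ts.hour not in BUSINESS_HOURS:
                findings.append((line, "after_hours_entry", row["user"]))
        elif row["event"] == "exit":
            if inside.pop(key, None) is None:
                findings.append((line, "exit_without_entry", row["user"]))
        else:
            findings.append((line, "unknown_event", row["event"]))
    # Entries never closed by an exit point to a missed badge-out or a logging gap.
    findings += [(None, "no_exit_recorded", user) for user, _ in inside]
    return findings

def oldest_record_age_days(csv_text, today):
    """Age of the oldest retained record, to compare with the retention period."""
    stamps = [datetime.fromisoformat(r["timestamp"])
              for r in csv.DictReader(io.StringIO(csv_text)) if r.get("timestamp")]
    return (today - min(stamps)).days

if __name__ == "__main__":
    for finding in review(SAMPLE_CSV):
        print(finding)
    print(oldest_record_age_days(SAMPLE_CSV, datetime(2024, 8, 10)), "days retained")
```

If the oldest record is younger than the required retention period and the system has been in service longer than that, records were purged early.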

Common Implementation Gaps

  • No electronic badge access logging
  • Physical access logs not retained for sufficient duration
  • Logs not reviewed for anomalies
  • Manual logs (sign-in sheets) incomplete or illegible
  • No integration of physical access logs with security monitoring

Cross-Framework Mapping

Framework | Mapped Controls
NIST SP 800-53 | PE-6
HIPAA | 164.310(a)(2)(iii) - Access Control and Validation Procedures
PCI DSS | Req 9.2 - Identify and distinguish between onsite personnel and visitors
