GRCWatch
Sign inStart free trial

CMMC PE.L2-3.10.4: Physical Access Logs & Audit Trail Requirements

Physical access logs are your facility's security record, proving who accessed controlled areas and when. CMMC Level 2 requires you to maintain comprehensive audit logs that create an auditable trail of all physical entries and exits. Without proper logging infrastructure, you cannot demonstrate access control compliance to assessors.

What this means

This control requires your organization to maintain detailed audit logs documenting all physical access to facilities and sensitive areas. These logs must record entry and exit events, identify the individuals accessing the space, capture timestamps, and remain available for review and investigation. The logs serve as evidence that your physical access controls are functioning and that unauthorized access attempts can be detected.

How to comply

  1. 1.Install access control systems (badge readers, biometric scanners, or manual sign-in logs) at all entry points to secure areas
  2. 2.Configure systems to automatically capture and timestamp each access event including user identity, access point, date, and time
  3. 3.Establish a centralized log repository or database where all access events are stored and retained for the required period
  4. 4.Define retention policies requiring logs be maintained for a minimum of 12 months (or per your organization's policy)
  5. 5.Restrict access to audit logs themselves—ensure only authorized personnel can view or modify access records
  6. 6.Schedule regular reviews of access logs to identify anomalies, unauthorized access attempts, or policy violations
  7. 7.Document your physical access logging procedures in your security plan and communicate them to all staff

Evidence auditors look for

  • Access control system configuration documentation showing logging enabled for all entry points
  • Sample physical access audit logs showing timestamps, user identifiers, and access locations
  • Log retention policy document specifying minimum storage periods and backup procedures
  • Monthly or quarterly access log review reports with documented investigation of exceptions
  • Security badges or access cards issued to employees with corresponding badge reader logs
  • Manual sign-in/sign-out sheets for areas without electronic access control, properly maintained and archived
  • Incident reports referencing access logs used to investigate unauthorized access attempts

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch centralizes your physical access log collection and automatically generates timestamped audit reports, eliminating manual log reviews and reducing evidence-gathering time during CMMC assessments.

See how GRCWatch handles this control automatically

Start free trial

Related controls

PE.L2-3.10.1 - Visitor Access ControlPE.L2-3.10.2 - Physical Area IdentificationPE.L2-3.10.3 - Physical Access RestrictionsAC.L2-3.1.1 - Access Control PolicyAU.L2-3.3.1 - Audit Logging