Physical Access Logging (NIST 800-171 3.10.4)
Control 3.10.4 requires you to maintain comprehensive audit logs of all physical access to your facilities and systems. For SMBs handling controlled unclassified information (CUI), this means documenting who enters secure areas, when they enter, and what they access. Without proper logging, you lose visibility into potential security breaches and cannot demonstrate compliance during audits.
What this means
Physical access logging creates a complete record of all entries and exits to restricted areas where CUI or critical systems are stored. This includes employee access, visitor entry, and contractor movements. The logs serve as detective controls—they help you identify unauthorized access attempts, investigate security incidents, and prove to auditors that you're monitoring your physical perimeter. Effective logging combines electronic systems (badge readers, cameras) with manual logs for areas without automation.
How to comply
- 1.Install or verify physical access control systems (badge readers, keypads, biometric systems) at all entry points to secure areas
- 2.Configure systems to automatically log timestamp, user ID, access point, and entry/exit status for every access event
- 3.Implement supplementary manual logs for areas without electronic controls to capture visitor and contractor access
- 4.Retain access logs for a minimum of one year; align retention with your data classification and incident response timelines
- 5.Review logs regularly—at minimum quarterly—for anomalies like after-hours access or repeated failed attempts
- 6.Cross-reference access logs with employee rosters to identify terminated staff still using credentials
- 7.Document your logging procedures in physical security policies and train staff on access control requirements
- 8.Ensure log data is protected from modification or deletion; use write-once storage or restricted-access audit systems
Evidence auditors look for
- Physical access control system reports showing timestamp, user ID, and access point for all entries
- Badge reader logs covering a 30+ day period with entry and exit timestamps
- Visitor sign-in logs with date, time, visitor name, host employee, and signature
- Contractor access records with pre-approval documentation and logged entry/exit times
- Security camera logs correlated with badge access logs to verify authenticity
- Monthly access log review summaries with documented findings and corrective actions
- Incident investigation reports citing specific access log entries as evidence
- System configuration documentation showing audit logging enabled and set to capture required fields
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates access log aggregation and anomaly detection—pulling events from your badge systems, correlating them with your employee database, and flagging suspicious patterns for investigation, so you can satisfy 3.10.4 with real-time visibility instead of manual log reviews.
See how GRCWatch handles this control automatically
Start free trial