CMMC Practice Requirement:

Maintain audit logs of physical access.

CMMC Requirement Explanation:

Ensure that only authorized persons have accessed your facilities. You can detect suspicious activity by reviewing when someone has accessed your facilities. An example of suspicious access is an employee entering the office late at night.

Example CMMC Implementation:

Maintain a written or digital record of who has entered your company's facility (e.g. your office). Require visitors to sign in at a sign in sheet when entering and exiting your facilities. Record employee access by securing doors with smart card readers. This allows you to track when and where an employee has entered your facilities.


- Scenario 1:

Your company installed a smart card system at the entry to your facility. Now only employees with a key card can enter. When an employee enters with a key card the id associated with their card and the time they accessed the facility is recorded. This allows for access logs to be periodically reviewed.

- Scenario 2:

John receives a visitor to the office. His visitor signs in at reception and is given a visitors badge. When the visitor leaves John escorts him to reception and has him sign out. John also takes possession of the visitors badge.

Discover Our NIST SP 800-171 Solutions:


Compliance Accelerator

For contractors seeking compliance

Quantum Assessor

For IT service providers

Supply Chain Verifier

For contractors seeking to verify partner compliance