
CMMC Level 1: How to Implement Visitor Escort and Monitoring to Meet PE.L1-B.1.IX

Learn exactly how small businesses can implement visitor escort and monitoring to satisfy CMMC 2.0 Level 1 control PE.L1-B.1.IX using simple policies, logs, badges, and low-cost tools.

November 13, 2025

Visitor escort and monitoring is a foundational physical security practice in CMMC Level 1, mapped to FAR 52.204-21. The PE.L1-B.1.IX requirement is straightforward: when non-employees enter areas where Federal Contract Information (FCI) is present or systems handling FCI are located, they must be escorted and their activity monitored. For a small business, this boils down to scoping where FCI resides, adopting a simple visitor policy, using a reliable check-in process with visible badges, and ensuring someone is accountable for eyes-on supervision throughout the visit.

What PE.L1-B.1.IX means and what assessors expect

Assessors want to see that you have defined which spaces are controlled for FCI, that you consistently log visitors, that escorts are assigned and understand their responsibility, and that you can demonstrate monitoring actually happens. Typical evidence includes a brief physical security or visitor policy naming the requirement, a floor plan or description showing controlled areas, recent visitor logs with check-in and check-out and escort names, badge procedures, staff training records, and spot-checks or CCTV review notes if cameras are used. The control does not require fancy systems; it requires consistency and proof.

Implement in five steps

1) Define controlled areas

Start by mapping where FCI could be seen, heard, or accessed, including offices with FCI-capable workstations, conference rooms where FCI is discussed, network closets, and server racks. Mark these as “Controlled Areas” on a simple floor plan and post discreet signs at entry points such as “Controlled Area – Visitor Escort Required.” If you share a building or have an open lobby, consider creating a physically distinct inner zone with a lockable interior door for FCI workstations. A 25-person machine shop, for example, placed all contract-related PCs behind a keypad door and positioned the reception seating so visitors cannot view screens from the lobby.

2) Policy, roles, and escort rules

Publish a one-page visitor policy stating that all visitors entering controlled areas must be signed in, issued a temporary badge, escorted at all times, and signed out upon exit. Define who qualifies as a visitor, including delivery drivers, clients, maintenance, landlords, and temps not yet onboarded. Assign the Receptionist or Office Manager to control check-in and designate the Host (employee being visited) as the primary Escort; if the host is unavailable, a trained backup must take over or the visit is delayed. Require line-of-sight supervision in controlled areas, prohibit visitors from being left alone with workstations or paperwork, and specify a practical ratio such as one escort for up to three visitors depending on layout.

3) Logging, badging, and retention

Use a bound logbook or a simple digital form to capture date, visitor name, organization, purpose, person visited, arrival time, departure time, escort name, areas accessed, and visitor badge number. Keep logs for at least 90 days; six to twelve months is better to support investigations and CMMC evidence needs. Issue clearly visible visitor badges with a distinct color, and use expiring “VOID” stickers if possible for same-day visits. Store badges and the log at the reception control point; for digital logs, store in a restricted folder (for example, SharePoint with limited access) and back it up along with other compliance artifacts.

4) Monitoring methods that fit small budgets

For Level 1, monitoring can be primarily procedural: escorts maintain line-of-sight, doors to controlled areas stay closed, and staff challenge unbadged individuals. Supplement with low-cost measures like door chimes on controlled area doors, privacy screens on monitors near visitor paths, and workstation lock policies that enforce auto-lock after 5 minutes. If you deploy cameras, focus them on entry points and hallways leading to controlled areas rather than on workstations; retain footage 30–90 days, time-sync cameras to your NTP source, restrict camera console access, and post a notice that video monitoring is in use as required by local law. Conduct periodic spot-checks by reviewing a random day’s log against camera entries or escort calendars to confirm monitoring occurred.

5) Special cases: deliveries, cleaners, and shared offices

Delivery drivers should remain in the lobby or designated delivery zone; if a driver must enter a controlled area, log them, badge them, and escort them directly to and from the destination without detours. After-hours cleaners or HVAC technicians must be either escorted by an employee or restricted to non-controlled areas; if your lease requires unescorted after-hours access, secure FCI by locking inner doors and cabinets and moving visible documents off desks before close of business. In coworking or multi-tenant spaces, create a controlled enclave inside your suite with a lockable interior door, keep visitor seating outside the enclave, prohibit visitors from using corporate Wi‑Fi by offering a segmented guest SSID, and transport paper FCI in lockable cases to and from conference rooms.
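Steps 2 through 4 define the escort ratio, the fields a visitor log entry must carry, and the periodic spot-check. The Python sketch below is an added example, not part of the original article: it audits a CSV export of a digital visitor log for missing fields, reversed times, and escorts supervising more than three visitors at once. The CSV format, column names, and sample rows are assumptions constructed for illustration.

```python
import csv
import io
from datetime import datetime

# Column names are assumptions derived from the field list in step 3.
REQUIRED = ["date", "visitor", "organization", "purpose", "person_visited",
            "arrival", "departure", "escort", "areas", "badge"]
MAX_PER_ESCORT = 3  # "one escort for up to three visitors" from step 2

# Constructed sample export; names and times are made up.
SAMPLE = """\
date,visitor,organization,purpose,person_visited,arrival,departure,escort,areas,badge
2025-11-03,A. Rivera,Acme HVAC,Maintenance,J. Lee,09:00,10:15,J. Lee,Network closet,V01
2025-11-03,B. Chen,Prime Co,Contract review,M. Ortiz,13:00,14:00,M. Ortiz,Conference room,V02
2025-11-03,C. Dunn,Prime Co,Contract review,M. Ortiz,13:00,14:00,M. Ortiz,Conference room,V03
2025-11-03,D. Evans,Prime Co,Contract review,M. Ortiz,13:05,14:00,M. Ortiz,Conference room,V04
2025-11-03,E. Fox,Prime Co,Contract review,M. Ortiz,13:10,14:00,M. Ortiz,Conference room,V05
2025-11-04,F. Gray,Parcel Svc,Delivery,Reception,11:20,,,Shop office,V01
"""


def _when(row, field):
    return datetime.strptime(f"{row['date']} {row[field]}", "%Y-%m-%d %H:%M")


def audit(csv_text):
    """Return sorted (line_number, finding) pairs for a visitor-log CSV."""
    rows = list(enumerate(csv.DictReader(io.StringIO(csv_text)), start=2))
    findings, complete = [], []
    for line, row in rows:
        missing = [f for f in REQUIRED if not (row.get(f) or "").strip()]
        if missing:
            findings.append((line, "missing: " + ", ".join(missing)))
        elif _when(row, "departure") < _when(row, "arrival"):
            findings.append((line, "departure before arrival"))
        else:
            complete.append((line, row))
    # Escort ratio: at each arrival, count that escort's visitors still on site.
    for line, row in complete:
        start = _when(row, "arrival")
        active = sum(1 for _, o in complete if o["escort"] == row["escort"]
                     and _when(o, "arrival") <= start < _when(o, "departure"))
        if active > MAX_PER_ESCORT:
            findings.append((line, f"escort {row['escort']} has {active} "
                                   f"visitors at once (limit {MAX_PER_ESCORT})"))
    return sorted(findings)


if __name__ == "__main__":
    for line, finding in audit(SAMPLE):
        print(f"line {line}: {finding}")
```

Findings from a run like this can be filed with the spot-check results, alongside the corrective action taken for each flagged entry.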

Train, test, and collect evidence

Train all employees annually and upon hire on the visitor policy, how to challenge unbadged individuals, and how to act as an escort. Run a quarterly tabletop or walk-through where a manager attempts to enter a controlled area without a badge to test staff reactions, then document results and corrective actions. Keep artifacts such as the current visitor policy, floor plan with controlled areas, three to six months of visitor logs, badge inventory records, photos of posted signs, training rosters, and spot-check results. These artifacts directly support a CMMC Level 1 assessment for PE.L1-B.1.IX.

Risks of not implementing

Without escort and monitoring, visitors can shoulder-surf screens, photograph documents, plug rogue devices into open network jacks, or wander into network closets, leading to exposure of FCI, system compromise, or service interruption. Beyond security harm, failure on this basic control can cause assessment findings, delays in contract awards, reputational damage with primes, and potential termination for default if noncompliance becomes systemic. The cost and effort to implement are low compared to the operational and contractual risks of a breach or audit failure.

Summary

Meeting PE.L1-B.1.IX is about disciplined simplicity: define controlled areas for FCI, put a clear visitor policy in place, use a reliable log and visible badges, ensure escorts maintain line-of-sight, and gather evidence that the process works. With small, inexpensive measures like interior door controls, signage, privacy screens, and basic training, a small business can demonstrate effective visitor escort and monitoring and confidently satisfy CMMC Level 1 expectations.
