Meeting FAR 52.204-21 and CMMC 2.0 Level 1 PE.L1-B.1.IX requires establishing reliable physical access audit logs so you can show who entered spaces where Federal Contract Information (FCI) may be stored or accessed, when they entered, and whether any anomalous access occurred — and this post shows practical, small-business-friendly steps to create and maintain those logs.
What the requirement means in practice (Compliance Framework context)
Under the Compliance Framework practice, the objective is to implement a repeatable, auditable process for recording physical access events to locations that contain or could access FCI. That means logging badge swipes, manually recorded visitor sign-ins, door forced/open events, and linking video timestamps when available. FAR and CMMC Level 1 do not prescribe a single technology; they require evidence that access is limited to authorized personnel and that access activity can be reviewed. Your implementation must therefore produce tamper-evident records, retain them for a defensible period, and make them available for periodic review and incident investigations.
Practical implementation steps (small business roadmap)
Start by scoping: list all controlled entry points (exterior doors, server closets, office suites). For each door, choose a logging method: electronic badge readers (preferred), door contact sensors that report forced/open events, camera systems with timestamped recordings, and a signed visitor log for occasional guests. For a small business of 5–50 people you can implement a hybrid approach: use cloud-managed badge systems (e.g., Openpath, Kisi, or commercial offerings from Allegion/HID) to capture automated events, and maintain a paper or tablet-based visitor sign-in that captures name, company, time in/out, and host. Ensure each method produces a timestamped entry and a unique identifier for the person or device.
Technical details to make logs reliable and auditable
Design the logging pipeline with integrity in mind. Configure all controllers and cameras to use NTP and store timestamps in UTC/RFC 3339 format. Send electronic access events to a central log collector using syslog/TLS or the vendor's secure API. Ingest logs into a centralized store (simple options for small businesses: a dedicated syslog server, an Elastic stack, or cloud storage such as AWS S3). Configure log rotation and retention policies: a recommended baseline is 180–365 days for physical access logs, unless contract language requires otherwise. Protect logs by restricting access via role-based access control, enable immutable storage where possible (S3 Object Lock, write-once media, or vendor "audit-only" export), and compute and store a periodic SHA-256 hash of log files to detect tampering.
Example scenario: 12-person defense contractor
Scenario: Acme Engineering has a single office with a server closet and open office space where laptops that process FCI are kept. Acme uses a cloud badge system for the front door and a mechanical lock for the server closet. Implementation: install an inexpensive smart deadbolt with audit capability on the server closet (Z-Wave or HID small-form controller) and integrate its events to the cloud dashboard. For visitor control, use a tablet-based check-in app that emails signed PDFs to security@acme.com and stores logs in S3 with Object Lock enabled. Configure cameras to keep 30 days of footage and export metadata to the central log. Weekly, the office manager runs a CSV export of badge events, computes SHA-256 checksums, and copies logs to a secure USB kept in a locked safe as a secondary store. This gives a demonstrable chain of custody and stored artifacts for an auditor.
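The weekly hashing step in this scenario, and the periodic SHA-256 hash recommended in the technical section above, as an added example that is not code from the original post: a small Python script builds a manifest of SHA-256 hashes over the exported CSV files, chains each week's manifest to the previous one so that a later edit to an old export or manifest is detectable, and verifies a stored copy. The CSV content, file names and the chaining scheme are constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample: one week's badge-event CSV export (not real data).
BADGE_EXPORT_CSV = b"""timestamp,door,badge_id,result
2024-03-04T07:58:12Z,front-door,B1041,granted
2024-03-04T12:03:45Z,server-closet,B1007,granted
2024-03-05T22:41:09Z,front-door,B1041,granted
"""

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_manifest(files: dict, previous_manifest_hash: str = "", created_utc: str = "") -> dict:
    """Hash every exported file and record the hash of last week's manifest.

    Chaining means editing an old export (or old manifest) breaks every manifest
    after it, so the reviewer only has to trust the newest copy (e.g. the USB in the safe).
    """
    if not created_utc:
        created_utc = datetime.now(timezone.utc).isoformat(timespec="seconds")
    return {
        "created_utc": created_utc,
        "previous_manifest_sha256": previous_manifest_hash,
        "files": {name: sha256_hex(data) for name, data in sorted(files.items())},
    }

def manifest_hash(manifest: dict) -> str:
    # Canonical JSON (sorted keys) so the same manifest always hashes identically.
    return sha256_hex(json.dumps(manifest, sort_keys=True).encode())

def verify_files(manifest: dict, files: dict) -> list:
    """Compare stored hashes against the files on hand; [] means all intact."""
    problems = []
    for name, expected in manifest["files"].items():
        if name not in files:
            problems.append(f"missing: {name}")
        elif sha256_hex(files[name]) != expected:
            problems.append(f"modified: {name}")
    for name in files:
        if name not in manifest["files"]:
            problems.append(f"unexpected: {name}")
    return problems

def verify_chain(manifests: list) -> bool:
    """True if each manifest's previous-hash field matches the manifest before it."""
    return all(manifests[i]["previous_manifest_sha256"] == manifest_hash(manifests[i - 1])
               for i in range(1, len(manifests)))
```

Store each week's manifest alongside the exports in the immutable store and on the offline copy; an auditor can then re-run the verification against either copy.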
Log review, alerting, and incident response
Logging without review is low value. Define a review cadence: automated daily alerting for critical events (access outside business hours, door forced-open, access to server closet by non-admins) and human triage weekly/monthly. Configure alerts via email/SMS or integrate with a lightweight SIEM or monitoring tool to reduce noise — thresholds for small teams might be any after-hours entry or three failed access attempts within five minutes. Document escalation procedures: who is contacted, how video is pulled, and how evidence is preserved. Include checklists so any staff member can export the relevant log slices and transfer them to immutable storage in response to an incident.
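The alert rules described above (after-hours entry, forced-open doors, non-admin access to the server closet, and three failed attempts within five minutes), run over a constructed badge export as an added example that is not code from the original post. Business hours of 07:00-19:00 Monday to Friday (treated as UTC for simplicity), the admin badge list and the event CSV are assumptions for the example.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export, UTC timestamps in RFC 3339 form (not real data).
SAMPLE_EVENTS_CSV = """timestamp,door,badge_id,event
2024-03-04T08:02:10Z,front-door,B1041,granted
2024-03-04T13:15:00Z,server-closet,B1007,granted
2024-03-04T13:20:30Z,server-closet,B1041,granted
2024-03-04T13:21:05Z,server-closet,B1041,denied
2024-03-04T13:22:40Z,server-closet,B1041,denied
2024-03-04T13:24:10Z,server-closet,B1041,denied
2024-03-04T23:10:00Z,front-door,B1023,granted
2024-03-05T03:00:00Z,rear-door,,forced-open
"""

# Assumed policy values: business hours 07:00-19:00 Mon-Fri, one admin badge for the closet.
BUSINESS_HOURS = (7, 19)
SERVER_CLOSET_ADMINS = {"B1007"}
FAILED_THRESHOLD = 3
FAILED_WINDOW = timedelta(minutes=5)

def parse_events(text):
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["ts"] = datetime.strptime(r["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(rows, key=lambda r: r["ts"])

def after_hours(ts):
    return ts.weekday() >= 5 or not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1])

def find_alerts(events):  # returns (rule, timestamp, detail) tuples for human triage
    alerts = []
    recent_failures = {}  # badge_id -> timestamps of denials inside the window
    for e in events:
        ts, door, badge, kind = e["ts"], e["door"], e["badge_id"], e["event"]
        if kind == "forced-open":
            alerts.append(("forced-open", e["timestamp"], door))
        if kind == "granted" and after_hours(ts):
            alerts.append(("after-hours", e["timestamp"], f"{badge}@{door}"))
        if kind == "granted" and door == "server-closet" and badge not in SERVER_CLOSET_ADMINS:
            alerts.append(("non-admin-server-closet", e["timestamp"], badge))
        if kind == "denied":
            window = [t for t in recent_failures.get(badge, []) if ts - t < FAILED_WINDOW]
            window.append(ts)
            recent_failures[badge] = window
            if len(window) == FAILED_THRESHOLD:  # alert once when the threshold is hit
                alerts.append(("repeated-denials", e["timestamp"], f"{badge}@{door}"))
    return alerts
```

Each returned tuple carries the original timestamp string so the reviewer can pull the matching video slice and preserve the log lines unchanged.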
Retention, protection, and documentation best practices
Best practices include defined retention in your security policy (e.g., "Physical access logs will be retained for a minimum of 180 days"), integrity controls (periodic hashing and restricted access), and documented procedures for log acquisition during an investigation. Keep an inventory that maps each log source to its retention and owner (e.g., Front Door Badge — CloudVendorX — Security Lead). If you use third-party vendors, maintain a contract addendum that requires timely access to audit logs and describes export formats (CSV, JSON) and API endpoints so you can produce evidence without vendor delays.
Risks of not implementing physical access audit logs
Without reliable physical access logs you face heightened risk of unauthorized access to FCI, inability to investigate suspected compromises, failure in contractual compliance (which can lead to losing government contracts), and reputational harm. Practical consequences include missed indicators of compromise (for example, a contractor entering a workspace at night and removing an unencrypted laptop) and an inability to demonstrate due care during an audit; either can trigger corrective action plans or contract termination.
In summary, small businesses can meet FAR 52.204-21 and CMMC 2.0 Level 1 PE.L1-B.1.IX by scoping controlled areas, deploying reliable log-producing devices, centralizing and protecting logs (timestamps, NTP, hashing, immutable storage), establishing review and alerting processes, documenting retention and procedures, and training staff on evidence preservation—an approach that is practical, affordable, and demonstrable to auditors.