This post explains, step-by-step, how to implement and maintain audit logs of physical access to satisfy NIST SP 800-171 Rev. 2 / CMMC 2.0 Level 2 control PE.L2-3.10.4, with practical configuration details, small-business examples, and compliance tips so you can create an auditable, secure trail for Controlled Unclassified Information (CUI).
What this control requires and why it matters
At its core, PE.L2-3.10.4 requires organizations to capture auditable records of physical access events—who accessed which area, when, and whether access succeeded or failed—so investigators and compliance reviewers can reconstruct physical activity around CUI. For small businesses that handle CUI (e.g., defense subcontractors), this provides accountability and helps detect unauthorized entry, tailgating, or insider misuse; it is also often referenced in contract language and security assessments.
Step-by-step implementation plan
1) Define scope and logging points
Start by documenting all physical control points that protect spaces where CUI is stored or processed: exterior doors, server rooms, mantraps, mailrooms, and any shared rooms. For each point list the log sources you will capture: badge readers (card/PIN), door controller telemetry (open/close), turnstiles, visitor sign-in kiosks, and CCTV motion/event metadata. This scope document becomes part of your System Security Plan (SSP) for compliance evidence.
2) Choose log schema and minimum fields
Standardize what each physical access record must contain. At minimum include: an ISO 8601 UTC timestamp, device ID (door/controller), location name, credential ID (badge number), subject name (when resolvable), event type (enter/exit/failed-auth), result (granted/denied), reader direction, and a unique event ID. Use a structured format such as JSON, Common Event Format (CEF), or LEEF to simplify downstream parsing and SIEM ingestion.
3) Ensure accurate time and secure transport
Time accuracy is essential for correlating events with system logs and video. Configure door controllers, badge readers, video systems, and log collectors to sync to an internal NTP pool (or a reliable external NTP service) using authenticated NTP where possible. Transmit logs securely (TLS 1.2+ with certificate validation) to a centralized collector or SIEM; for legacy devices that only support unsecured syslog, use an on-premises forwarder to upgrade transport security.
4) Centralize collection, integrity, and retention
Centralize logs in a hardened log server or cloud SIEM. Apply immutability and integrity controls: enable WORM or Object Lock (e.g., AWS S3 Object Lock), hash records (SHA-256) and store the hashes separately, or sign logs with an HSM-backed key, so that tampering is detectable. Define a retention policy based on contract and risk—common small-business practice is 3 years for physical access logs tied to CUI, but validate this against your prime contracts and any applicable DFARS clause. Automate secure backups and test restores periodically.
5) Access controls, monitoring, and alerting
Restrict access to the centralized logs with role-based access control and MFA for analysts. Maintain an audit trail of who accessed the logs and when. Create automated alerts for key events: after-hours access to CUI areas, denied access followed by a grant (possible badge sharing), repeated failed attempts (reconnaissance), and access from deprovisioned badges. Correlate with CCTV (e.g., time-synced video clip) to validate suspicious activity and reduce false positives.
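The four alert rules above, run over a constructed sample of step 2-style records, as an added Python example that is not part of the original post; the CUI areas, deprovisioned badge list, business hours, thresholds and site time zone are assumed values.

```python
from datetime import datetime, timedelta, timezone

# Constructed reference data; a real deployment pulls these from the SSP and the badge/HR system.
CUI_AREAS = {"Server Room A"}
DEPROVISIONED_BADGES = {"badge-9001"}
BUSINESS_HOURS = (7, 19)              # 07:00-19:00 local time counts as normal hours
FAIL_THRESHOLD, WINDOW = 3, timedelta(minutes=10)
LOCAL_TZ = timezone.utc               # assumption: the site runs on UTC in this example

def detect(events: list) -> list:
    """Apply the step-5 alert rules to step-2 records and return (rule, event_id) pairs."""
    alerts, failures, last_denied = [], {}, {}   # failures: badge -> denial times; last_denied: door -> time
    for e in sorted(events, key=lambda r: r["timestamp"]):
        t = datetime.fromisoformat(e["timestamp"].replace("Z", "+00:00"))
        cred, dev = e["credential_id"], e["device_id"]
        if cred in DEPROVISIONED_BADGES:
            alerts.append(("deprovisioned_badge", e["event_id"]))
        if e["result"] == "granted":
            hour = t.astimezone(LOCAL_TZ).hour
            if e["location"] in CUI_AREAS and not BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1]:
                alerts.append(("after_hours_cui_access", e["event_id"]))
            # A denial at this door shortly before a grant can indicate badge sharing.
            if dev in last_denied and t - last_denied[dev] <= WINDOW:
                alerts.append(("denied_then_granted", e["event_id"]))
        else:
            last_denied[dev] = t
            recent = [x for x in failures.get(cred, []) if t - x <= WINDOW] + [t]
            failures[cred] = recent
            if len(recent) == FAIL_THRESHOLD:   # fire once, when the threshold is first reached
                alerts.append(("repeated_failures", e["event_id"]))
    return alerts

def ev(eid, ts, cred, dev, loc, result):  # one record in the step-2 schema; unused fields fixed
    return {"event_id": eid, "timestamp": ts, "device_id": dev, "location": loc,
            "credential_id": cred, "subject": None, "event_type": "enter",
            "result": result, "direction": "in"}

SAMPLE_LOG = [  # constructed: three denials, an after-hours grant at the same door, a retired badge
    ev("evt-1", "2024-03-05T02:14:07Z", "badge-4471", "door-ctl-03", "Server Room A", "denied"),
    ev("evt-2", "2024-03-05T02:15:02Z", "badge-4471", "door-ctl-03", "Server Room A", "denied"),
    ev("evt-3", "2024-03-05T02:16:40Z", "badge-4471", "door-ctl-03", "Server Room A", "denied"),
    ev("evt-4", "2024-03-05T02:17:15Z", "badge-1200", "door-ctl-03", "Server Room A", "granted"),
    ev("evt-5", "2024-03-05T09:30:00Z", "badge-9001", "door-ctl-01", "Lobby", "granted"),
    ev("evt-6", "2024-03-05T10:00:00Z", "badge-1200", "door-ctl-03", "Server Room A", "granted"),
]

if __name__ == "__main__":
    for rule, eid in detect(SAMPLE_LOG):
        print(f"ALERT {rule}: {eid}")
```

The last grant (evt-6) raises nothing because the earlier denial at that door is outside the 10-minute window and the access is within business hours.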
Real-world small-business examples and scenarios
Example 1: A 20-person defense subcontractor deploys cloud-managed badge readers (SaaS) and integrates them with their SIEM using the vendor’s secure webhook. They configure events to include badge ID, door ID, UTC timestamp, and success/failure. Retention is set to 3 years with S3 Object Lock; alerts for after-hours CUI-room access notify the security lead via email and Slack.
Example 2: A small lab uses an on-premises access controller that only supports plaintext syslog; they implement a Raspberry Pi forwarder that receives local syslog and then forwards to the SIEM over TLS after canonicalizing each message into JSON and appending an HMAC to detect alteration.
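The canonical-JSON-plus-HMAC step from Example 2, combined with the step 2 minimum-field check and the step 4 per-record SHA-256 digest, as an added Python example that is not part of the original post; the key, field names and sample event are constructed placeholders.

```python
import hashlib
import hmac
import json
from datetime import datetime

# Constructed example key: in practice the forwarder loads it from an HSM or a secret store.
FORWARDER_KEY = b"example-forwarder-key-do-not-use"

# Minimum fields from step 2 that every physical access record must carry.
REQUIRED_FIELDS = ("event_id", "timestamp", "device_id", "location", "credential_id",
                   "subject", "event_type", "result", "direction")

def canonicalize(record: dict) -> bytes:
    """Serialize deterministically (sorted keys, no whitespace) so equal events give equal bytes."""
    missing = [f for f in REQUIRED_FIELDS if f not in record]
    if missing:
        raise ValueError(f"record missing required fields: {missing}")
    # Timestamp must be ISO 8601; 'Z' is rewritten so fromisoformat accepts it on older Pythons.
    datetime.fromisoformat(record["timestamp"].replace("Z", "+00:00"))
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def seal(record: dict, key: bytes = FORWARDER_KEY) -> dict:
    """Attach a SHA-256 digest (to be stored separately, step 4) and an HMAC tag (Example 2)."""
    body = canonicalize(record)
    return {"record": record,
            "sha256": hashlib.sha256(body).hexdigest(),
            "hmac": hmac.new(key, body, hashlib.sha256).hexdigest()}

def verify(sealed: dict, key: bytes = FORWARDER_KEY) -> bool:
    """Recompute the HMAC over the canonical record; any altered field makes this False."""
    body = canonicalize(sealed["record"])
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["hmac"])

# Constructed sample event, as the forwarder would emit it after parsing one syslog line.
SAMPLE_EVENT = {
    "event_id": "evt-0001", "timestamp": "2024-03-05T02:14:07Z",
    "device_id": "door-ctl-03", "location": "Server Room A",
    "credential_id": "badge-4471", "subject": "J. Example",
    "event_type": "enter", "result": "denied", "direction": "in",
}

if __name__ == "__main__":
    sealed = seal(SAMPLE_EVENT)
    tampered = {**sealed, "record": {**sealed["record"], "result": "granted"}}
    print("original verifies:", verify(sealed), "| tampered verifies:", verify(tampered))
```

The SIEM side needs the same key (or the HSM-held equivalent) to call verify; changing any field, including flipping a denial to a grant, fails the check.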
Compliance tips and best practices
Keep these practical tips in mind: map each log source to CUI locations in your SSP; use automated correlation to reduce manual log review workload; include video clip retention tied to physical access events; enforce least privilege on log access and periodically audit who can view/modify logs; document your retention justification—whether contractual, legal, or risk-based—to defend your retention choices during assessment; and perform quarterly tabletop exercises that simulate an access incident to validate that logs, alerts, and video provide the expected trail.
Risks of not implementing this control
Failing to maintain physical access logs increases risk of undetected unauthorized access to CUI, weakens incident investigations, and can result in failed assessments, contract penalties, or loss of eligibility for future government work. Operationally, lack of logs means you cannot prove who entered a protected space after a data spill or theft, which hinders containment and forensic analysis and prolongs remediation and notification timelines.
Summary
Implementing PE.L2-3.10.4 is a practical, technical project: scope your protected spaces, standardize log fields, centralize and secure log transport and storage, enforce immutability and access controls, and automate monitoring and alerts. For small businesses, use managed services where appropriate to lower operational burden, but retain control over retention, integrity, and access authorization. With a documented plan, testable processes, and the technical controls outlined above (time sync, TLS, JSON/CEF logging, WORM storage, SIEM correlation), you’ll be able to demonstrate compliance and, more importantly, reduce the risk to CUI from physical threats.