
How to Meet FAR 52.204-21 / CMMC 2.0 Level 1 - Control - PE.L1-B.1.IX

Practical guide for SMBs to implement FAR 52.204-21 / CMMC 2.0 Level 1 - Control - PE.L1-B.1.IX

January 06, 2026 • 3 min read


Requirement

FAR 52.204-21 / CMMC 2.0 Level 1 - Control - PE.L1-B.1.IX – Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices.

Understanding the Requirement

This control has three parts: visitors must be escorted and their activity monitored; audit logs of physical access must be maintained; and physical access devices (keys, locks, badges, key cards) must be identified, controlled, and managed. As part of FAR 52.204-21 / CMMC 2.0 Level 1, the objective is that non-employees never move unsupervised through areas where Federal Contract Information (FCI) is stored or handled, that there is a record of who physically entered those areas and when, and that every device capable of opening a door is accounted for and can be revoked or rekeyed when it is lost or its holder leaves. Restricting physical access to authorized individuals in the first place is the companion control PE.L1-B.1.VIII; this one covers how that access is supervised, recorded, and kept under control once it exists.

Technical Implementation

  • Visitor escort and badge policy: Create a simple written policy that requires all non-employees to sign in, wear a distinct visitor badge, and be escorted by an authorized employee at all times while in controlled areas. Define controlled areas (where Federal Contract Information or other sensitive assets are located) and distribute the policy to reception, security, and team leads.
  • Audit logging and retention: Implement audit logs for physical access. For SMBs this can be a hybrid approach: electronic badge-reader logs for staff and paper sign-in/sign-out logs for visitors. Whatever the medium, each record should capture who (badge ID or printed name), where (door or area), when (date and time, in and out), and for electronic systems whether access was granted or denied; denials matter because they reveal probing with lost or revoked badges. Specify a retention period (e.g., 1 year) in your policy, store paper records in a locked cabinet, and back up electronic logs to an access-controlled location with regular exports for review.
  • Credential lifecycle and deprovisioning: Maintain a roster that links people to issued physical access devices (keys, badges, key cards), recording serial numbers or badge IDs at issue time. When someone leaves, changes roles, or returns keys, immediately update the roster and revoke badge access in the door control system, then verify the revocation: the next log export should show no granted events for that badge. Implement a checklist for HR and facilities to trigger deprovisioning on termination or role change.
  • Inventory and control of devices: Assign serial numbers or unique IDs to physical devices (keys, key fobs, access cards) and keep an inventory that records current custodian, issue date, and access level. For mechanical keys consider keyed-alike risks (one lost key may open several doors) and rekey locks if keys are lost or not returned; for electronic badges implement role-based access and minimize door groups where practical so that a badge opens only the doors its holder needs.
  • Monitoring and periodic review: Schedule monthly or quarterly reviews of access logs to detect anomalies: entries outside business hours, the same badge used at two sites within an interval too short to travel between them, badges that should have been disabled still being granted access, badge IDs that are not on the roster, and repeated visitor entries without a matching host. Train reception and security staff to escalate unexpected visitors, tailgating, or badge misuse and to document incidents.
  • Low-cost technical controls for SMBs: Where budget is limited, use a single-door badge reader at main entrances, simple CCTV for high-risk zones (with visible signage where your policy or local law requires it), and log exports to an encrypted USB drive or access-controlled cloud storage. Combine these with enforced escorting and regular manual inventory checks to meet the control without heavy investment.
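The periodic log review described under "Monitoring and periodic review", combined with the roster-versus-door-system check from "Credential lifecycle and deprovisioning", as an added Python example. This is not code from the original page or from any badge-reader vendor; the CSV layout, badge IDs, names, business hours and the 15-minute site-transit threshold are all assumptions constructed for the example, and the escort and visitor sign-in steps remain manual and are not covered here.

```python
import csv
import io
from dataclasses import dataclass
from datetime import datetime, time, timedelta

# Constructed sample export from a door-control system (made up for this
# example; no real vendor format). Lines are deliberately not in time order,
# as raw exports often are not. Columns: timestamp, badge_id, door, site, result
BADGE_LOG = """\
timestamp,badge_id,door,site,result
2026-01-05T08:02:11,B1001,main-entrance,HQ,granted
2026-01-05T08:05:40,B1002,main-entrance,HQ,granted
2026-01-05T21:47:19,B1001,main-entrance,HQ,granted
2026-01-05T12:31:05,B1002,lab-door,HQ,granted
2026-01-05T12:34:50,B1002,main-entrance,WAREHOUSE,granted
2026-01-05T09:15:00,B1007,lab-door,HQ,granted
2026-01-05T10:00:00,B9999,main-entrance,HQ,granted
2026-01-05T23:10:00,B1003,main-entrance,HQ,denied
"""

# Constructed roster with hypothetical names. "disabled" means HR and facilities
# have revoked the badge, so a "granted" event for it is a deprovisioning failure.
ROSTER = {
    "B1001": {"name": "A. Rivera", "status": "active"},
    "B1002": {"name": "J. Chen", "status": "active"},
    "B1003": {"name": "M. Okafor", "status": "active"},
    "B1007": {"name": "R. Patel", "status": "disabled"},
}


@dataclass(frozen=True)
class Finding:
    kind: str
    badge_id: str
    detail: str


def parse_log(text):
    """Parse the CSV export into dicts and return them in chronological order."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append({
            "ts": datetime.fromisoformat(row["timestamp"]),
            "badge": row["badge_id"],
            "door": row["door"],
            "site": row["site"],
            "result": row["result"],
        })
    return sorted(events, key=lambda e: e["ts"])


def review(log_text, roster,
           business_hours=(time(7, 0), time(19, 0)),
           min_site_transit=timedelta(minutes=15)):
    """Flag granted events that deserve a human look during the periodic review.

    Denied events are skipped here: a denial shows the door control working,
    although a burst of denials for one badge is still worth reading.
    """
    findings = []
    start, end = business_hours
    granted = [e for e in parse_log(log_text) if e["result"] == "granted"]

    for e in granted:
        where = f"{e['ts'].isoformat()} {e['site']}/{e['door']}"
        entry = roster.get(e["badge"])
        if entry is None:
            findings.append(Finding("unrostered_badge", e["badge"],
                                    f"{where}: badge ID not in roster"))
        elif entry["status"] != "active":
            findings.append(Finding("revoked_badge_granted", e["badge"],
                                    f"{where}: badge of {entry['name']} is "
                                    f"{entry['status']} but was granted access"))
        outside_hours = not (start <= e["ts"].time() < end)
        if outside_hours or e["ts"].weekday() >= 5:  # 5, 6 = Saturday, Sunday
            findings.append(Finding("after_hours", e["badge"],
                                    f"{where}: granted outside business hours"))

    # Same badge granted at two different sites faster than anyone could travel
    # between them: a cloned or shared badge, or a key card lent to someone else.
    last_seen = {}
    for e in granted:
        prev = last_seen.get(e["badge"])
        if prev and prev["site"] != e["site"] and e["ts"] - prev["ts"] < min_site_transit:
            gap = e["ts"] - prev["ts"]
            findings.append(Finding("implausible_site_change", e["badge"],
                                    f"{prev['site']} -> {e['site']} in {gap}"))
        last_seen[e["badge"]] = e
    return findings


if __name__ == "__main__":
    for f in review(BADGE_LOG, ROSTER):
        print(f"[{f.kind}] {f.badge_id}: {f.detail}")
```

Run against the constructed export this flags four events: B1001 entering at 21:47, the disabled badge B1007 still opening the lab door (the deprovisioning check failed), B9999 which nobody issued, and B2002's jump from HQ to the warehouse in under four minutes. The denied 23:10 attempt by B1003 is not flagged because the reader refused it. The point for the quarterly review is that the roster is the source of truth: an export is only useful once it is reconciled against who is supposed to hold which device.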

Example in a Small or Medium Business

A 35-person engineering firm that recently won a contract requiring controlled handling of Federal Contract Information (FCI) sets up a straightforward visitor process. Reception is instructed to check IDs, have all non-employees sign a paper log with time in and out, and issue a distinct visitor badge that must be visible at all times. Visitors are either escorted by the host or directed to a designated public area, outside the controlled areas, for meetings. Employees are issued proximity badges tied to their name and role; the facilities manager keeps an electronic roster mapping badge IDs to staff and responsibilities. When an engineer retires, HR notifies facilities, the badge is disabled within hours, returned keys are recorded against serial numbers and marked in the inventory, and the next monthly log export is checked to confirm the disabled badge shows no granted events. The company retains visitor sign-in sheets in a locked cabinet for one year, exports monthly badge logs to a secured folder for quarterly review, and documents any incidents (unauthorized access or tailgating) to improve procedures. Over time they add a badge reader at the main entrance so visitors cannot enter without reception verification, reducing unescorted entries.

Summary

Combining clear policy (escort, badge and sign-in requirements, retention periods) with measurable technical steps (badge readers, log retention, device inventories, and deprovisioning processes) gives SMBs a practical path to meet PE.L1-B.1.IX. These measures ensure only authorized individuals access systems and equipment, visitor activity is monitored and recorded, and physical access devices are tracked and controlled—reducing the risk of accidental or malicious exposure of sensitive information while remaining achievable for small organizations.
