PE.L1-b.1.ix
Escort visitors, log access, manage keys
Visitors don't roam unaccompanied through areas that hold FCI. You keep a simple log of who came in and when, and you keep track of the keys / badges that let people into those areas. "Visitors" includes vendors, delivery drivers entering past the front desk, and subcontractors not on your team.
Official text
“Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices.”
— FAR 52.204-21(b)(1)(ix), CMMC Level 1 v2.13 Assessment Guide
What evidence satisfies this
Any one of these, by itself, won't satisfy the practice — but showing a few of them together is what an assessor or a prime contractor expects to see:
- ✓ A visitor log book at the front desk (paper is fine).
- ✓ A keyholder roster: who has a key to the office, the trailer, the file cabinet, the server closet.
- ✓ Escort policy: "visitors do not enter the shop floor / trailer unaccompanied."
- ✓ Badge / key audit done annually, returned keys logged on departure.
- ✓ A line on the offboarding checklist: "collect badge / keys."
Common ways small shops fail this
- ✗ No visitor log at all — delivery drivers and HVAC techs walk through the office unsupervised.
- ✗ Keys handed out years ago and never tracked when employees left.
- ✗ Subs from another company unescorted in the trailer.
- ✗ Cleaning crew with a master key never vetted or logged.
- ✗ Lost badge / key not reported, locks never re-keyed.
How to fix it in a weekend
1. Put a notebook at the front desk: visitor name, company, time in, time out, escort.
2. Build a one-page key roster. Update it when someone leaves, and collect their keys.
3. Write a one-sentence "visitors must be escorted past the front desk" rule and post it.
4. Re-key any lock that gives access to FCI areas when keys go missing.
5. Schedule a quarterly badge / key audit on the calendar.
FAQ
FAR has three sub-parts here ((ix), audit log, and key control). Aren't those three separate practices?
In the CMMC L1 model and the FAR text, those three actions sit under a single safeguarding requirement at (b)(1)(ix). User-facing, this counts as one practice — practice 9 of 15. The three pieces (escort, log, key control) all have to be present for the practice to be MET. The legacy 800-171 mapping splits them into three practices for internal auditing purposes only.