Physical Access Logs
Maintain audit logs of physical access.
What an assessor scores, the objectives
PE.L2-3.10.4 is met only when every one of these 1 objectives, from NIST SP 800-171A, is satisfied. A single missed objective makes the whole requirement not met.
- a.audit logs of physical access are maintained
How a C3PAO checks it
NIST SP 800-171A defines three assessment methods. For PE.L2-3.10.4, an assessor uses these:
Physical and environmental protection policy; procedures addressing physical access control; system security plan; physical access control logs or records; inventory records of physical access control devices; system entry and exit points; records of key and lock combina tion changes; storage locations for physical access control devices; physical access control devices; list of security safeguards controlling access to designated publicly accessible areas within facility; other relevant documents or records
Personnel with physical access control responsibilities; personnel with information security responsibilities
Organizational processes for physical access control; mechanisms supporting or implementing physical access control; physical access control devices
What it means, in context
Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural (e.g., written log of individuals accessing the facility), automated (e.g., capturing ID provided by a PIV card), or some combination thereof. Physical access points can include facility access points, interior access points to systems or system components requiring supplemental access controls, or both . System components (e.g., w orkstations, notebook computers) may be in areas designated as publicly accessible with organizations safeguarding access to such devices.
Make sure you have a record of who accesses your facility (e.g., office, plant, factory). You can do this in writing by having employees and visitors sign in and sign out or by electronic means such as badge readers. Whatever means you use, you need to retain the access records for the time period that your company has defined. Example You and your cow orkers like to have friends and family join you for lunch at the office on Fridays. Your small company has just signed a contract with the DoD, however, and you now need to document who enters and leaves your facility. You work with the reception staff to ensure that all non-employees sign in at the reception area and sign out when they leave [a]. You retain those paper sign- in sheets in a locked filing cabinet for one year. Employees receive badges or key cards that enable tracking and logging access to company facilities. Potential Assessment Considerations • Are logs of physical access to sensitive areas (both authorized access and visitor access) maintained per retention requirements [a]? • Are visitor access records retained for as long as required [a]?
What passing evidence looks like
The physical access log itself: a visitor and access log book or badge system export with real entries. This requirement can never sit on a POA&M.
Common ways contractors fail PE.L2-3.10.4
- !POA&M blocked: must be MET on assessment day.
- !Empty logs read as unused. Start the log now so it has months of real entries by assessment.
The step by step walkthrough for Microsoft 365 GCC High, Google Workspace, and on premises setups, plus the exact evidence to capture, lives inside the Level 2 Accelerator.
Prove PE.L2-3.10.4, and the other 109
The Level 2 Accelerator walks all 110 requirements with you, generates your SSP, POA&M, and Audit Room from real evidence, includes the full Level 1 platform, and puts a credentialed officer alongside you for 180 days. Filed in 180 days, or we work free until you are.
No credit card. Phase 2 begins Nov 10, 2026, when applicable DoD solicitations start requiring a current Level 2 status to win the award.
PE.L2-3.10.4 questions, answered
How many points is CMMC requirement PE.L2-3.10.4 worth?+
PE.L2-3.10.4 is worth 1 point in the CMMC Level 2 score under 32 CFR 170.24. If it is not met, you lose 1 from your total of 110.
Can PE.L2-3.10.4 be placed on a POA&M?+
No. PE.L2-3.10.4 must be fully met before you can file. It cannot be deferred to a POA&M, so it is a gate on your assessment.
What family does PE.L2-3.10.4 belong to?+
PE.L2-3.10.4 is in the Physical Protection (PE) family, one of the 14 families of NIST SP 800-171 that make up CMMC Level 2.
- NIST SP 800-171 Rev. 2 3.10.4
- FAR Clause 52.204-21 Partial b.1.ix