3.10.4 — Log Physical Access

The One-Liner

If the assessor asks who entered your server room last Tuesday, can you answer?

What It Says

Maintain audit logs of physical access.

What It Actually Means

Keep records of who accesses secured areas — badge swipe logs, sign-in sheets, camera footage. Retain for the same period as your digital audit logs (typically 90 days minimum, one year preferred). Review periodically for anomalies — unusual after-hours access, unknown individuals, access by people no longer authorized.

---

Pass or Fail

Your assessor needs a “yes” to every row:

#	Question	What “yes” looks like
1	Are physical access audit logs maintained?	Badge logs, sign-in sheets, and camera footage retained per defined retention period

---

What to Have Ready on Assessment Day

Documents they’ll review: Physical and environmental protection policy; physical access log retention policy; badge reader logs; visitor sign-in sheets; camera footage retention settings; system security plan

People they’ll talk to: Personnel with physical access responsibilities; information security personnel

Live demos they’ll ask for: “Show me the physical access log for the server room.” “Pull up who entered last Tuesday.” “How long are badge logs retained?” “Show me the visitor sign-in sheets from the past month.”

---

The Assessor’s Playbook

These are the actual questions. Have answers ready.

• “Show me the physical access log for the server room.”
• “How long do you retain badge access logs?”
• “Show me visitor sign-in records from the past month.”
• “Do you review physical access logs? How often?”

Real-World Example

A defense contractor’s badge access system logs every entry to the server room and CUI work area — retained for one year. Visitor sign-in sheets are scanned and filed monthly. Camera footage is retained 30 days. The IT Security Lead reviews badge access logs monthly for anomalies (after-hours access, unknown badge IDs). The assessor asks for server room access records from the previous month and the admin produces the badge log within minutes.

---

Where Companies Trip Up

No logs. Door is locked but no record of who enters. Badge readers with logging solve this. Manual sign-in sheets are acceptable for areas without badge readers.

Logs not retained. Badge logs overwritten after 7 days. Configure retention to match your digital log retention policy.

No review. Logs exist but nobody looks at them. Monthly review for anomalies.

---

How to Talk About This

To a CEO or Board

Complete records of who accesses every secured area and when — badge logs retained for one year, reviewed monthly.

To an Engineering Team

Badge access logs retained 1 year. Visitor sign-in sheets scanned and filed. Camera footage 30 days. Monthly review for anomalies. Manual sign-in for areas without badge readers.

---

Connected Requirements

Requirement	Why it matters here
3.10.1 — Lock the Doors	Access controls that generate the logs
3.10.3 — Escort Every Visitor	Visitor logs are a subset of physical access logs
3.3.1 — Log Everything	Physical access logs complement digital audit logs

---

Implementation (coming soon)

Step-by-step setup for Microsoft 365 / Entra ID, AWS, Azure, and GCP — console steps, CLI commands, and evidence screenshots.

---

CMMC Practice ID: PE.L2-3.10.4 | SPRS Weight: 1 point | POA&M Eligible: Yes