CMMC Physical Security Requirements

Visitor Logs, Escort Rules, and Walkthrough Evidence

Physical security surprises contractors more than any other CMMC domain. Organizations spend months on network architecture and SSP documentation — and then an assessor watches a delivery driver walk unescorted through the loading dock.

The CMMC Physical Protection (PE) domain covers six practices from NIST SP 800-171: limiting physical access, escorting visitors, maintaining physical access logs, managing access devices, monitoring the facility, and safeguarding alternate work sites. All six apply to every location where CUI is present — office, lab, warehouse, or home office.

Physical protection is evaluated with the same rigor as technical controls — and it is verified against what an assessor sees, not just what the SSP describes.

The Six Physical Protection Practices at a Glance

PE.L1-3.10.1
Limit Physical Access

Maintain a documented authorized access list. Enforce it with locked doors, cipher locks, or badge readers. Cross-reference with your logical access list — if only four people handle CUI, four people should have physical access to the CUI room.

PE.L1-3.10.3
Escort Visitors

Every non-authorized visitor in a non-public area must be escorted and monitored. This includes delivery personnel, vendors, and subcontractors. Visitor badges identify unescorted individuals in common areas.

PE.L1-3.10.4
Physical Access Logs

Maintain audit records of who enters and exits restricted areas. Paper sign-in sheets, badge reader exports, and digital visitor management systems all qualify. The log must cover every entry point — not just the front desk.

PE.L1-3.10.5
Manage Physical Access Devices

Inventory every key, badge, and cipher code. Document who holds each device. Change codes and retrieve keys when employees leave. Keep the history of those changes — assessors will ask for it.

PE.L2-3.10.2
Monitor Facility

Install and actively monitor security cameras covering CUI room entry points. Retain recordings per policy. Secure the recording server — it is now an in-scope asset that must be inventoried and documented in your SSP.

PE.L2-3.10.6
Alternate Work Sites

CUI at home offices requires documented physical safeguards. Acceptable Use Policy must address workspace privacy and device security. Evaluated through policy review and employee interviews.

Physical Security Evidence: The Examine / Interview / Test Matrix

Control: PE.L1-3.10.1 Limit Access
  Examine: Physical access policy; authorized access list; termination/transfer records showing access revoked
  Interview: Who is on the authorized access list? How is it updated when someone transfers or is terminated?
  Test: Verify a recently terminated employee's badge/key has been revoked — attempt access using old credentials

Control: PE.L1-3.10.3 Escort Visitors
  Examine: Visitor escort policy; visitor log entries showing escort assignment; visitor badge issuance records
  Interview: Walk the assessor through your visitor arrival process — from front desk sign-in through escort assignment
  Test: Observe a visitor reception scenario; verify delivery personnel entering via alternate entrances are also escorted

Control: PE.L1-3.10.4 Access Logs
  Examine: Physical access log (paper or digital); badge reader exports showing entry/exit timestamps
  Interview: Who reviews the access logs? How often? What happens if an anomaly is detected?
  Test: Attempt an unauthorized entry and verify the attempt is logged; confirm logs are protected from tampering

Control: PE.L1-3.10.5 Access Devices
  Examine: Key/badge inventory showing who holds each device; issuance and return records; code change history
  Interview: What is the process when an employee leaves — how are keys, badges, and codes recovered or changed?
  Test: Verify the key/badge inventory matches current authorized personnel; confirm codes were changed after last termination

Control: PE.L2-3.10.2 Monitor Facility
  Examine: Camera deployment policy; coverage diagram; recording retention schedule; secured DVR location
  Interview: Who monitors cameras and how often? Where are recordings stored and who has access?
  Test: Verify camera recordings are stored in a secured location accessible only to authorized personnel

Control: PE.L2-3.10.6 Alternate Sites
  Examine: Remote work policy; AUP for home offices; physical controls documentation
  Interview: How does the policy address physical CUI protection at home offices? What are employee obligations?
  Test: Review a sample of remote employees — confirm CUI devices are not accessible to family members or visitors

The Window Trap and Other Boundary Failures

The Problem: Cipher Lock + Transparent Window

Physical entry is blocked by a cipher-locked door. But an unescorted factory worker standing in the adjacent hallway has a direct line of sight to a CUI monitor through a glass partition.

The door control passes. The physical boundary fails. CMMC requires that CUI cannot be visually accessed by unauthorized individuals — not just that they cannot physically enter.

The Fix: Opaque Barrier Eliminates Line of Sight

Physical boundaries must prevent both entry and observation. Solutions include:

  • Frosted window film — blocks line of sight while preserving light
  • Privacy screens on monitors facing windows or openings
  • Opaque partitions replacing transparent glass walls
  • Monitor repositioning so screens face away from observation points

A cipher lock that stops unauthorized entry does not stop unauthorized observation. If an unescorted worker can look through a window and read CUI on a monitor, the physical boundary has failed — regardless of what the door controls say.

Five Common Failures That Derail Assessments

  • Unescorted Loading Dock

    A perfect front lobby log means nothing if delivery drivers enter through the back unescorted. All entry points — including loading docks, emergency exits, and vendor entrances — must be covered.

  • Window Trap

    A cipher lock on the door does not protect CUI if an unauthorized employee can look through a glass window and read a monitor. Windows must be frosted, blocked, or monitors repositioned.

  • Missing Placards

    CUI rooms must have clearly visible warning indicators at the entrance. Assessors confirm this during the walkthrough — missing or hidden placards are immediate findings.

  • Camera Recording Server

    The DVR or NVR storing security footage is an in-scope asset. It must be access-controlled, inventoried, and documented in the SSP — just like any other CUI-adjacent system.

  • Printers in Common Areas

    Output devices that can print CUI must be physically restricted. A printer in an open break room visible to unauthorized personnel is a physical boundary failure, regardless of access controls on the print queue.

Walkthrough Strategy: Consistency Between Policy and Practice

Whether conducted on-site or by live video, the walkthrough tests whether your SSP matches your facility. Brief your walkthrough guide on every camera angle, cipher lock location, placard placement, and visitor log position. An unprepared guide signals poor control awareness — even if every control is actually in place.

Live Assessment Walkthrough — Assessor Checklist

Entry Points & Access Control

  • All entry points identified: front, rear, loading dock, emergency exits — every door that leads to a CUI area. Verified by camera or physical observation of all entry points.

  • Cipher lock / badge reader functional: demonstrated live — assessor may request a badge swipe or code entry. Verified by live demonstration on camera.

  • CUI room placard visible at entrance: signage posted at every restricted area — confirmed during walkthrough. Verified by camera aimed at entrance signage.

Observation & Line of Sight

  • No unobstructed windows into CUI areas: glass walls, partitions, or windows facing common areas must be frosted or blocked. Verified by a camera sweep of hallway-facing windows.

  • Monitor positioning: screens displaying CUI cannot be visible from outside the restricted area. Assessor confirms from the corridor view.

Visitor & Access Logs

  • Visitor log shown and current: paper or digital — must show recent entries with escort assigned. Verified by camera on the log book or by screen share.

  • Badge/key inventory current: list matches current authorized personnel — no terminated employees still listed. Verified by document review and interview.

Cameras & Recording

  • Camera coverage confirmed: entry points to CUI areas on camera — no blind spots at access-controlled doors. Verified by live camera feed shown to the assessor.

  • Recording server secured and inventoried: DVR/NVR in a locked room — access controlled and documented in the SSP. Verified by physical or camera confirmation of the locked location.

Your SSP says "physical access is limited to authorized personnel." Your assessor's job is to verify whether the physical reality matches that statement — camera angle by camera angle, door by door.

Frequently Asked Questions

What are the physical security requirements in CMMC?

CMMC Level 1 and Level 2 both require the six practices in the PE domain: limiting physical access, escorting visitors, maintaining physical access logs, managing access devices, monitoring the facility with cameras, and safeguarding alternate work sites. All apply wherever CUI is present.

What is a visitor log for CMMC and what must it include?

A visitor log is the audit record required by PE.L1-3.10.4. It must capture who entered and exited restricted areas, when, and with which escort. Paper sign-in sheets, badge reader exports, and digital visitor management systems all qualify — but the log must cover every entry point, not just the main reception.

Do visitors have to be escorted for CMMC?

Yes. PE.L1-3.10.3 requires that every non-authorized individual in a non-public area be escorted and monitored. This includes delivery personnel, maintenance vendors, and visiting subcontractors — not only formal guests arriving through the front lobby.

How do assessors verify physical security controls?

Assessors use all three CMMC assessment methods: Examine (reviewing policies, logs, and inventories), Interview (asking staff to walk through procedures), and Test (observing controls in action — including conducting the facility walkthrough, attempting access with revoked credentials, and confirming camera coverage).

Do badge systems replace paper visitor logs for CMMC?

Badge systems are fully acceptable as physical access logs under PE.L1-3.10.4, provided the system captures entry and exit timestamps for every access-controlled entry point. The log must be retained per your records retention policy and available for assessor review.

What are CMMC requirements for alternate work sites?

PE.L2-3.10.6 requires organizations to protect CUI at alternate work sites — including home offices. This means a documented physical safeguards policy, an AUP addressing workspace privacy, and employee acknowledgment. Assessors evaluate through policy review and interviews with remote employees.
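The three reconciliation checks the Test column and the FAQ describe (a visitor log with an escort and exit time recorded for every visitor and a log source covering every entry point, a key/badge inventory compared against current authorized personnel, and the physical access list cross-checked against the logical CUI access list) are set comparisons that can be run against your own exports before the assessor does them by hand. The script below is an added example, not code from this article or from any CMMC tool; the CSV layouts, column names, entry-point names and every record in it are constructed for illustration.

```python
"""Reconciliation checks for CMMC PE evidence: visitor log, badge/key
inventory, and physical-vs-logical access lists.

Added example, not code from the original article. The CSV layouts, field
names and every record below are constructed; replace them with your own
visitor log export, badge inventory and authorized-personnel lists.
"""
import csv
from io import StringIO

# Constructed visitor log export. An empty escort or time_out cell is the
# kind of gap an assessor reads straight off the sign-in sheet.
VISITOR_LOG_CSV = """visitor,company,entry_point,time_in,time_out,escort
J. Rivera,Acme Freight,loading_dock,2024-05-06 08:12,2024-05-06 08:40,
M. Chen,HVAC Services,front_desk,2024-05-06 09:05,2024-05-06 11:30,A. Patel
L. Ortiz,Subcontractor Co,front_desk,2024-05-06 13:00,,A. Patel
"""

# Constructed key/badge inventory (PE.L1-3.10.5 evidence).
BADGE_INVENTORY_CSV = """device_id,type,holder,status
B-1001,badge,A. Patel,issued
B-1002,badge,D. Kim,issued
K-0007,key,R. Smith,issued
B-1003,badge,,available
"""

# Constructed lists. R. Smith was terminated last month; S. Lee holds room
# access but no account that can reach CUI; T. Nguyen is the reverse.
PHYSICAL_ACCESS_LIST = {"A. Patel", "D. Kim", "S. Lee"}
LOGICAL_CUI_ACCESS_LIST = {"A. Patel", "D. Kim", "T. Nguyen"}

# Every door into the CUI area, and which log source (if any) records it.
ENTRY_POINTS = {"front_desk", "loading_dock", "rear_door", "emergency_exit"}
LOG_SOURCES = {"front_desk": "paper sign-in sheet",
               "loading_dock": "badge reader export"}


def read_csv(text):
    """Parse an in-memory CSV export into a list of row dicts."""
    return list(csv.DictReader(StringIO(text)))


def audit_visitor_log(rows, entry_points, log_sources):
    """PE.L1-3.10.3 / 3.10.4: every visitor has an escort and an exit time,
    and every entry point is covered by some access log."""
    findings = []
    for r in rows:
        if not r["escort"].strip():
            findings.append(f"{r['visitor']} entered via {r['entry_point']} "
                            f"with no escort recorded")
        if not r["time_out"].strip():
            findings.append(f"{r['visitor']} has no exit time recorded")
    for door in sorted(entry_points - set(log_sources)):
        findings.append(f"entry point {door} is not covered by any access log")
    return findings


def audit_badge_inventory(rows, authorized):
    """PE.L1-3.10.5: no issued key or badge is held by someone who is no
    longer on the authorized access list."""
    findings = []
    for r in rows:
        holder = r["holder"].strip()
        if r["status"] == "issued" and holder and holder not in authorized:
            findings.append(f"{r['device_id']} ({r['type']}) issued to "
                            f"{holder}, who is not on the authorized access list")
    return findings


def audit_access_lists(physical, logical):
    """PE.L1-3.10.1: physical access to the CUI room should track logical
    access to CUI. Both directions of mismatch are reported."""
    return {"physical_only": sorted(physical - logical),
            "logical_only": sorted(logical - physical)}


def run_audit():
    """Run all three checks on the embedded sample data and return findings."""
    visitors = read_csv(VISITOR_LOG_CSV)
    inventory = read_csv(BADGE_INVENTORY_CSV)
    return {
        "visitor_log": audit_visitor_log(visitors, ENTRY_POINTS, LOG_SOURCES),
        "badge_inventory": audit_badge_inventory(inventory, PHYSICAL_ACCESS_LIST),
        "access_lists": audit_access_lists(PHYSICAL_ACCESS_LIST,
                                           LOGICAL_CUI_ACCESS_LIST),
    }


if __name__ == "__main__":
    for section, result in run_audit().items():
        print(f"== {section} ==")
        if isinstance(result, dict):
            for key, names in result.items():
                print(f"  {key}: {', '.join(names) or 'none'}")
        else:
            for finding in result or ["no findings"]:
                print(f"  - {finding}")
```

Each finding maps to a row of the Examine / Interview / Test matrix: the unescorted loading-dock visitor and the open entry are PE.L1-3.10.3 and 3.10.4 findings, the uncovered rear door and emergency exit are the "every entry point" failure, the key still issued to a terminated employee is the PE.L1-3.10.5 inventory mismatch, and the two one-sided list entries are what the physical-versus-logical cross-reference under PE.L1-3.10.1 is meant to surface. Running the script on real exports before the walkthrough lets you close these gaps rather than have them read aloud.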

The Bottom Line

Physical protection is not a checkbox. It is evaluated with the same rigor as every technical control, and it is verified against what an assessor sees — not just what the SSP describes.

Walk every entry point, cover every window, post every placard, document every key and code change, and make sure your walkthrough guide knows the facility as well as the assessor will by the end of day one.

Paper policy without physical reality is a guaranteed finding. Document it, implement it, walk it — and make sure what the assessor sees matches what the SSP says.