3.10.4 — Log Physical Access

The One-Liner

If the assessor asks who entered your server room last Tuesday, can you answer?

Cannot Be on POA&M

Despite being a 1-point requirement, PE.L2-3.10.4 is one of six requirements explicitly excluded from POA&M eligibility per 32 CFR § 170.21(a)(2)(iii). It must be MET on assessment day. There is no conditional certification path for this requirement — even though the point value would normally allow it.

What It Says

Maintain audit logs of physical access.

What It Actually Means

This is one of 17 NIST SP 800-171 requirements that also map to a CMMC Level 1 practice (FAR 52.204-21 — FCI protection).

Keep records of who accesses secured areas — badge swipe logs, sign-in sheets, camera footage. Retain for the same period as your digital audit logs (typically 90 days minimum, one year preferred). Review periodically for anomalies — unusual after-hours access, unknown individuals, access by people no longer authorized.

---

Pass or Fail

Your assessor needs a “yes” to every row:

#	Question	What “yes” looks like
1	Are physical access audit logs maintained?	Badge logs, sign-in sheets, and camera footage retained per defined retention period

---

What to Have Ready on Assessment Day

Documents they’ll review: Physical and environmental protection policy; physical access log retention policy; badge reader logs; visitor sign-in sheets; camera footage retention settings; system security plan

People they’ll talk to: Personnel with physical access responsibilities; information security personnel

Live demos they’ll ask for: “Show me the physical access log for the server room.” “Pull up who entered last Tuesday.” “How long are badge logs retained?” “Show me the visitor sign-in sheets from the past month.”

---

The Assessor’s Playbook

These are the actual questions. Have answers ready.

• “Show me the physical access log for the server room.”
• “How long do you retain badge access logs?”
• “Show me visitor sign-in records from the past month.”
• “Do you review physical access logs? How often?”

Real-World Example

A defense contractor’s badge access system logs every entry to the server room and CUI work area — retained for one year. Visitor sign-in sheets are scanned and filed monthly. Camera footage is retained 30 days. The IT Security Lead reviews badge access logs monthly for anomalies (after-hours access, unknown badge IDs). The assessor asks for server room access records from the previous month and the admin produces the badge log within minutes.

---

Where Companies Trip Up

No logs. Door is locked but no record of who enters. Badge readers with logging solve this. Manual sign-in sheets are acceptable for areas without badge readers.

Logs not retained. Badge logs overwritten after 7 days. Configure retention to match your digital log retention policy.

No review. Logs exist but nobody looks at them. Monthly review for anomalies.

---

How to Talk About This

To a CEO or Board

Complete records of who accesses every secured area and when — badge logs retained for one year, reviewed monthly.

To an Engineering Team

Badge access logs retained 1 year. Visitor sign-in sheets scanned and filed. Camera footage 30 days. Monthly review for anomalies. Manual sign-in for areas without badge readers.

---

Connected Requirements

Requirement	Why it matters here
3.10.1 — Lock the Doors	Access controls that generate the logs
3.10.3 — Escort Every Visitor	Visitor logs are a subset of physical access logs
3.3.1 — Log Everything	Physical access logs complement digital audit logs