PE.L2-3.10.4 requires that organizations maintain audit logs of physical access to organizational facilities and systems that process, store, or transmit Controlled Unclassified Information (CUI). This practice is derived from NIST SP 800-171 Rev 2 security requirement 3.10.4, which addresses the logging of physical entry and exit events through access control mechanisms such as card readers, biometric systems, and visitor management logs. Audit logs must capture sufficient detail — including who accessed a facility, at what time, and through which entry point — to support after-the-fact investigation of physical security incidents. Logs must be retained in a manner that ensures their integrity and availability for review by authorized personnel. This practice complements logical access control by ensuring that physical access to CUI environments is as auditable as electronic access.
Where it stops · what it isn't
- This practice does not require real-time monitoring or alerting on physical access events — only that logs are maintained for after-the-fact review.
- This practice does not govern logical or electronic access logs, which are addressed under the Audit and Accountability (AU) domain practices.
- This practice does not specify the minimum retention period for physical access logs, though organizational policy and contract requirements may impose specific durations.
- This practice does not mandate the specific technology used to capture physical access (e.g., electronic badge systems vs. paper visitor logs), provided logs are sufficiently detailed.
- This practice does not cover access logs for facilities that do not house systems or environments involving CUI.
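As an added example (not part of this cubelet or of any CMMC or NIST material), the Python below sketches a minimal defender-side check for the two requirements above: each access record must carry the who, when and entry-point detail the practice calls for, and records are stored as a hash chain so that an edited or deleted entry is detectable on later review. The field names and the badge-reader events are constructed assumptions, not a real system's format.

```python
import hashlib
import json
from datetime import datetime

# Assumed minimum detail for an access record: who, when, where, and the outcome.
REQUIRED_FIELDS = ("subject", "timestamp", "entry_point", "result")
CHAIN_SEED = "physical-access-log-v1"  # assumed constant anchoring the chain


def validate_event(event):
    """Return a list of problems with one access record (empty list = acceptable)."""
    problems = [f"missing field: {f}" for f in REQUIRED_FIELDS if not event.get(f)]
    try:
        datetime.fromisoformat(event["timestamp"].replace("Z", "+00:00"))
    except (KeyError, ValueError, AttributeError):
        problems.append("timestamp is not ISO 8601")
    return problems


def _link(prev_hash, event):
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()


def chain_events(events, seed=CHAIN_SEED):
    """Build an append-only log: every record's hash covers the previous hash,
    so editing or removing one entry breaks every link after it."""
    records, prev = [], hashlib.sha256(seed.encode()).hexdigest()
    for ev in events:
        digest = _link(prev, ev)
        records.append({"event": ev, "prev": prev, "hash": digest})
        prev = digest
    return records


def verify_chain(records, seed=CHAIN_SEED):
    """Recompute every link; return the index of the first bad record, or -1 if intact."""
    prev = hashlib.sha256(seed.encode()).hexdigest()
    for i, rec in enumerate(records):
        if rec["prev"] != prev or rec["hash"] != _link(prev, rec["event"]):
            return i
        prev = rec["hash"]
    return -1


# Constructed sample badge-reader and visitor-desk events (not real data).
SAMPLE_EVENTS = [
    {"subject": "badge:10442", "timestamp": "2024-03-04T08:02:11Z", "entry_point": "DC1-North", "result": "granted"},
    {"subject": "visitor:V-0917", "timestamp": "2024-03-04T09:15:40Z", "entry_point": "Lobby", "result": "granted", "escort": "badge:10442"},
    {"subject": "badge:20871", "timestamp": "2024-03-04T09:16:05Z", "entry_point": "DC1-North", "result": "denied"},
]
```

A reviewer re-runs `verify_chain` over the retained records; a non-negative result points at the first entry that no longer matches what was originally written.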