CMMC Practice PE.L1-3.10.4 – Physical Access Logs: Maintain audit logs of physical access.
Links to Publicly Available Resources
The document describes the importance of integrating physical and logical security under a single governing body or department. This document provides self-assessment guidance for conducting Cybersecurity Maturity Model Certification (CMMC) assessments for Level 1. This article gives an overview of how to stay HIPAA compliant by maintaining good audit log hygiene. This special publication gives an overview of physical access control guidelines for organizational employees and visitors. This NIST Special Publication provides practical guidance on developing and maintaining effective log management practices. This SANS whitepaper provides a broad overview of the importance of physical security as it intersects with cybersecurity. This example policy from the State of Michigan provides guidance for personnel for the protection of Criminal Justice Information (CJI).
Discussion [NIST SP 800-171 R2]
Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural (e.g., written log of individuals accessing the facility), automated (e.g., capturing ID provided by a Personal Identity Verification (PIV) card), or some combination thereof. Physical access points can include facility access points, interior access points to systems or system components requiring supplemental access controls, or both. System components (e.g., workstations, notebook computers) may be in areas designated as publicly accessible with organizations safeguarding access to such devices.
Further Discussion
Make sure you have a record of who accesses your facility (e.g., office, plant, factory). You can do this in writing by having employees and visitors sign in and sign out or by electronic means such as badge readers. Whatever means you use, you need to retain the access records for the time period that your company has defined.