Visitors escorted and monitored

ab-001560 · gov-cmmc-level-1.physical-protection.visitor-escort
Severity: info · Status: active

Why it matters

CMMC 2.0 PE.L1-3.10.3 (NIST 800-171r2 3.10.3) requires that visitors to facilities where FCI is processed or stored are escorted and monitored. Unescorted visitors in areas containing workstations, servers, or printed FCI can observe screens, photograph documents, or access unlocked machines without any technical barrier. This control has no software implementation — it is a procedural and physical control assessed through facility inspection. Even when this check is automatically skipped in a code audit, the absence of visitor management procedures is a direct CMMC assessment finding during a physical review.

Severity rationale

Info severity because visitor escort controls are outside code-audit scope and always skipped — the gap surfaces during physical C3PAO assessment, not code inspection.

Remediation

Add visitor management procedures to the SECURITY.md physical security section. These documented procedures are reviewed during CMMC formal assessments as evidence of policy:

## Visitor Policy (PE.L1-3.10.3)
- All visitors must sign in at reception with government-issued ID
- Visitor badges issued and visibly worn throughout the visit
- Visitors escorted by an authorized employee in all secure areas
- Visitor access limited to areas necessary for their stated purpose
- Visitor log retained for a minimum of 90 days

Store the visitor log — physical or digital — where it can be produced on request during a C3PAO assessment.

Detection

  • ID: gov-cmmc-level-1.physical-protection.visitor-escort

  • Severity: info

  • CMMC Practice: PE.L1-3.10.3

  • What to look for: This check evaluates physical facility controls that cannot be verified through code analysis and is automatically skipped. Count all visitor management policy references in the documentation. For full CMMC Level 1 compliance, the documentation should cover at least 3 of the following requirements: visitor sign-in procedures, visitor badge policies, escort requirements in secure areas, and visitor access logs.

  • Pass criteria: This check is automatically skipped because physical facility controls cannot be verified through code inspection alone. If physical security documentation exists, at least 1 reference to visitor management procedures is present. Report even on skip: "Visitor management documentation status: [present/absent]."

  • Fail criteria: This check cannot fail through code inspection — it is automatically skipped. Physical facility inspection is required for PE.L1-3.10.3 compliance. Example: "PE.L1-3.10.3 cannot be evaluated through code — requires physical site audit"

  • Skip (N/A) when: ALWAYS — this check evaluates physical facility controls that cannot be verified through code inspection.

  • Detail on skip: "Physical protection practice PE.L1-3.10.3 — escort visitors and monitor visitor activity. Outside scope of code-level audit. Assess through physical facility inspection."

  • Remediation: Add visitor management procedures to your SECURITY.md physical security section:

    ## Visitor Policy
    - All visitors must sign in at reception
    - Visitors must be escorted in secure areas

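The following is an added example of how the documentation scan described in the Detection section could be implemented; it is not the check's own code. It assumes the four keyword patterns below, which are illustrative, and a constructed SECURITY.md excerpt.

```python
"""Added example: apply the PE.L1-3.10.3 documentation scan to SECURITY.md text.

The check never passes or fails through code inspection; it always skips, but
it still reports whether visitor-management documentation is present and how
many of the four requirement categories the documentation references.
"""
import re

# Keyword patterns for the four requirement categories named in the check.
# These patterns are assumptions; adapt them to your documentation's wording.
REQUIREMENTS = {
    "sign-in procedures": r"\bsign[\s-]?in\b|\breception\b",
    "badge policies": r"\bbadge",
    "escort requirements": r"\bescort",
    "access logs": r"\bvisitor log\b|\baccess log\b",
}

SKIP_DETAIL = ("Physical protection practice PE.L1-3.10.3 - escort visitors and "
               "monitor visitor activity. Outside scope of code-level audit. "
               "Assess through physical facility inspection.")


def scan_visitor_policy(text: str) -> dict:
    """Return the skip result, the requirement coverage and the status report line."""
    # Only lines that mention visitors are considered, so that unrelated
    # "sign in" or "log" wording elsewhere in SECURITY.md is not counted.
    visitor_lines = "\n".join(l for l in text.splitlines() if "visitor" in l.lower())
    covered = {name: bool(re.search(pat, visitor_lines, re.IGNORECASE))
               for name, pat in REQUIREMENTS.items()}
    count = sum(covered.values())
    status = "present" if count >= 1 else "absent"
    return {
        "result": "skip",            # physical control: always skipped in a code audit
        "covered": covered,
        "count": count,
        "meets_level1_coverage": count >= 3,   # at least 3 of the 4 requirements
        "detail": SKIP_DETAIL,
        "report": f"Visitor management documentation status: {status}",
    }


# Constructed SECURITY.md excerpt for demonstration (not from a real project).
SAMPLE_SECURITY_MD = """\
## Visitor Policy (PE.L1-3.10.3)
- All visitors must sign in at reception with government-issued ID
- Visitor badges issued and visibly worn throughout the visit
- Visitors escorted by an authorized employee in all secure areas
- Visitor log retained for a minimum of 90 days
"""

if __name__ == "__main__":
    for key, value in scan_visitor_policy(SAMPLE_SECURITY_MD).items():
        print(f"{key}: {value}")
```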