
Physical access logs maintained

ab-001561 · gov-cmmc-level-1.physical-protection.access-logs
Severity: low · active

Why it matters

CMMC 2.0 PE.L1-3.10.4 (NIST 800-171r2 3.10.4) requires that organizations maintain audit logs of physical access to systems containing FCI. Without retained access logs, there is no way to investigate a physical security incident, verify that only authorized individuals entered sensitive areas, or demonstrate accountability during a CMMC assessment. Physical access logs — key card entry records, server room door logs — are the physical equivalent of application audit trails. The absence of a log retention policy or log review procedure is a finding in any CMMC formal assessment.

Severity rationale

Low severity because physical access logging is always skipped in code audits — the gap surfaces only during physical facility assessment, where it can escalate to a higher severity finding.

Remediation

Document your physical access log procedures in SECURITY.md. Include retention period, log types, and review frequency — all are examined during CMMC assessments:

    ## Physical Access Logs (PE.L1-3.10.4)
    - Key card and badge reader logs retained for a minimum of 90 days
    - Server room door access logged electronically; logs reviewed monthly
    - Anomalous access events (after-hours, repeated failed attempts) escalated to security team
    - Log access restricted to authorized personnel only

Ensure your access control hardware vendor provides exportable logs and that the export/review process is tested at least quarterly. CMMC assessors will request log samples.
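One way to script the export review and retention check described above, as an added example that is not part of the original check. The CSV column layout, the business-hours window and the failed-attempt threshold are assumptions, and the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export; the column layout is an assumption, not a vendor format.
SAMPLE_EXPORT = """timestamp,badge_id,door,result
2024-01-02T09:15:00,B100,server-room,granted
2024-03-11T23:40:00,B100,server-room,granted
2024-03-12T10:00:00,B200,server-room,denied
2024-03-12T10:01:00,B200,server-room,denied
2024-03-12T10:02:00,B200,server-room,denied
2024-04-05T14:30:00,B300,lobby,granted
"""

RETENTION_DAYS = 90                    # minimum retention from the policy text
OPEN_HOUR, CLOSE_HOUR = 7, 19          # assumption: 07:00-18:59 is in-hours
FAILED_THRESHOLD = 3                   # assumption: denials per badge per door
FAILED_WINDOW = timedelta(minutes=10)  # assumption: window for counting denials


def review_export(text, as_of):
    """Return (retention_ok, findings) for one exported badge log."""
    rows = sorted(
        ({**r, "ts": datetime.fromisoformat(r["timestamp"])}
         for r in csv.DictReader(io.StringIO(text))),
        key=lambda r: r["ts"],
    )
    # Retention: the oldest record must reach back at least RETENTION_DAYS.
    retention_ok = bool(rows) and (as_of - rows[0]["ts"]).days >= RETENTION_DAYS
    findings = []
    denials = defaultdict(list)
    for r in rows:
        key = (r["badge_id"], r["door"])
        if r["result"] == "granted" and not OPEN_HOUR <= r["ts"].hour < CLOSE_HOUR:
            findings.append(("after-hours", r["badge_id"], r["door"], r["timestamp"]))
        elif r["result"] == "denied":
            # Keep only denials inside the sliding window, then add this one.
            recent = [t for t in denials[key] if r["ts"] - t <= FAILED_WINDOW]
            recent.append(r["ts"])
            denials[key] = recent
            if len(recent) == FAILED_THRESHOLD:
                findings.append(("repeated-failed", r["badge_id"], r["door"], r["timestamp"]))
    return retention_ok, findings


if __name__ == "__main__":
    print(review_export(SAMPLE_EXPORT, datetime(2024, 4, 10)))
```

An oldest record that reaches back 90 days shows the export covers the retention window, not that every day inside it was logged; gaps in the reader feed need a separate check.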

Detection

  • ID: gov-cmmc-level-1.physical-protection.access-logs

  • Severity: low

  • CMMC Practice: PE.L1-3.10.4

  • What to look for: This check evaluates physical facility controls that cannot be verified through code analysis and is automatically skipped. Count all physical access logging references in documentation. Full CMMC Level 1 compliance requires at least 1 log retention policy covering: key card access logs, door entry/exit records, server room access logs.

  • Pass criteria: This check is automatically skipped because physical facility controls cannot be verified through code inspection alone. If physical security documentation exists, at least 1 reference to access log retention is present. Report even on skip: "Physical access log documentation status: [present/absent]."

  • Fail criteria: This check cannot fail through code inspection — it is automatically skipped. Physical facility inspection is required for PE.L1-3.10.4 compliance. Example: "PE.L1-3.10.4 cannot be evaluated through code — requires physical site audit"

  • Skip (N/A) when: ALWAYS — this check evaluates physical facility controls that cannot be verified through code inspection.

  • Detail on skip: "Physical protection practice PE.L1-3.10.4 — maintain audit logs of physical access to organizational systems. Outside scope of code-level audit. Assess through physical facility inspection."

  • Remediation: Document your physical access logging procedures in SECURITY.md:

    ## Physical Access Logs
    - Card reader logs retained for 90 days minimum
    - Server room access logged and reviewed monthly
    
