NetStable
Level 2 PE.L2-3.10.3

Escort visitors and monitor visitor activity

📖 What This Means

This control requires that visitors to your facility are escorted at all times and their activities are monitored to ensure they do not gain unauthorized access to areas containing Controlled Unclassified Information (CUI). Essentially, it means you need a system to identify visitors, assign an escort, and keep track of their movements within your facility. For example, if a contractor comes to repair office equipment, they should be met at reception, signed in, and accompanied by an employee to the specific area where the repair is needed. This prevents accidental or intentional access to sensitive information or areas.

🎯 Why It Matters

Unescorted or unmonitored visitors pose a significant physical security risk. They could accidentally or intentionally access CUI, steal sensitive information, or introduce malicious devices. For example, in 2018, a breach at a defense contractor occurred when an unescorted visitor installed malware on a workstation, compromising sensitive military data. The financial and reputational damage from such incidents can be severe, with potential fines, lost contracts, and reputational harm. From the DoD/CMMC perspective, this control is critical to ensuring the physical security of CUI, as it directly prevents unauthorized access to sensitive areas.

How to Implement

  1. N/A - This control is specific to physical facilities and does not directly apply to cloud environments.

⏱️ Estimated Effort
Implementation typically takes 1-2 weeks for small/medium facilities. Requires basic physical security knowledge and coordination with facility management.

📋 Evidence Examples

Visitor Log

Format: Spreadsheet (Excel/Google Sheets)
Frequency: Daily
Contents: Visitor name, company, purpose, time in/out, escort name.
Collection: Export from visitor management system or manual entry.
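The visitor log above is only useful as evidence if it is actually reviewed, and the most common assessor findings are entries with no escort recorded or no sign-out time. The script below is an added example (not NetStable's tooling and not part of the original page) that reviews a spreadsheet export for those gaps; the column names, the sample rows and the 8-hour visit threshold are constructed assumptions, so adjust them to your own export.

```python
"""Review a visitor log export for incomplete entries (added example, not the page's own code)."""
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export. The column names are an assumption about the
# spreadsheet layout; map them to whatever your visitor management system exports.
SAMPLE_LOG = """\
visitor_name,company,purpose,time_in,time_out,escort_name
Alice Example,Acme Copiers,Printer repair,2024-03-04 09:02,2024-03-04 10:15,J. Doe
Bob Example,Acme Copiers,Printer repair,2024-03-04 09:05,,J. Doe
Carol Example,Widget Co,Vendor meeting,2024-03-04 13:00,2024-03-04 14:30,
Dan Example,Widget Co,Vendor meeting,2024-03-04 13:00,2024-03-04 12:45,M. Roe
Eve Example,Facilities Inc,HVAC inspection,2024-03-04 07:30,2024-03-04 18:10,M. Roe
"""

TIME_FMT = "%Y-%m-%d %H:%M"
MAX_VISIT = timedelta(hours=8)  # assumed local policy threshold, not from the page


def _parse(ts):
    """Return a datetime for a non-empty timestamp cell, else None."""
    return datetime.strptime(ts, TIME_FMT) if ts.strip() else None


def review_visitor_log(text, max_visit=MAX_VISIT):
    """Return (spreadsheet_row, visitor_name, issue) for every entry that needs follow-up.

    Row numbers count the header as row 1 so they match what the reviewer sees
    in the spreadsheet.
    """
    findings = []
    for row_no, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        name = row["visitor_name"].strip()
        # Escort is mandatory for every visit under PE.L2-3.10.3.
        if not row["escort_name"].strip():
            findings.append((row_no, name, "no escort recorded"))
        t_in, t_out = _parse(row["time_in"]), _parse(row["time_out"])
        if t_in is None:
            findings.append((row_no, name, "missing sign-in time"))
            continue
        if t_out is None:
            # Either the visitor is still on site or nobody signed them out.
            findings.append((row_no, name, "no sign-out time"))
        elif t_out < t_in:
            findings.append((row_no, name, "sign-out precedes sign-in"))
        elif t_out - t_in > max_visit:
            findings.append((row_no, name, f"visit longer than {max_visit}"))
    return findings


def summarize(findings):
    """Count findings by issue type, handy for a weekly review summary."""
    counts = {}
    for _, _, issue in findings:
        counts[issue] = counts.get(issue, 0) + 1
    return counts


if __name__ == "__main__":
    results = review_visitor_log(SAMPLE_LOG)
    for row_no, name, issue in results:
        print(f"row {row_no}: {name}: {issue}")
    print(summarize(results))
```

Running it weekly against the export and filing the output with the log gives the reviewer something concrete to act on (chase the missing sign-outs, correct the missing escort names) and gives the assessor evidence that the review actually happens.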

Visitor Escort Policy

Format: PDF/Document
Frequency: Annual review
Contents: Detailed procedure for escorting visitors and monitoring activity.
Collection: Download from document management system.

Security Camera Footage

Format: Video file
Frequency: As needed (retain for 30 days)
Contents: Recording of visitor activity in common areas.
Collection: Export from CCTV system.

Visitor Badge Inventory

Format: Spreadsheet
Frequency: Weekly
Contents: List of temporary badges issued and returned.
Collection: Manual tracking or system export.

Training Records

Format: PDF/Spreadsheet
Frequency: Annual
Contents: Employee training on visitor escort procedures.
Collection: Export from LMS (Learning Management System).

📝 SSP Guidance

Use this guidance when writing the System Security Plan (SSP) narrative for this control.

How to Write the SSP Narrative

For PE.L2-3.10.3 ("Escort visitors and monitor visitor activity"), your SSP narrative should specifically describe: (1) the tools and technologies you use to implement this control, (2) the configuration or process that enforces it, (3) who is responsible for maintaining it, and (4) what evidence proves it's working. Describe the physical security controls protecting CUI systems, including badge access, visitor management, physical access logging, and alternate work site requirements. Be specific -- name your actual products, settings, and responsible personnel.

Example SSP Narratives

Cloud (Azure/AWS)

"PE.L2-3.10.3 is implemented using cloud-native controls. [Organization] uses [specific cloud service/feature] to escort visitors and monitor visitor activity. The configuration is managed through [Azure Policy/AWS Config/Terraform] and monitored via [SIEM tool]. Responsible party: [IT Security Manager]. Evidence: [specific artifact, e.g., 'Azure AD Conditional Access policy screenshot, CloudTrail logs']."

On-Premise

"PE.L2-3.10.3 is implemented through on-premise infrastructure controls. [Organization] uses [Active Directory/Group Policy/specific tool] to escort visitors and monitor visitor activity. Configuration is documented in [location] and audited [frequency]. Responsible party: [System Administrator]. Evidence: [specific artifact, e.g., 'Group Policy export, Windows Event logs']."

Hybrid

"PE.L2-3.10.3 is implemented across both cloud and on-premise environments. [Organization] uses [Azure AD Connect/hybrid tool] to ensure consistent enforcement. Cloud resources are managed via [cloud tool] and on-premise systems via [on-prem tool]. Both environments report to [centralized SIEM]. Responsible party: [IT Director]. Evidence: [artifacts from both environments]."

System Boundary Considerations

  • Identify all physical locations where CUI is processed or stored
  • Document physical access control mechanisms (badge readers, locks, cameras)
  • Specify CUI area boundaries within each facility
  • Ensure this control covers all systems within your defined CUI boundary where visitor escort and monitoring applies
  • Document any systems where this control is not applicable and explain why

Key Documentation to Reference in SSP

  • 📄 Physical Protection Policy
  • 📄 Badge access logs
  • 📄 Visitor logs
  • 📄 Alternate work site approval forms
  • 📄 Evidence artifacts specific to PE.L2-3.10.3
  • 📄 POA&M entry if control is not fully implemented

What the Assessor Looks For

The assessor will physically inspect CUI areas, test badge access controls, review visitor logs, and verify that terminated employees' badges are deactivated promptly.

💬 Self-Assessment Questions

Use these questions to assess your compliance. Each "NO" answer provides specific remediation guidance.

Question 1: Do you have a documented visitor escort policy?

✅ YES → Proceed to Q2.
❌ NO → GAP: Develop and implement a visitor escort policy within 1 week.
Remediation:
Use templates from NIST SP 800-171 or CMMC guidelines.

Question 2: Are all visitors required to sign in and wear a temporary badge?

✅ YES → Proceed to Q3.
❌ NO → GAP: Implement a visitor sign-in process and badge system within 2 weeks.
Remediation:
Purchase a visitor management system like Envoy or Sine.

Question 3: Are visitors escorted at all times while in the facility?

✅ YES → Proceed to Q4.
❌ NO → GAP: Train employees on escort procedures and enforce compliance.
Remediation:
Conduct training sessions within 1 week.

Question 4: Are visitor logs maintained and reviewed regularly?

✅ YES → Proceed to Q5.
❌ NO → GAP: Implement a process for maintaining and reviewing visitor logs.
Remediation:
Assign responsibility to a specific team member.

Question 5: Are security cameras used to monitor visitor activity?

✅ YES → You are compliant.
❌ NO → GAP: Install security cameras in common areas within 3 weeks.
Remediation:
Choose a CCTV system like Axis or Hikvision.

⚠️ Common Mistakes (What Auditors Flag)

1. Visitor logs are incomplete or missing entries.

Why this happens: Manual processes are error-prone or not consistently followed.
How to avoid: Use an automated visitor management system.

2. Visitors are not escorted at all times.

Why this happens: Employees are unaware of or ignore escort policies.
How to avoid: Regular training and enforcement of policies.

3. Visitor badges are not collected or tracked.

Why this happens: No system in place to manage badge inventory.
How to avoid: Implement a badge tracking system.

4. Security camera footage is not retained for the required period.

Why this happens: Storage settings are not configured correctly.
How to avoid: Set retention policies to 30 days minimum.

5. Escort policy is not documented or reviewed.

Why this happens: Overlooked during policy development.
How to avoid: Include in annual security policy reviews.

📚 Parent Policy

This practice is governed by the Physical Protection Policy
