NetStable
Level 2 PE.L2-3.10.4

Maintain audit logs of physical access

📖 What This Means

This practice requires organizations to keep detailed records of who accesses physical facilities where Controlled Unclassified Information (CUI) is stored or processed. This includes logging entries, exits, and attempted access to secure areas. The goal is to create a trail that can be reviewed to detect unauthorized access or security incidents. For example, if an unauthorized person gains access to a server room, the audit log would show when and how they entered. Another example is monitoring visitor access to ensure they are escorted and only visit authorized areas. This practice helps ensure accountability and provides evidence for investigations.

🎯 Why It Matters

Failing to maintain physical access audit logs can leave organizations vulnerable to insider threats, unauthorized access, and physical breaches. For example, in 2019, a defense contractor experienced a breach when an unauthorized individual accessed a secure facility due to inadequate logging and monitoring. The breach resulted in the loss of sensitive data and a damaged reputation. From the DoD's perspective, maintaining audit logs is critical to ensuring the integrity of CUI and meeting compliance requirements. Without these logs, organizations cannot prove they are safeguarding sensitive information, which could lead to lost contracts or penalties.

How to Implement

  1. For cloud environments, integrate physical access logs with your cloud security tools.
  2. Use cloud-based access control systems like AWS IAM Access Analyzer or Azure Active Directory.
  3. Ensure logs are stored securely and protected from tampering, for example by forwarding them to AWS CloudTrail or Azure Monitor.
  4. Set up alerts for unusual physical access patterns.
  5. Regularly review and audit access logs for compliance.

⏱️ Estimated Effort

Implementation typically takes 10-20 hours for small facilities. Requires basic knowledge of access control systems and logging tools.

📋 Evidence Examples

Access Control Policy

Format: PDF/DOC
Frequency: Annually or when changes occur.
Contents: Policy detailing logging requirements, retention periods, and review procedures.
Collection: Draft or update policy document.

Access Logs

Format: CSV/Log File
Frequency: Daily/Weekly.
Contents: Timestamp, user ID, access point, and access type (entry/exit).
Collection: Export from access control system.

Audit Report

Format: PDF
Frequency: Monthly.
Contents: Summary of log reviews, anomalies detected, and actions taken.
Collection: Generate report from log analysis.

Configuration Screenshots

Format: PNG/JPG
Frequency: During implementation and updates.
Contents: Access control system settings showing logging enabled.
Collection: Capture screenshots.

Training Records

Format: PDF/XLS
Frequency: After training sessions.
Contents: Records of staff trained on access logging procedures.
Collection: Maintain training attendance sheets.

📝 SSP Guidance

Use this guidance when writing the System Security Plan (SSP) narrative for this control.

How to Write the SSP Narrative

For PE.L2-3.10.4 ("Maintain audit logs of physical access"), your SSP narrative should specifically describe: (1) the tools and technologies you use to implement this control, (2) the configuration or process that enforces it, (3) who is responsible for maintaining it, and (4) what evidence proves it's working. Describe the physical security controls protecting CUI systems, including badge access, visitor management, physical access logging, and alternate work site requirements. Be specific: name your actual products, settings, and responsible personnel.

Example SSP Narratives

Cloud (Azure/AWS)

"PE.L2-3.10.4 is implemented using cloud-native controls. [Organization] uses [specific cloud service/feature] to maintain audit logs of physical access. The configuration is managed through [Azure Policy/AWS Config/Terraform] and monitored via [SIEM tool]. Responsible party: [IT Security Manager]. Evidence: [specific artifact, e.g., 'Azure AD Conditional Access policy screenshot, CloudTrail logs']."

On-Premise

"PE.L2-3.10.4 is implemented through on-premise infrastructure controls. [Organization] uses [Active Directory/Group Policy/specific tool] to maintain audit logs of physical access. Configuration is documented in [location] and audited [frequency]. Responsible party: [System Administrator]. Evidence: [specific artifact, e.g., 'Group Policy export, Windows Event logs']."

Hybrid

"PE.L2-3.10.4 is implemented across both cloud and on-premise environments. [Organization] uses [Azure AD Connect/hybrid tool] to ensure consistent enforcement. Cloud resources are managed via [cloud tool] and on-premise systems via [on-prem tool]. Both environments report to [centralized SIEM]. Responsible party: [IT Director]. Evidence: [artifacts from both environments]."

System Boundary Considerations

  • Identify all physical locations where CUI is processed or stored
  • Document physical access control mechanisms (badge readers, locks, cameras)
  • Specify CUI area boundaries within each facility
  • Ensure this control covers all facilities and systems within your defined CUI boundary where physical access logging applies
  • Document any systems where this control is not applicable and explain why

Key Documentation to Reference in SSP

  • 📄 Physical Protection Policy
  • 📄 Badge access logs
  • 📄 Visitor logs
  • 📄 Alternate work site approval forms
  • 📄 Evidence artifacts specific to PE.L2-3.10.4
  • 📄 POA&M entry if control is not fully implemented

What the Assessor Looks For

The assessor will physically inspect CUI areas, test badge access controls, review visitor logs, and verify that terminated employees' badges are deactivated promptly.

💬 Self-Assessment Questions

Use these questions to assess your compliance. Each "NO" answer provides specific remediation guidance.

Question 1: Do you have an access control system installed at all secure entry points?

✅ YES → Proceed to Q2.
❌ NO → GAP: Install an access control system (e.g., card readers, biometric scanners). Timeline: 2 weeks.
Remediation:
Contact a vendor for installation and configuration.

Question 2: Is your access control system configured to log all access attempts?

✅ YES → Proceed to Q3.
❌ NO → GAP: Enable logging in your access control system. Timeline: 1 day.
Remediation:
Refer to the system's user manual or contact support.

Question 3: Are access logs stored securely and retained for at least 90 days?

✅ YES → Proceed to Q4.
❌ NO → GAP: Configure log storage and retention settings. Timeline: 1 day.
Remediation:
Use a secure, centralized storage solution.

Question 4: Do you regularly review access logs for suspicious activity?

✅ YES → Proceed to Q5.
❌ NO → GAP: Schedule regular log reviews. Timeline: 1 week.
Remediation:
Assign responsibility and create a review schedule.

Question 5: Can you produce audit logs and reports during an assessment?

✅ YES → Compliant.
❌ NO → GAP: Ensure logs are exportable and reports are generated. Timeline: 2 days.
Remediation:
Test log export and report generation functionality.

⚠️ Common Mistakes (What Auditors Flag)

1. Logs are not retained for the required duration.

Why this happens: Retention settings are not configured correctly.
How to avoid: Verify retention policies and test log storage.

2. Failed access attempts are not logged.

Why this happens: System is not configured to log failed attempts.
How to avoid: Enable logging for all access attempts.

3. Logs are not reviewed regularly.

Why this happens: No process or responsibility assigned for log reviews.
How to avoid: Create a log review schedule and assign responsibility.

4. Logs are stored in an insecure location.

Why this happens: Storage location is not properly secured.
How to avoid: Use a secure, centralized storage solution with restricted access.

5. Logs are incomplete or missing critical details.

Why this happens: Access control system is not configured correctly.
How to avoid: Verify logging settings and test log outputs.
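The Access Logs and Audit Report evidence above, together with Q3/Q4 and mistakes 1, 2 and 5, describe what a log review must check. The following is an added example (not NetStable's or any vendor's code) of a reviewer script over a constructed CSV export in the Timestamp/user ID/access point/access type layout listed above; the `result` column (granted/denied), the business-hours window and the denial threshold are assumptions.

```python
import csv
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample export (not real data); 'result' is an assumed extra column.
SAMPLE_LOG = """timestamp,user_id,access_point,access_type,result
2024-03-01T08:02:00,u1001,server-room,entry,granted
2024-03-01T17:10:00,u1001,server-room,exit,granted
2024-03-01T22:45:00,u1002,server-room,entry,granted
2024-03-02T03:12:00,u1003,server-room,entry,denied
2024-03-02T03:13:00,u1003,server-room,entry,denied
2024-03-02T03:15:00,u1003,server-room,entry,denied
2024-05-28T09:00:00,u1001,server-room,entry,granted
2024-05-28T12:00:00,u1001,server-room,exit,granted
"""
BUSINESS_HOURS = range(7, 19)  # 07:00-18:59 is normal (assumed site policy)
DENIED_THRESHOLD = 3           # repeated denials worth escalating (assumption)

def parse_log(text):
    """Parse the CSV export; adds a datetime 'ts' field to every row."""
    rows = list(csv.DictReader(text.splitlines()))
    for r in rows:
        r["ts"] = datetime.fromisoformat(r["timestamp"])
    return rows

def retention_covered(rows, now_iso, days=90):
    """True when the export reaches back at least `days` from now_iso (Q3 above)."""
    return bool(rows) and datetime.fromisoformat(now_iso) - min(r["ts"] for r in rows) >= timedelta(days=days)

def find_anomalies(rows):
    """Flag what a review looks for: denials, after-hours entry, entry with no exit."""
    findings, denials, open_entries = [], Counter(), {}
    for r in sorted(rows, key=lambda r: r["ts"]):
        key = (r["user_id"], r["access_point"])
        if r["result"] == "denied":
            denials[key] += 1  # mistake 2 above: denials must be present in the log
        elif r["access_type"] == "entry":
            if r["ts"].hour not in BUSINESS_HOURS:
                findings.append(("after_hours_entry", r["user_id"], r["timestamp"]))
            open_entries[key] = r["timestamp"]
        elif r["access_type"] == "exit":
            open_entries.pop(key, None)
    findings += [("repeated_denied", u, n) for (u, _), n in denials.items() if n >= DENIED_THRESHOLD]
    findings += [("entry_without_exit", u, t) for (u, _), t in open_entries.items()]
    return findings

def review_report(text, now_iso):
    """Summary for the monthly audit report: counts, retention coverage, anomalies."""
    rows = parse_log(text)
    return {"records": len(rows), "denied": sum(r["result"] == "denied" for r in rows),
            "retention_90d_ok": retention_covered(rows, now_iso), "anomalies": find_anomalies(rows)}
```

The retention check only confirms the export spans 90 days; the retention setting itself still needs to be verified in the access control system (mistake 1).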

📚 Parent Policy

This practice is governed by the Physical Protection Policy.


📚 Related Controls