CMMC Visitor Log Requirements: What CMMC Level 2 Actually Requires (and How to Meet It)
CMMC Level 2 doesn't ask for a fancy visitor system. It asks you to prove who had physical access to CUI, that they were escorted, and that the record can't be quietly edited. Here's exactly what the visitor-log requirement covers — and what assessment-ready evidence looks like.
Search “CMMC visitor log requirements” and you mostly find two things: consultants restating the control language, and the DoD's own assessment guide. Plenty of explanation of what the rule says — much less on how to actually produce a visitor record that survives an assessment. This post does both: the requirement in plain terms, then what defensible evidence looks like.
The short version
CMMC Level 2 (via NIST SP 800-171) requires you to limit and document physical access to CUI areas, escort visitors, and keep tamper-resistant audit logs you can produce on demand. A paper sign-in sheet is technically a log, but it rarely records who escorted the visitor, it is easy to alter, and it is painful to reconstruct for an assessor. The real bar is a complete, time-stamped, immutable, retrievable record.
What CMMC actually requires for visitor logs
CMMC Level 2 incorporates the 110 controls of NIST SP 800-171. Four of them shape what your visitor log has to do:
- 3.10.1 — Limit physical access. Restrict access to systems, equipment, and the areas that hold CUI to authorized individuals. For visitors, that means access is a decision, not a default.
- 3.10.3 — Escort and monitor visitors. Visitors in controlled areas are escorted and their activity is monitored — and you can show it.
- 3.10.4 — Maintain audit logs of physical access. Keep a record of who physically accessed controlled areas and when.
- 3.3.x (Audit & Accountability). Audit records have to be created, protected from unauthorized change, retained, and reviewable.
DFARS 252.204-7012 makes NIST SP 800-171 contractual for covered defense information, and CMMC (32 CFR Part 170) is how that gets assessed. Importantly, none of this mandates a particular product — logs can be manual or electronic. What it does mandate is that the evidence holds up.
Why a paper logbook struggles to pass
A clipboard at the front desk answers one question — did this person sign in? It tends to go quiet on the questions an assessor actually asks:
- Who escorted the visitor, and what was the access decision? (3.10.3 wants that recorded.)
- Can the record be altered or lost after the fact? (3.3.x wants it protected and reviewable.)
- Can you reconstruct it across multiple sites and a multi-year retention window — quickly?
- Is the visitor's identity check and screening result tied to the same entry?
None of those are exotic. They're just hard to satisfy with paper and spreadsheets, which is why the gap between “we have a sign-in sheet” and “we can produce assessment-ready evidence” is where most visitor findings live.
From control to evidence
What “good” looks like
- Capture identity, purpose, and authorized host at check-in; access is a decision, not a signature.
- Time-stamp every entry at the database level, so the record is precise and not hand-written after the fact.
- Record the escort and the access decision on the visit, satisfying the escort-and-monitor control with documentation.
- Make the log append-only: entries can be added but not quietly edited or deleted.
- Retain the evidence for your contract window and keep it retrievable, not boxed in a closet.
- Produce an evidence pack on demand: the version an assessor or C3PAO can read without you rebuilding it.
- Re-screen recurring vendors and contractors; a one-time check at first visit goes stale.
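The list above describes a data structure more than a product: an append-only table whose timestamps come from the database clock, that records host, escort and access decision on the same entry, and that can be exported as an evidence pack. The following is an added illustration of that structure, not SecurePoint's code or anything from the sources cited on this page. It assumes SQLite and uses hypothetical table and column names. It also goes one step beyond the text: besides triggers that refuse UPDATE and DELETE, each entry carries a SHA-256 over its own fields plus the previous entry's hash, so an edit made by someone who removes the trigger is still detectable when the chain is re-verified at export time.

```python
"""Append-only, time-stamped visitor log with a hash chain and an evidence-pack export.
Added example (not SecurePoint's code). Assumes SQLite; table/column names are hypothetical."""
import hashlib
import json
import sqlite3
from typing import Optional, Tuple

GENESIS = "0" * 64  # constructed sentinel: prev_hash of the very first entry

SCHEMA = """
CREATE TABLE IF NOT EXISTS visitor_log (
    id          INTEGER PRIMARY KEY AUTOINCREMENT,
    recorded_at TEXT NOT NULL,   -- taken from the database clock, never from the form
    site        TEXT NOT NULL,
    event       TEXT NOT NULL,   -- check_in | screening | access_decision | check_out
    visitor     TEXT NOT NULL,
    host        TEXT NOT NULL,   -- authorized host who approved the visit
    escort      TEXT,            -- who escorted the visitor (3.10.3)
    detail      TEXT,            -- purpose / screening result / access decision
    actor       TEXT NOT NULL,   -- front-desk user who wrote the entry
    prev_hash   TEXT NOT NULL,
    entry_hash  TEXT NOT NULL UNIQUE
);
-- Append-only at the database level: any UPDATE or DELETE is refused.
CREATE TRIGGER IF NOT EXISTS visitor_log_no_update BEFORE UPDATE ON visitor_log
BEGIN SELECT RAISE(ABORT, 'visitor_log is append-only'); END;
CREATE TRIGGER IF NOT EXISTS visitor_log_no_delete BEFORE DELETE ON visitor_log
BEGIN SELECT RAISE(ABORT, 'visitor_log is append-only'); END;
"""

HASHED_FIELDS = ("recorded_at", "site", "event", "visitor", "host",
                 "escort", "detail", "actor", "prev_hash")


def open_log(path: str = ":memory:") -> sqlite3.Connection:
    """Open or create the log. Autocommit mode so transactions are managed explicitly."""
    conn = sqlite3.connect(path, isolation_level=None)
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    return conn


def _digest(row: dict) -> str:
    """Canonical SHA-256 of the hashed fields; fixed key order keeps the digest stable."""
    payload = json.dumps({k: row[k] for k in HASHED_FIELDS}, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


def record(conn, *, site, event, visitor, host, actor, escort=None, detail=None) -> str:
    """Append one entry and return its hash. BEGIN IMMEDIATE serialises writers so two
    front desks cannot both chain onto the same previous entry."""
    if event == "check_in" and not escort:
        raise ValueError("check-in must name the escort (3.10.3); access is a decision")
    conn.execute("BEGIN IMMEDIATE")
    try:
        # Timestamp from the database clock (UTC, millisecond precision), not the client
        ts = conn.execute("SELECT strftime('%Y-%m-%dT%H:%M:%fZ','now')").fetchone()[0]
        last = conn.execute("SELECT entry_hash FROM visitor_log ORDER BY id DESC LIMIT 1").fetchone()
        row = {"recorded_at": ts, "site": site, "event": event, "visitor": visitor,
               "host": host, "escort": escort, "detail": detail, "actor": actor,
               "prev_hash": last["entry_hash"] if last else GENESIS}
        row["entry_hash"] = _digest(row)
        cols = ", ".join(row)
        params = ", ".join(":" + c for c in row)
        conn.execute(f"INSERT INTO visitor_log ({cols}) VALUES ({params})", row)
        conn.execute("COMMIT")
    except Exception:
        conn.execute("ROLLBACK")
        raise
    return row["entry_hash"]


def verify_chain(conn) -> Tuple[bool, Optional[int]]:
    """Recompute every hash and link. Returns (ok, id of the first bad entry or None)."""
    expected_prev = GENESIS
    for r in conn.execute("SELECT * FROM visitor_log ORDER BY id"):
        row = dict(r)
        if row["prev_hash"] != expected_prev or _digest(row) != row["entry_hash"]:
            return False, row["id"]
        expected_prev = row["entry_hash"]
    return True, None


def append_only_enforced(conn) -> bool:
    """True if the database itself refuses an edit to an existing entry."""
    try:
        conn.execute("UPDATE visitor_log SET escort = 'nobody' WHERE id = 1")
    except sqlite3.DatabaseError:
        return True
    return False


def evidence_pack(conn, site: Optional[str] = None) -> dict:
    """Assessor-readable export: entries (optionally for one site) plus chain status."""
    sql, args = "SELECT * FROM visitor_log", ()
    if site:
        sql, args = sql + " WHERE site = ?", (site,)
    entries = [dict(r) for r in conn.execute(sql + " ORDER BY id", args)]
    ok, bad = verify_chain(conn)
    return {"site": site or "all", "entries": entries, "chain_intact": ok, "first_bad_id": bad}


def demo_tamper(conn) -> Tuple[bool, Optional[int]]:
    """Simulate an admin who drops the trigger and edits a row; the chain still catches it."""
    conn.execute("DROP TRIGGER visitor_log_no_update")
    conn.execute("UPDATE visitor_log SET escort = 'unescorted' WHERE id = 2")
    return verify_chain(conn)
```

The two mechanisms answer different assessor questions. The triggers are the "protected from unauthorized change" half of 3.3.x in day-to-day operation; the hash chain is what lets the evidence pack state, at export time, that nothing between the first entry and the last has been altered, and point at the first entry that was if something has. The escort check in `record` is deliberately a hard error rather than a warning: if a check-in can be written without an escort, the record cannot show 3.10.3 was met.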
Where SecurePoint fits
SecurePoint Visitor is built around exactly this evidence problem. Every check-in, identity and sanctions screening result, escort, and access decision is written to an append-only audit log with database-level timestamps, actor, and site — records that can be added to but not quietly edited or deleted. Access is role-based and site-scoped, so a multi-site contractor's FSO can review visitor history across locations while each site keeps day-to-day control. And the whole thing exports as an audit-ready evidence pack in the formats assessors expect, with long-term retention for contracts that need it.
To be clear about scope: SecurePoint does not make you CMMC certified — certification is a C3PAO assessment against your full control set. SecurePoint produces the physical-access evidence for the visitor-facing Physical Protection controls. It is one defensible input to an assessment, not the certification, and it is not legal or assessment advice.
Primary sources
- CMMC Level 2 Assessment Guide (DoD CIO)
- NIST SP 800-171 — Protecting Controlled Unclassified Information
- DFARS 252.204-7012 — Safeguarding Covered Defense Information
- 32 CFR Part 170 — Cybersecurity Maturity Model Certification (CMMC) Program
Control numbering and assessment guidance evolve across NIST SP 800-171 revisions and CMMC program updates. Verify the current requirements against the DoD and your contract before relying on them. This article is educational and is not legal or assessment advice.
Turn the front desk into assessment-ready evidence
See how SecurePoint produces immutable, time-stamped visitor logs, escort records, and exportable evidence packs mapped to CMMC Level 2 and DFARS 252.204-7012.