NIST 800-53 REV 5 • PHYSICAL AND ENVIRONMENTAL PROTECTION

PE-8Visitor Access Records

Maintain visitor access records to the facility where the system resides for {{ insert: param, pe-08_odp.01 }}; Review visitor access records {{ insert: param, pe-08_odp.02 }} ; and Report anomalies in visitor access records to {{ insert: param, pe-08_odp.03 }}.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Visitor access records include the names and organizations of individuals visiting, visitor signatures, forms of identification, dates of access, entry and departure times, purpose of visits, and the names and organizations of individuals visited. Access record reviews determine if access authorizations are current and are still required to support organizational mission and business functions. Access records are not required for publicly accessible areas.

Practitioner Notes

You must maintain a log of all visitors to your facility, including who they visited, when they arrived and left, and their purpose. These records must be reviewed regularly and retained for a defined period.

Example 1: Maintain a visitor log — either a physical sign-in book or a digital visitor management system — that captures: visitor name, organization, person being visited, date, arrival time, departure time, badge number issued, and areas accessed. Review the log weekly for anomalies.

Example 2: Use a digital visitor management system that automatically timestamps entries and exits, stores records electronically, and generates reports. Retain records for at least one year (or longer if required by your contracts or regulations). Flag any visitor who did not properly check out for investigation.

More Physical and Environmental Protection Controls

PE-1 Policy and Procedures PE-2 Physical Access Authorizations PE-2(1) Access by Position or Role PE-2(2) Two Forms of Identification