This entry is the second Practice within the Physical Protection (PE) Domain and the Capability, Limit Physical Access.  This Practice, PE.1.132 – Escort Visitors and Monitor Visitor Activity, aligns with the prior one, PE.1.131, Limiting physical access to organizational information systems and, again, is pretty straight forward.  Essentially, to meet compliance with this Practice, an organization must ensure visitors are escorted within the facility and that they are wearing a visitor badge.  An audit log monitors any and all visitor activity.  The information below is pulled from the CMMC Appendix B (Page B-150 or Page 190 in the PDF).

Discussion from source: draft NIST SP 800-171-R2
Individuals with permanent physical access authorization credentials are not considered visitors.  Audit logs can be used to monitor visitor activity.

CMMC clarification 

Do not allow visitors, even those people you know well, to walk around your facility without an escort. Make sure that all non-employees wear special visitor badges and/or are escorted by an employee at all times while on your property.


Coming back from a meeting, you see the friend of a coworker walking down the hallway near your office. You know this person well and trust them, but are not sure why they are in the building. You stopped to talk, and the person explains that they are supposed to meet the coworker for lunch, but cannot remember where the lunchroom is. You offer to walk the person back to the reception area to get a visitor badge and wait until someone can escort them to the lunch room. You report this incident, and the company decides to install a badge reader at the main door so visitors cannot enter without an escort.

In the next entry, we will cover the third Practice within this Limit Physical Access Capability, PE.1.133, Maintain Audit Logs of Physical Access.

Until then…

Mark Lupo, MBCP, SMP