
PE-8 Visitor Access Records

LI-SaaS
Low
Moderate
High

>Control Description

a. Maintain visitor access records to the facility where the system resides for [Assignment: organization-defined time period];

b. Review visitor access records [Assignment: organization-defined frequency]; and

c. Report anomalies in visitor access records to [Assignment: organization-defined personnel].

>FedRAMP Baseline Requirements

Parameter Values

a. for a minimum of one (1) year
b. at least monthly

>Discussion

Visitor access records include the names and organizations of individuals visiting, visitor signatures, forms of identification, dates of access, entry and departure times, purpose of visits, and the names and organizations of individuals visited. Access record reviews determine if access authorizations are current and are still required to support organizational mission and business functions. Access records are not required for publicly accessible areas.

>Cross-Framework Mappings

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What policies govern visitor access to the facility and controlled areas?
  • How does the organization classify different types of visitors and define access requirements for each?
  • What is the process for advance approval and notification of visitor access?
  • How are visitor escort responsibilities assigned and documented?
  • What governance exists for reviewing visitor access logs and identifying unusual patterns?

Technical Implementation:

  • What systems technically track and record visitor access?
  • How are visitor badges or credentials managed and controlled?
  • What technical controls distinguish between visitor and employee access rights?
  • How are visitor access logs generated and retained?
  • What integration exists between visitor management and access control systems?

Evidence & Documentation:

  • Provide visitor access procedures and forms used for visitor authorization.
  • Provide visitor access logs for the past 90 days.
  • Provide evidence of visitor escort assignments and tracking.
  • Provide documentation of visitor badge issuance and return processes.
  • Provide records of any visitor access violations or incidents.
