- Maintain visitor access records to the facility where the system resides for [Assignment: organization-defined time period];
- Review visitor access records [Assignment: organization-defined frequency]; and
- Report anomalies in visitor access records to [Assignment: organization-defined personnel].
Visitor access records include the names and organizations of individuals visiting, visitor signatures, forms of identification, dates of access, entry and departure times, purpose of visits, and the names and organizations of individuals visited. Access record reviews determine if access authorizations are current and are still required to support organizational mission and business functions. Access records are not required for publicly accessible areas.
Maintain and review visitor access records using [Assignment: organization-defined automated mechanisms].
Limit personally identifiable information contained in visitor access records to the following elements identified in the privacy risk assessment: [Assignment: organization-defined elements].