How long do you keep visitor logs and access control records for a facility that handles classified information?
Visitor logs and access control records for facilities that handle classified information are physical-security records, not the classified material itself. Their retention is generally short to moderate, but the exact period depends on the schedule that governs the record series and on any active investigations, audits, or legal holds.
What drives the retention period
Three things typically determine how long these records are kept:
- The applicable records schedule. For most federal agencies, common administrative and facility-security records are covered by government-wide schedules. Many routine physical-access and visitor records carry retention periods measured in a small number of years, after which they are eligible for destruction.
- Security and accountability needs. Access logs support audits, incident response, and counterintelligence reviews. The retention must be long enough to reconstruct who entered a controlled space during a relevant window.
- Contract, statute, or agency policy. Cleared contractor facilities follow the security requirements imposed on them (for example, through their facility security program), which may set their own minimum retention for entry and visitor records.
Because these periods vary by record type and by organization, treat any single “number of years” with caution. The governing schedule and your security policy are the authoritative answer for your specific records.
Practical guidance
- Identify the exact record series. “Visitor log” and “badge/access-control record” may be separate series with different retention periods.
- Distinguish the log from the classified context. The log is usually unclassified, but it can reveal sensitive patterns, so handle and dispose of it per your security policy even when its retention is short.
- Apply legal holds. If an investigation, audit, FOIA request, or litigation is foreseeable, suspend destruction until the hold is lifted, regardless of the normal cutoff.
- Destroy on schedule and document it. Over-retention creates needless risk; under-retention can violate accountability rules. Record the disposition.
For background on government-wide schedules and the oversight framework for classified national security information, see the declassification topic hub.
The bottom line: confirm the governing schedule and your facility’s security policy, factor in any holds, and dispose only when both clear the record for destruction.
Sources & further reading
Authoritative government and non-profit references.
- General Records Schedules — National Archives (NARA)
- Information Security Oversight Office (ISOO) — National Archives (NARA)
How to cite this page
APA
RM University Editorial. (2026). How long do you keep visitor logs and access control records for a facility that handles classified information?. Records Management University. https://www.recordsmgmt.org/questions/how-long-keep-visitor-logs-and-access-records-for-classified-facility/
MLA
RM University Editorial. "How long do you keep visitor logs and access control records for a facility that handles classified information?." Records Management University, 16 June 2026, www.recordsmgmt.org/questions/how-long-keep-visitor-logs-and-access-records-for-classified-facility/.
Related questions
- Can a hospital or research university hold classified records, and how do FCL and HIPAA rules interact?
- Can a law firm representing a government client retain classified discovery, and who declassifies it after the case?
- Can a multinational company use ISO 15489 as a single recordkeeping standard across all of its countries?
- Can a private citizen request that a specific classified record be declassified?
- Can AI and machine learning reliably assist with declassification review of classified records?