PE.L2-3.10.5: Manage Physical Access Devices
Physical access devices like badges, keycards, and biometric readers are your first line of defense against unauthorized facility access. CMMC Level 2 requires you to implement controls that track, manage, and maintain these devices to prevent CUI exposure. This control ensures your organization maintains visibility and accountability over who can physically enter sensitive areas.
What this means
This control requires organizations to establish and maintain processes for controlling physical access devices used to manage facility entry. You must document all access devices, monitor their usage, implement accountability measures for device distribution and return, and ensure devices are properly maintained and secured. This includes managing keycards, badges, biometric readers, and other authentication mechanisms that control movement into areas containing controlled unclassified information (CUI).
How to comply
- 1.Create an inventory of all physical access devices across your organization with make, model, and location details
- 2.Establish a process for issuing access devices with documented authorization and recipient acknowledgment
- 3.Implement logging mechanisms to track device usage and facility access attempts
- 4.Define procedures for retrieving and deactivating access devices when employees are terminated or reassigned
- 5.Conduct periodic audits of active access devices and compare against current authorized users
- 6.Maintain accountability records showing who issued, received, and manages each device
- 7.Test and maintain access devices regularly to ensure they function properly and securely
- 8.Document all access device configuration changes and security updates
Evidence auditors look for
- Access device inventory spreadsheet with device ID, type, location, and assigned user
- Access device request and approval forms signed by management
- Access logs or audit trails showing who used devices and when
- Device deactivation records for terminated or transferred employees
- Quarterly access device audit reports comparing inventory to active authorization list
- Device maintenance and security patch logs
- Device configuration documentation and change records
- Training records showing employees understand access device security requirements
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates physical access device inventory tracking and links device assignments to user lifecycle events, eliminating manual reconciliation and ensuring deactivation happens when employees leave.
See how GRCWatch handles this control automatically
Start free trial