Controlling and managing physical access devices—card readers, door controllers, biometric scanners, and smart locks—is a core requirement under NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 (PE.L2-3.10.5); this post provides a practical Compliance Framework checklist, technical controls, and small-business examples to help you meet that control with observable evidence and repeatable processes.
Requirement (PE.L2-3.10.5)
This control requires organizations to control and manage physical access devices to prevent unauthorized use, modification, or removal of devices that enforce physical access. For Compliance Framework purposes, you must demonstrate an inventory, secure configuration, lifecycle management, logging and monitoring, and procedural controls for device provisioning, maintenance, and decommissioning.
Key Objectives
The key objectives are:
1) identify and maintain an authoritative inventory of all physical access devices attached to your environment;
2) ensure device integrity and secure communications (e.g., encrypted channels, authenticated management);
3) implement access controls for device administration;
4) retain and review logs of administrative and access events; and
5) apply lifecycle policies (procurement, patching, decommissioning) with change control and evidence trails.
Implementation Notes (practical, Compliance Framework–specific)
Start with a Configuration Management Database (CMDB) or a simple asset spreadsheet listing device type, serial, model, firmware, management IP/MAC, location, vendor support contract, and responsible owner. For networked devices prefer secure protocols: use OSDP (Open Supervised Device Protocol) with secure channel for controller-to-reader connections rather than unencrypted Wiegand; require TLS 1.2+ for IP controllers and web/REST management interfaces; use SNMPv3 if monitoring is needed. Isolate controllers on a management VLAN with firewall rules to limit management ports to an admin jump host or VPN, and require MFA for any console or cloud portal logins. Ensure NTP synchronization for accurate logs and forward device logs to a centralized syslog/SIEM with retention that meets your evidence requirements.
Implementation Checklist (actionable items and evidence)
Checklist items (each must map to an objective and provide evidence):
1) Inventory: CMDB export or spreadsheet with timestamps and signatures;
2) Secure configuration: configuration snapshots showing disabled default accounts and changed passwords, and evidence of TLS/OSDP usage;
3) Network controls: VLAN/firewall rules and switch port configs that show isolation of device management traffic;
4) Administrative controls: RBAC screenshots, MFA enforcement logs, and an access approval ticket trail;
5) Logging: syslog forwarding configuration, SIEM ingests, and a sample audit log of device admin events;
6) Patch and firmware management: vendor patch schedule, test-change tickets, and firmware update records;
7) Decommissioning: asset disposition forms showing sanitization and physical disposal;
8) Contracts: vendor support/SLA or DoD-friendly terms where applicable.
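Much of the evidence above can be produced from the CMDB itself. The following added example (not code from the original post or from any vendor) takes a constructed CMDB export carrying the fields listed in the implementation notes, merged with facts from a configuration snapshot, and reports findings keyed to the checklist item numbers; the field names, the management VLAN range (10.50.0.0/24) and the vendor firmware baseline are assumptions for illustration.

```python
# Added example (not from the original post): checks a CMDB export of physical
# access devices, merged with configuration snapshot facts, against the checklist
# items. Field names, VLAN range and firmware baseline are constructed assumptions.
import ipaddress

MGMT_VLAN = ipaddress.ip_network("10.50.0.0/24")  # assumed management VLAN
REQUIRED = ("type", "serial", "model", "firmware", "mgmt_ip", "mac", "location", "owner")
FIRMWARE_BASELINE = {"CTRL-100": "4.2.1"}  # constructed vendor-current version

# Constructed CMDB rows; the second controller is deliberately non-compliant.
DEVICES = [
    {"type": "controller", "serial": "C-0001", "model": "CTRL-100", "firmware": "4.2.1",
     "mgmt_ip": "10.50.0.11", "mac": "00:11:22:33:44:01", "location": "Front door",
     "owner": "it@example.test", "reader_protocol": "OSDP", "tls_min": "1.2",
     "default_accounts_disabled": True, "ntp": True, "syslog_target": "10.50.0.5"},
    {"type": "controller", "serial": "C-0002", "model": "CTRL-100", "firmware": "4.1.0",
     "mgmt_ip": "192.168.1.40", "mac": "00:11:22:33:44:02", "location": "Loading dock",
     "owner": "", "reader_protocol": "Wiegand", "tls_min": "1.0",
     "default_accounts_disabled": False, "ntp": False, "syslog_target": None},
]

def version(v):
    """Turn a dotted version string into a comparable tuple of ints."""
    return tuple(int(p) for p in v.split("."))

def check_device(dev):
    """Return (checklist_item, message) findings for one device record."""
    findings = []
    missing = [f for f in REQUIRED if not dev.get(f)]
    if missing:                                       # item 1: inventory completeness
        findings.append((1, "inventory fields missing: " + ", ".join(missing)))
    if str(dev.get("reader_protocol", "")).upper() != "OSDP":   # item 2: secure config
        findings.append((2, f"reader link uses {dev.get('reader_protocol')}, not OSDP"))
    if version(dev.get("tls_min", "0")) < (1, 2):
        findings.append((2, f"TLS minimum {dev.get('tls_min')} is below 1.2"))
    if not dev.get("default_accounts_disabled"):
        findings.append((2, "default accounts still enabled"))
    ip = dev.get("mgmt_ip")
    if ip and ipaddress.ip_address(ip) not in MGMT_VLAN:        # item 3: network isolation
        findings.append((3, f"management IP {ip} is outside the management VLAN"))
    if not dev.get("ntp") or not dev.get("syslog_target"):       # item 5: logging
        findings.append((5, "NTP or syslog forwarding not configured"))
    baseline = FIRMWARE_BASELINE.get(dev.get("model"))
    if baseline and version(dev.get("firmware", "0")) < version(baseline):  # item 6
        findings.append((6, f"firmware {dev.get('firmware')} is behind baseline {baseline}"))
    return findings

def audit(devices=DEVICES):
    """Map each serial to its findings; an empty list means the device passes."""
    return {d["serial"]: check_device(d) for d in devices}
```

Running `audit()` over a real CMDB export on a schedule, and archiving the output with the export, gives a timestamped artifact for checklist items 1, 2, 3, 5 and 6 in one pass.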
Real-world Examples and Scenarios for a Small Business
Example A — Small engineering firm in a single building: Use a cloud-managed access control system that supports OSDP and central logging; maintain an asset spreadsheet and a monthly backup of access control configs (downloaded JSON/XML) stored in the firm’s encrypted file server; restrict management to the office IT team's VPN and require Azure AD SAML + MFA for the vendor portal.
Example B — Small manufacturer with multiple doors: Put door controllers on a dedicated VLAN, configure the switch so controllers can only communicate with the vendor cloud or the on-prem management host, enable tamper switches on critical readers, and keep a paper backup of master keys and a sealed chain-of-custody log for credential issuance and revocation.
Compliance Tips and Best Practices
Prioritize the following: replace or mitigate legacy Wiegand links (use protocol converters to OSDP or encapsulate over secure VPN), change default credentials during commissioning and store secrets in an enterprise password manager, configure role-based admin accounts and avoid shared credentials, schedule quarterly reviews of the inventory and annual firmware risk assessments, and integrate physical access logs into your incident response runbooks. For low-budget organizations, choose cloud-managed systems with built-in logging and well-documented APIs to export evidence—just ensure vendor SLAs and data handling meet DoD and CUI requirements.
Risk of Not Implementing the Requirement
Failing to properly control and manage physical access devices increases the risk of unauthorized entry to facilities hosting Controlled Unclassified Information (CUI), tampering with controllers to escalate privileges, credential cloning, and supply-chain risks from unpatched device firmware. Non-compliance can lead to lost contracts, notifications or remediation demands from prime contractors or the DoD, reputational damage, and direct operational impacts such as theft or sabotage.
Summary
To meet PE.L2-3.10.5 under NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2, build a checklist that maps inventory, secure protocols, RBAC and MFA for admin access, logging and centralization, patching and lifecycle controls, and documented procedures for provisioning and decommissioning—each with concrete evidence artifacts. Begin with an accurate CMDB, apply secure protocols (OSDP/TLS/SNMPv3), isolate and monitor devices on the network, enforce change control, and integrate logs into your SIEM and incident response playbooks to produce auditable, repeatable compliance proof for auditors and primes.