Requirement
NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - PE.L2-3.10.5 – Control and manage physical access devices.
Understanding the Requirement
This control from NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 requires organizations to identify, control, and manage all physical access devices (keys, key cards, PINs, smart cards, etc.) so that only authorized personnel have persistent access to facilities. The objectives are to ensure that every physical access device is inventoried and tracked, that issuance is limited to people with a business need, and that devices are promptly reclaimed or disabled when no longer required. In practice this means having a policy for issuance and return, a maintained inventory, and procedures to change or revoke credentials when roles change or staff depart.
Technical Implementation
- Create and maintain a physical access device inventory: Record every key, card, PIN, and smart device with a unique identifier, assigned holder, issue date, issuing authority, and expected return date. Store this inventory centrally, either in an access-controlled spreadsheet or as records in your access control system.
- Formalize issuance procedures: Require written or electronic approval (manager + facilities/HR) before issuing permanent or long-term devices. Label devices with asset tags and assign a custodian responsible for tracking issuance and returns.
- Integrate HR and facilities workflows: Tie badge/key issuance and revocation to HR events (hire, transfer, termination). Implement an automated or documented notification path so access devices are disabled or collected the same day an employee’s access is revoked.
- Deprovision promptly and securely: When access is no longer required, collect keys/cards or immediately disable them in the access control system. For shared PINs or combination locks, change combinations on a defined schedule and after known exposures (e.g., after employee departure or lost device).
- Secure storage and handling: Store spare keys, master cards, and programming tools in a locked container with restricted access. Limit who can clone or program cards to specific staff and require two-person control for access to master keys.
- Audit and test regularly: Perform quarterly reconciliations of the inventory against issued devices and physical checks of sensitive areas. Log all issuance and revocation actions and review logs monthly to detect anomalies (e.g., repeated reissues, unexplained missing devices).
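As an added example (not part of the original page or any specific product), the following Python sketch models the steps above: an inventory record per device, a refusal to issue without a documented approver, same-day disablement driven by an HR event, and a quarterly reconciliation that reports orphaned, missing, unknown and repeatedly reissued devices. Record fields, the reissue threshold and all sample data are constructed for illustration.

```python
from collections import Counter

REISSUE_THRESHOLD = 2  # constructed: more than 2 issuances to one holder flags a review

def issue(inventory, log, serial, holder, kind, approver, when):
    """Record an issuance; refused without a documented approver (manager/HR)."""
    if not approver:
        raise ValueError("issuance requires documented approval")
    inventory[serial] = {"holder": holder, "kind": kind, "status": "active",
                         "issued": when, "approver": approver}
    log.append({"action": "issue", "serial": serial, "holder": holder, "when": when})

def revoke_holder(inventory, log, holder, when, reason="termination"):
    """HR event (termination/transfer): disable every active device held by that person."""
    disabled = []
    for serial, rec in inventory.items():
        if rec["holder"] == holder and rec["status"] == "active":
            rec["status"] = "disabled"
            log.append({"action": reason, "serial": serial, "holder": holder, "when": when})
            disabled.append(serial)
    return disabled

def reconcile(inventory, log, on_hand, departed):
    """Quarterly check of records against physical stock and HR's roster of leavers."""
    stored = {s for s, r in inventory.items() if r["status"] in ("spare", "returned")}
    issued_per_holder = Counter(e["holder"] for e in log if e["action"] == "issue")
    return {
        # active credential still assigned to someone HR says has left
        "orphaned": sorted(s for s, r in inventory.items()
                           if r["status"] == "active" and r["holder"] in departed),
        "missing": sorted(stored - set(on_hand)),      # not found in the locked container
        "unknown": sorted(set(on_hand) - set(inventory)),  # physical device with no record
        # holders issued devices more often than the threshold (loss or abuse pattern)
        "repeated_reissue": sorted(h for h, n in issued_per_holder.items()
                                   if n > REISSUE_THRESHOLD),
    }

def demo():
    inv, log = {}, []  # constructed small-office data
    issue(inv, log, "C-0001", "E100", "card", "mgr-ops", "2024-01-08")
    for serial in ("C-0002", "C-0003", "C-0004"):  # E101 keeps losing cards
        issue(inv, log, serial, "E101", "card", "mgr-eng", "2024-02-01")
    issue(inv, log, "C-0005", "E102", "card", "mgr-eng", "2024-03-04")
    for serial in ("C-0100", "C-0101"):  # unissued spares kept in the locked container
        inv[serial] = {"holder": None, "kind": "card", "status": "spare"}
    disabled = revoke_holder(inv, log, "E100", "2024-04-02")
    # E102 has left per HR but nobody revoked; spare C-0101 was not found on the shelf
    findings = reconcile(inv, log, on_hand=["C-0100", "C-0200"], departed={"E102"})
    return disabled, findings
```

Each finding maps to a review action from the list above: disable the orphaned card, search for or write off the missing spare, trace the unknown card, and ask why one holder needed three cards in a quarter.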
Example in a Small or Medium Business
Acme Solutions is a 60-person engineering firm that stores sensitive client documentation in a locked server room and has a single public entrance with badge readers. They create a simple policy: only staff with a documented business need get permanent cards, and managers must approve issuance through HR. The office manager maintains a secure spreadsheet listing every card by serial number, assigned employee, issue date, and status; cards are labeled with non-sensitive asset tags. When someone resigns or is terminated, HR sends an automatic “revocation” email to the office manager and IT, who disable the badge in the access control system the same day and request physical return of the card. If a badge is lost, the employee reports it, the badge is disabled immediately, and a replacement is issued after identity verification; the lost badge is recorded and flagged for follow-up. Server-room access uses a separate key card and a numeric code for one lock; when access requirements change or a code exposure is suspected, the facilities lead changes the code and updates the inventory. Every quarter the office manager runs a reconciliation between the inventory and the hardware on hand, and the results are reviewed with IT and HR to ensure accountability and timely corrective actions.
Summary
By combining a clear policy for issuance and return with technical controls (inventory, access control system disablement, asset labeling) and integrated HR/facilities workflows, SMBs can ensure physical access devices are identified, controlled, and managed. Regular audits, prompt deprovisioning on role changes, and secure storage of master devices close the loop — reducing the risk that lost, stolen, or orphaned keys and cards allow unauthorized facility access.