CMMC Level 2 Practice 3.10.5: Control and manage physical access devices
CMMC Level 2 Practice 3.10.5 requires you to control and manage physical access devices (badges, keys, fobs, smart cards, and similar) so only authorized people can access spaces that store or process CUI. To operationalize it fast, build an inventory, define issuance and retrieval workflows, log changes, and retain evidence that devices are tracked, revoked, and periodically reviewed. 1
Key takeaways:
- Keep a complete inventory of physical access devices mapped to people, locations, and authorization status. 1
- Prove operations with logs: issuance, changes, revocation, loss/theft handling, and periodic reviews. 1
- Scope matters: apply the control to all facilities and areas in the CUI environment boundary defined for CMMC Level 2. 2
For most CMMC Level 2 programs, physical access controls fail in predictable ways: unmanaged spare keys, badge access that lingers after termination, and “temporary” visitor badges that never get reconciled. Practice 3.10.5 addresses a narrow but high-impact slice of that problem: the physical access devices that grant entry to controlled areas.
This requirement is practical. Assessors will look for a coherent system that answers three questions with evidence: (1) what devices exist, (2) who has them and why, and (3) how you disable or recover them when access should end. “Control and manage” is not satisfied by a policy alone; you need operational workflows and records that show the workflows run as designed. 1
If you are a Compliance Officer, CCO, or GRC lead, your fastest path is to treat 3.10.5 like an access lifecycle control: inventory, authorize, issue, track, revoke, and review. Then map those motions to your CUI boundary and retain assessor-ready artifacts. 2
Regulatory text
Excerpt (as provided): “CMMC Level 2 practice mapped to NIST SP 800-171 Rev. 2 requirement 3.10.5 (Control and manage physical access devices).” 1
Operator meaning: You must maintain control over the “things that open doors” to areas that store, process, or transmit CUI. That includes issuing devices only to authorized individuals, tracking devices throughout their lifecycle, and promptly disabling/recovering devices when no longer needed. Your goal is to prevent unauthorized physical access by ensuring physical access devices are not unaccounted for, shared without approval, or active after someone’s authorization ends. 1
Where it sits in the program: CMMC Level 2 aligns to NIST SP 800-171 Rev. 2 practices, and assessment expectations flow from the CMMC program structure in 32 CFR Part 170 and DoD program guidance. 3 2
Plain-English interpretation (what an assessor expects you to be able to prove)
You can satisfy 3.10.5 if you can show, with repeatable evidence, that:
- You know every physical access device that can get someone into a controlled area.
- Every device is assigned to a specific person (or controlled pool) with a defined approval.
- Device changes are tracked (issued, replaced, disabled, returned).
- Offboarding, role change, loss/theft, and contractor end-dates trigger revocation and recovery.
- You periodically reconcile devices against HR rosters and access lists. 1
Who it applies to (entity and operational context)
Entities: Defense contractors and federal contractors handling CUI that must meet CMMC Level 2 requirements. 2
Operational scope: Apply the practice to:
- Buildings, suites, labs, data centers, cages, rooms, and secure storage locations within your CUI boundary.
- Physical access devices that grant entry to those spaces, including:
  - Employee badges and smart cards
  - Keys (including master keys)
  - Fobs and proximity cards
  - Mechanical combinations or issued tokens for locks
  - Visitor badges if they grant access beyond escorted entry (treat as devices requiring control) 1
Third parties: Include contractors, cleaning crews, and other third parties who receive keys/badges for after-hours access to CUI areas. Your control breaks if third-party access devices are “handled by Facilities” with no compliance trail. 1
What you actually need to do (step-by-step)
1) Define the CUI physical boundary for this practice
- List the physical areas where CUI is stored/processed (rooms, cabinets, secure enclaves).
- Identify all entry points and the devices that control them (doors, gates, cages, lockboxes).
Deliverable: “CUI Physical Areas & Entry Points Register.” 2
2) Build a physical access device inventory (the control’s backbone)
Create a single inventory (spreadsheet is acceptable if controlled) with:
- Device ID/serial (or unique internal ID)
- Device type (badge, key, fob)
- Holder (person + employee/contractor ID)
- Authorized areas/doors
- Issue date, expiration date (if used), return date
- Status (active, lost, stolen, disabled, returned, destroyed)
- Approver and ticket/reference (HR request, access request)
Deliverable: “Physical Access Devices Inventory.” 1
3) Formalize issuance (no device without an authorization trail)
- Require a documented request and approval to issue a device.
- Verify identity at issuance.
- Record acknowledgement of responsibilities (no sharing, loss reporting).
- For contractors, require start/end date alignment with the engagement.
Deliverables: Access request form or ticket workflow, issuance log, signed acknowledgement (digital is fine). 1
4) Control changes: replacement, re-badging, and re-keying
- Replacement due to damage: disable old device, issue new device, record linkage.
- Role change: adjust door groups and document approval.
- High-risk events (lost master key, compromised badge system): document incident and compensating actions (re-key, disable badge IDs).
Deliverables: change tickets, updated inventory entries, door group reports. 1
5) Offboarding and end-of-access (the failure point assessors probe)
Trigger events:
- Termination (voluntary/involuntary)
- Contract end
- Facility transfer
- Loss of need-to-know / authorization change
Required actions:
- Disable badge access promptly through your access control system.
- Recover devices (badge/key/fob) or document “not recovered” with risk response.
- Update inventory status and retain the deprovision record.
Deliverables: HR termination feed evidence, offboarding checklist, badge deactivation report, inventory update. 1
6) Run reconciliations and exception management
- Reconcile HR roster vs badge system users.
- Reconcile inventory vs actual devices issued/returned (spot checks).
- Resolve exceptions: “unknown holder,” “active badge for terminated employee,” “missing visitor badge.”
Deliverables: reconciliation report, exception tickets, remediation evidence. 1
7) Make evidence capture routine (so you are always assessment-ready)
Operationalize recurring evidence collection:
- Monthly snapshot of active badge holders for CUI areas
- Recent issuance/revocation tickets
- Inventory export showing status changes
- Report of lost/stolen devices and closure actions
Daydream tip: Use Daydream to map 3.10.5 to your specific operating procedure and automatically request/collect recurring evidence from Facilities, HR, and Security without chasing emails. 2
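The reconciliation in step 6 is the part of this lifecycle that is easiest to automate and the part assessors most often ask to see run. The script below is an added example, not code from the page or from Daydream: it takes the three sources named above (the inventory from step 2, an HR roster, and an export of active badges from the badge system) and produces the exception list step 6 calls for (“unknown holder,” “active badge for terminated employee,” devices missing from one source, contractor devices past their end date). All sample records, IDs, dates, and field names are constructed for the example; a real run would load them from your inventory export, HRIS feed, and access control system report.

```python
"""Reconcile a physical access device inventory against the HR roster and the
badge-system export (CMMC 3.10.5, step 6). Example code, not the page's own."""
from datetime import date

# --- Constructed sample inputs (illustrative only) ---
AS_OF = date(2024, 3, 15)

HR_ROSTER = {  # person id -> HR record (status, engagement/employment end date)
    "E100": {"status": "active", "end_date": None},
    "E101": {"status": "terminated", "end_date": date(2024, 3, 1)},
    "C200": {"status": "active", "end_date": date(2024, 2, 15)},  # contractor past end date
}

BADGE_SYSTEM_ACTIVE = {  # badge id -> holder id, as exported from the access control system
    "BADGE-01": "E100",
    "BADGE-02": "E101",
    "BADGE-09": "E999",  # badge the inventory has never heard of
}

INVENTORY = [  # one row per device, a subset of the step 2 fields
    {"device_id": "BADGE-01", "type": "badge", "holder": "E100", "status": "active"},
    {"device_id": "BADGE-02", "type": "badge", "holder": "E101", "status": "active"},
    {"device_id": "BADGE-03", "type": "badge", "holder": "E100", "status": "returned"},
    {"device_id": "KEY-07", "type": "key", "holder": "C200", "status": "active"},
    {"device_id": "KEY-08", "type": "key", "holder": "", "status": "active"},  # no holder recorded
]


def check_holder(device_id, holder, hr_roster, as_of):
    """Return an exception tuple if HR does not support this active assignment, else None."""
    if not holder:
        return ("unknown holder", device_id, "")
    person = hr_roster.get(holder)
    if person is None:
        return ("holder not in HR roster", device_id, holder)
    if person["status"] == "terminated":
        days = (as_of - person["end_date"]).days  # timeliness: how long the device stayed active
        return ("active device for terminated person", device_id, f"{holder}, {days} days since end")
    if person["end_date"] is not None and as_of > person["end_date"]:
        return ("active device past engagement end date", device_id, holder)
    return None


def reconcile(inventory, hr_roster, badge_active, as_of):
    """Return a sorted list of (exception, device_id, detail) tuples."""
    exceptions = set()
    inv_active = {d["device_id"]: d["holder"] for d in inventory if d["status"] == "active"}
    inv_active_badges = {d["device_id"] for d in inventory
                         if d["type"] == "badge" and d["status"] == "active"}

    # Check 1: inventory vs badge system, in both directions, plus holder agreement.
    for badge_id in badge_active.keys() - inv_active_badges:
        exceptions.add(("active in badge system but not active in inventory",
                        badge_id, badge_active[badge_id]))
    for badge_id in inv_active_badges - badge_active.keys():
        exceptions.add(("active in inventory but not active in badge system",
                        badge_id, inv_active[badge_id]))
    for badge_id in badge_active.keys() & inv_active_badges:
        if badge_active[badge_id] != inv_active[badge_id]:
            exceptions.add(("holder mismatch between badge system and inventory", badge_id,
                            f"inventory={inv_active[badge_id]} badge_system={badge_active[badge_id]}"))

    # Check 2: every active assignment from either source vs HR (keys included).
    assignments = dict(inv_active)
    assignments.update(badge_active)
    for device_id, holder in assignments.items():
        exc = check_holder(device_id, holder, hr_roster, as_of)
        if exc is not None:
            exceptions.add(exc)
    return sorted(exceptions)


if __name__ == "__main__":
    # Each line is one exception ticket to open and close with remediation evidence.
    for exc in reconcile(INVENTORY, HR_ROSTER, BADGE_SYSTEM_ACTIVE, AS_OF):
        print(f"{exc[0]:55} {exc[1]:10} {exc[2]}")
```

Run monthly and keep the printed output (or a CSV of the returned tuples) with the source exports it was computed from; that pairing is the reconciliation report plus the evidence of what fed it. Note that a device only counts as reconciled when it is active in neither source or active in both with the same holder, which is why the inventory-versus-badge-system check runs in both directions before any HR check.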
Required evidence and artifacts to retain
Use this as your minimum evidence pack for 3.10.5:
- Physical Access Devices Inventory (current + historical changes)
- Access request/approval records (tickets or forms)
- Issuance records (who, what, when, by whom)
- Deactivation/revocation records (badge system logs or reports)
- Offboarding checklists showing device return or documented non-return
- Lost/stolen device reports and corrective actions
- Reconciliation reports and exception remediation tickets
- Written procedure describing device management lifecycle and roles/responsibilities 1
Common exam/audit questions and hangups
Assessors commonly press on:
- Inventory completeness: “How do you know this is all keys and badges for CUI spaces?”
- Shared devices: “Do any keys or badges get shared across shifts? Where is that approved and tracked?”
- Timeliness of revocation: “Show a recent termination and the badge disable record.”
- Visitor handling: “Can a visitor badge open controlled doors? How do you reconcile visitor badges at day-end?”
- Third-party access: “Which third parties have after-hours devices and how do you remove access at contract end?” 1
Frequent implementation mistakes (and how to avoid them)
- Mistake: Treating “Facilities has it” as a control. Fix: Put Facilities, Security, and HR into one workflow with a single source-of-truth inventory and ticket trail. 1
- Mistake: No unique identifiers for keys. Fix: Tag keys (or key rings) with IDs and record issuance/return. For master keys, require stricter approval and storage controls. 1
- Mistake: Badge access groups don’t match the CUI boundary. Fix: Map doors to “CUI areas,” then map badge groups to those doors, then map people to groups with approvals. 2
- Mistake: Relying on screenshots instead of system reports. Fix: Export access control logs/reports and store them with timestamps and context. Screenshots are fragile evidence. 1
Risk implications (why this practice matters operationally)
If you cannot account for physical access devices, you cannot credibly claim controlled physical access to CUI areas. The practical risk is straightforward: a retained badge or untracked key can bypass your cyber controls by enabling direct access to endpoints, printers, file cabinets, or network ports inside the boundary. For CMMC Level 2, that becomes an assessment and contractual risk tied to the CMMC program requirements in 32 CFR Part 170 and DoD guidance. 3 2
Practical 30/60/90-day execution plan
First 30 days (stabilize and scope)
- Confirm the CUI physical boundary and list controlled areas and doors. 2
- Pull current badge holder lists and key logs from Facilities/Security.
- Stand up a draft Physical Access Devices Inventory and assign an owner.
- Document an interim process: issuance, return, lost/stolen, and termination disable steps. 1
Days 31–60 (operationalize lifecycle control)
- Implement a single intake path for access requests (ticketing or form with approval).
- Connect HR offboarding to automatic notifications for badge disable and device recovery tasks.
- Establish visitor device handling rules for controlled areas (escort, timeboxing, return).
- Start collecting recurring evidence (exports, tickets, reconciliations) into an assessment folder. 1
Days 61–90 (prove repeatability)
- Run your first full reconciliation (HR roster vs badge users vs inventory) and close exceptions.
- Test two scenarios and retain evidence: termination and lost device.
- Review door group mappings against the CUI boundary; correct over-permissive access.
- Use Daydream to map 3.10.5 to your SOP and set scheduled evidence requests so the control stays “always ready.” 2
Frequently Asked Questions
Does 3.10.5 apply to mechanical keys, or only electronic badges?
It applies to physical access devices broadly, which includes keys and other devices that grant entry to controlled areas. Track keys the same way you track badges: inventory, issuance, return, and revocation status. 1
We have shared keys for a lab. Is that automatically noncompliant?
Shared devices create accountability gaps, which assessors will question. If shared access is unavoidable, treat the key set as a controlled pool with formal checkout logs, defined approvers, and periodic reconciliation. 1
What’s the minimum evidence to show “control and manage” during a CMMC assessment?
Bring the inventory plus a small set of real transactions: an issuance record, a role change record, and a termination or contract-end deactivation record. Add a reconciliation report showing you can detect and fix discrepancies. 1
Do visitor badges need to be in the inventory?
If visitor badges can open doors into controlled areas, treat them as physical access devices and manage issuance/return and reconciliation. If visitors are always escorted and badges do not grant unescorted entry, document that design and keep the visitor log. 1
Who should own this control: Security, Facilities, HR, or IT?
Assign one accountable control owner in GRC or Security, then document supporting roles for Facilities (keys/locks), Security (badge system), and HR (joiner/mover/leaver triggers). Assessors look for clear ownership and repeatable operations. 1
How does this map to CMMC scoping and assessment expectations?
CMMC Level 2 assessments evaluate implementation of NIST SP 800-171 Rev. 2 practices within your defined CUI boundary. Keep your device management evidence aligned to the spaces and systems you’ve included in that boundary. 2 3
Footnotes
1) NIST SP 800-171 Rev. 2
2) DoD CMMC Program Guidance
3) 32 CFR Part 170