CMMC, NIST SP 800-171, Physical Access Device

Control and Manage Physical Access Devices – NIST SP 800-171 & CMMC 2.0

How do you meet the security requirement 3.10.5 “Control and manage physical access devices”?

Join our newsletter:

Requirement 3.10.5: Control and manage physical access devices

What is a Physical Access Device?

A physical access device refers to objects such as traditional keys used to unlock doors, and RFID key cards/fobs. Physical access devices grant access to locked doors. Something like a YubiKey or a DoD Common Access Card (CAC) may also be a physical access device even though they also provide access to computer systems. The key concept to grasp is that anything that unlocks a door or provides access to a location is a physical access device.

How do you Control Physical Access Devices?

When personnel no longer require extended access to your facility then you should take or disable their physical access device. As part of your onboarding process, have terminated personnel return their keys or RFID cards.
If someone loses their RFID card you should disable it. If they lose a traditional key, you should change the lock to the doors where the key is used.

How do you Manage Physical Access Devices?

To manage physical access devices, you should first create an inventory of them. RFID cards and traditional keys often have serial numbers associated with them. Document these serial numbers and the personnel the keys were assigned to. You should also document what areas of your facility these keys grant access to. It is also a clever idea to document when you provided the physical access device to the person and when they turned it back in.


In summary a physical access device is any device used to provide access to your facility. This can include traditional keys and key fobs. You should only give physical access devices to personnel who are authorized to have extended access to your facility. You should take back physical access devices from terminated personnel and maintain an inventory of them.

Discover Our Cybersecurity Complaince Solutions:


NIST SP 800-171 & CMMC Compliance

Whether you need to meet and maintain your NIST SP 800-171 & CMMC 2.0 compliance requirements, help your clients meet them, or verify sub-contractor compliance we have the expertise and solution for you.

HIPAA Compliance

Whether you need to meet and maintain your HIPAA compliance requirements or help your clients meet them we have the expertise and solution for you.