• Requirement

    Control and manage physical access devices.

  • Discussion

    Physical access devices include keys, locks, combinations, and card readers.

More Info

  • Title

    Manage Physical Access (CUI)
  • Domain

    Physical Protection
  • CMMC Level

  • Further Discussion

    Identifying and controlling physical access devices (e.g., locks, badges, key cards) is just as important as monitoring and limiting who is able to physically access certain equipment. Physical access devices are only strong protection if you know who has them and what access they allow. Physical access devices can be managed using manual or automatic processes such a list of who is assigned what key, or updating the badge access system as personnel change roles.


    You are a facility manager. A team member retired today and returns their company keys to you. The project on which they were working requires access to areas that contain equipment with CUI. You receive the keys, check your electronic records against the serial numbers on the keys to ensure all have been returned, and mark each key returned [c].

    Potential Assessment Considerations

    • Are lists or inventories of physical access devices maintained (e.g., keys, facility badges, key cards) [a]?
    • Is access to physical access devices limited (e.g., granted to, and accessible only by, authorized individuals) [b]?
    • Are physical access devices managed (e.g., revoking key card access when necessary, changing locks as needed, maintaining access control devices and systems) [c]?

NIST 800-171A Assessment Guidance

CMMC Training

Our CMMC Overview Course simplifies CMMC. Enroll so you can make informed decisions!