Physical access devices managed

ab-001562 · gov-cmmc-level-1.physical-protection.physical-devices
Severity: low · Status: active

Why it matters

CMMC 2.0 PE.L1-3.10.5 (NIST 800-171r2 3.10.5) requires that organizations manage physical access devices — keys, badges, and tokens — that control entry to FCI-processing areas. An untracked badge issued to a former employee, or a lost key with no revocation procedure, creates an indefinite physical access risk with no audit trail. Physical device management is a procedural control that cannot be evaluated through code inspection but is a required evidence item during any CMMC formal assessment.

Severity rationale

Low severity because physical device management is always skipped in code audits — it becomes a higher-severity finding if device revocation failures are discovered during physical assessment.

Remediation

Document your physical access device management procedures in SECURITY.md. Assessors look for inventory, issuance, and revocation procedures:

## Physical Access Devices (PE.L1-3.10.5)
- Badge and key inventory maintained and reviewed quarterly
- Devices issued only after background check approval; recorded in access registry
- Departing employees: badge deactivated and key retrieved on last working day
- Lost or stolen devices: reported to security within 4 hours; deactivated immediately
- Spare devices stored in locked cabinet accessible to facility manager only

Tie device issuance and revocation to your HR offboarding checklist — the most common failure mode is delay between employment termination and badge deactivation.

Detection

  • ID: gov-cmmc-level-1.physical-protection.physical-devices

  • Severity: low

  • CMMC Practice: PE.L1-3.10.5

  • What to look for: This check evaluates physical facility controls that cannot be verified through code analysis and is automatically skipped. Count all physical device management references in documentation. Full CMMC Level 1 compliance requires at least 1 device management procedure covering: inventory of physical access devices (keys, badges, tokens), procedures for issuing and revoking devices, and processes for handling lost or stolen devices.

  • Pass criteria: This check is automatically skipped because physical facility controls cannot be verified through code inspection alone. If physical security documentation exists, at least 1 reference to device management procedures is present. Report even on skip: "Physical device management documentation status: [present/absent]."

  • Fail criteria: This check cannot fail through code inspection — it is automatically skipped. Physical facility inspection is required for PE.L1-3.10.5 compliance. Example: "PE.L1-3.10.5 cannot be evaluated through code — requires physical site audit"

  • Skip (N/A) when: ALWAYS — this check evaluates physical facility controls that cannot be verified through code inspection.

  • Detail on skip: "Physical protection practice PE.L1-3.10.5 — control and manage physical access devices. Outside scope of code-level audit. Assess through physical facility inspection."

  • Remediation: Document your device management procedures in SECURITY.md:

    ## Physical Access Devices
    - Badge inventory reviewed quarterly
    - Lost/stolen badges deactivated within 24 hours
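
The detection bullets above describe a check that is always skipped but still reports a documentation status and counts device-management references in SECURITY.md. The following Python script is an added example of that reporting logic, not the audit tool's own code: it isolates the "Physical Access Devices" section (falling back to the whole file), matches the three procedure areas the check names (inventory, issuance/revocation, lost or stolen handling), and emits the skip detail with a present/absent status. The keyword regexes, the `DeviceDocResult` shape and the sample SECURITY.md text are this example's own assumptions.

```python
"""Documentation-status reporter for CMMC PE.L1-3.10.5 (physical access devices).

Added example; not the audit tool's own implementation. The check is always
skipped because physical controls cannot be verified from code, so this only
reports whether SECURITY.md documents the procedure areas the check looks for.
"""
import re
from dataclasses import dataclass, field

# One keyword pattern per procedure area named in the check description.
# These regexes are an assumption of this example, not the tool's matching rules.
PROCEDURE_PATTERNS = {
    "inventory": re.compile(r"\b(inventory|access registry|register)\b", re.I),
    "issuance_revocation": re.compile(
        r"\b(issu(ed|ance)|revok(ed|ation)|deactivat(ed|ion)|retriev(ed|al))\b", re.I),
    "lost_stolen": re.compile(r"\b(lost|stolen|missing)\b", re.I),
}

HEADING = re.compile(r"^(#+)\s*(.*)$")


@dataclass
class DeviceDocResult:
    status: str = "skipped"             # the check never passes or fails
    documentation_status: str = "absent"
    areas_found: list = field(default_factory=list)
    reference_count: int = 0
    detail: str = ""


def extract_section(markdown: str, title_keyword: str = "physical access device") -> str:
    """Return the body under the first heading whose title mentions title_keyword,
    up to the next heading of the same or higher level; '' if no such section."""
    lines = markdown.splitlines()
    start = level = None
    for i, line in enumerate(lines):
        m = HEADING.match(line)
        if m and title_keyword in m.group(2).lower():
            start, level = i, len(m.group(1))
            break
    if start is None:
        return ""
    body = []
    for line in lines[start + 1:]:
        m = HEADING.match(line)
        if m and len(m.group(1)) <= level:
            break
        body.append(line)
    return "\n".join(body)


def assess_device_documentation(security_md: str) -> DeviceDocResult:
    """Count device-management references and build the skip detail message."""
    # Prefer the dedicated section; fall back to the whole document.
    section = extract_section(security_md) or security_md
    result = DeviceDocResult()
    for area, pattern in PROCEDURE_PATTERNS.items():
        hits = pattern.findall(section)
        if hits:
            result.areas_found.append(area)
            result.reference_count += len(hits)
    # The page's pass criterion on skip: at least one reference present.
    if result.reference_count >= 1:
        result.documentation_status = "present"
    missing = [a for a in PROCEDURE_PATTERNS if a not in result.areas_found]
    result.detail = (
        "Physical protection practice PE.L1-3.10.5: outside scope of code-level "
        f"audit; documentation status: {result.documentation_status}"
        + (f"; undocumented areas: {', '.join(missing)}" if missing else "")
    )
    return result


# Constructed sample SECURITY.md using the remediation text from this page.
SAMPLE_SECURITY_MD = """# Security Policy

## Physical Access Devices (PE.L1-3.10.5)
- Badge and key inventory maintained and reviewed quarterly
- Devices issued only after background check approval; recorded in access registry
- Departing employees: badge deactivated and key retrieved on last working day
- Lost or stolen devices: reported to security within 4 hours; deactivated immediately
- Spare devices stored in locked cabinet accessible to facility manager only

## Incident Response
- Report incidents to security@example.invalid
"""

if __name__ == "__main__":
    r = assess_device_documentation(SAMPLE_SECURITY_MD)
    print(r.status, r.documentation_status, r.reference_count, r.areas_found)
    print(r.detail)
```

Because the section extractor stops at the next same-level heading, references in unrelated sections (an incident-response section that mentions "lost" laptops, say) do not inflate the count once a dedicated physical-access section exists; only when that section is missing does the whole file get scanned.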
    
