Physical access devices managed
Why it matters
CMMC 2.0 PE.L1-3.10.5 (NIST 800-171r2 3.10.5) requires that organizations manage physical access devices — keys, badges, and tokens — that control entry to FCI-processing areas. An untracked badge issued to a former employee, or a lost key with no revocation procedure, creates an indefinite physical access risk with no audit trail. Physical device management is a procedural control that cannot be evaluated through code inspection but is a required evidence item during any CMMC formal assessment.
Severity rationale
Low severity because physical device management is always skipped in code audits — it becomes a higher-severity finding if device revocation failures are discovered during a physical assessment.
Remediation
Document your physical access device management procedures in SECURITY.md. Assessors look for inventory, issuance, and revocation procedures:
## Physical Access Devices (PE.L1-3.10.5)
- Badge and key inventory maintained and reviewed quarterly
- Devices issued only after background check approval; recorded in access registry
- Departing employees: badge deactivated and key retrieved on last working day
- Lost or stolen devices: reported to security within 4 hours; deactivated immediately
- Spare devices stored in locked cabinet accessible to facility manager only
Tie device issuance and revocation to your HR offboarding checklist — the most common failure mode is delay between employment termination and badge deactivation.
Detection
- ID: physical-devices
- Severity: low
- CMMC Practice: PE.L1-3.10.5
- What to look for: This check evaluates physical facility controls that cannot be verified through code analysis and is automatically skipped. Count all physical device management references in documentation. Full CMMC Level 1 compliance requires at least 1 device management procedure covering: inventory of physical access devices (keys, badges, tokens), procedures for issuing and revoking devices, and processes for handling lost or stolen devices.
- Pass criteria: This check is automatically skipped because physical facility controls cannot be verified through code inspection alone. If physical security documentation exists, at least 1 reference to device management procedures is present. Report even on skip: "Physical device management documentation status: [present/absent]."
- Fail criteria: This check cannot fail through code inspection — it is automatically skipped. Physical facility inspection is required for PE.L1-3.10.5 compliance. Example: "PE.L1-3.10.5 cannot be evaluated through code — requires physical site audit"
- Skip (N/A) when: ALWAYS — this check evaluates physical facility controls that cannot be verified through code inspection.
- Detail on skip: "Physical protection practice PE.L1-3.10.5 — control and manage physical access devices. Outside scope of code-level audit. Assess through physical facility inspection."
- Remediation: Document your device management procedures in SECURITY.md:
  ## Physical Access Devices
  - Badge inventory reviewed quarterly
  - Lost/stolen badges deactivated within 24 hours
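The detection entry above describes a check that always reports SKIP but still counts device-management references in documentation and reports a present/absent status. The following is an added example, not code from the gov-cmmc-level-1 rule set or any scanner; it implements that probe over an inline SECURITY.md text. The keyword vocabulary, the result dictionary layout and both sample documents are assumptions constructed for this example.

```python
"""Added example: a documentation probe for PE.L1-3.10.5 (physical-devices).

The check never passes or fails on code alone; it always returns a skip
result, but it still reports whether SECURITY.md documents physical access
device management and which of the three required coverage areas
(inventory, issue/revoke, lost/stolen) are mentioned.
"""
import json
import re

CHECK_ID = "physical-devices"
PRACTICE = "PE.L1-3.10.5"
SEVERITY = "low"

# A line is only counted if it names a physical access device ...
# (assumption: this vocabulary is an example choice, not the scanner's own)
DEVICE_TERMS = re.compile(r"\b(badge|key|token|fob|device)s?\b", re.I)

# ... and touches one of the three coverage areas the check requires.
COVERAGE_AREAS = {
    "inventory": re.compile(r"\b(inventory|registry|register)\b", re.I),
    "issue_revoke": re.compile(
        r"\b(issu(e|ed|ance)|revok(e|ed|ation)|deactivat(e|ed|ion)|retriev(e|ed|al))\b",
        re.I,
    ),
    "lost_stolen": re.compile(r"\b(lost|stolen|missing)\b", re.I),
}

# Constructed sample: the remediation snippet recommended on this page.
SAMPLE_SECURITY_MD = """\
## Physical Access Devices (PE.L1-3.10.5)
- Badge and key inventory maintained and reviewed quarterly
- Devices issued only after background check approval; recorded in access registry
- Departing employees: badge deactivated and key retrieved on last working day
- Lost or stolen devices: reported to security within 4 hours; deactivated immediately
- Spare devices stored in locked cabinet accessible to facility manager only
"""

# Constructed sample: a SECURITY.md with no physical device procedures.
BARE_SECURITY_MD = """\
# Security Policy
Report vulnerabilities to security@example.com (constructed address).
Encryption keys are rotated every 90 days.
"""


def find_references(doc_text):
    """Return (reference_count, coverage) for one document's text.

    A reference is a line that names a device AND matches at least one
    coverage area; coverage records which areas were seen at all.
    """
    count = 0
    coverage = {area: False for area in COVERAGE_AREAS}
    for line in doc_text.splitlines():
        if not DEVICE_TERMS.search(line):
            continue
        hits = [area for area, pat in COVERAGE_AREAS.items() if pat.search(line)]
        if hits:
            count += 1
            for area in hits:
                coverage[area] = True
    return count, coverage


def evaluate(doc_text):
    """Run the check: always 'skip', but with the documentation status attached."""
    count, coverage = find_references(doc_text)
    doc_status = "present" if count >= 1 else "absent"
    return {
        "id": CHECK_ID,
        "practice": PRACTICE,
        "severity": SEVERITY,
        # Physical controls are never verifiable from code, so the result is fixed.
        "result": "skip",
        "reason": f"{PRACTICE} cannot be evaluated through code - requires physical site audit",
        "doc_status": doc_status,
        "references": count,
        "coverage": coverage,
        "missing_coverage": [area for area, seen in coverage.items() if not seen],
        "message": f"Physical device management documentation status: {doc_status}",
    }


if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_SECURITY_MD), ("bare", BARE_SECURITY_MD)):
        print(name, json.dumps(evaluate(doc), indent=2))
```

The `key` term is deliberately included because physical keys are in scope, but it also matches "encryption keys" or "API keys"; the bare sample shows that a device word alone is not counted, only a line that also mentions an inventory, issue/revoke or lost/stolen procedure. A reviewer reading the skip output should still treat `doc_status: present` as a documentation signal, not as evidence that the procedures are followed; that remains a physical site audit item.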
External references
- cmmc:2.0 · PE.L1-3.10.5 — Manage Physical Access Devices
- nist:rev2 · SP-800-171 3.10.5 — Control and manage physical access devices
Taxons
History
- 2026-04-18·v1.0.0·Initial import from gov-cmmc-level-1·automated