CMMC practice PE.L2-3.10.5, drawn from NIST SP 800-171 Rev 2 requirement 3.10.5, mandates that organizations identify all physical access devices — including keys, key cards, proximity badges, PIN codes, biometric readers, and combination locks — used to control entry to facilities housing CUI or organizational systems. Organizations must control these devices by establishing formal issuance and return procedures, limiting distribution to authorized individuals, and ensuring no unaccounted copies or credentials exist. Management of these devices involves maintaining an inventory, performing periodic audits, promptly revoking access upon personnel changes or device loss, and documenting all device transactions. The practice applies to both electronic and mechanical access control mechanisms and requires that the entire device lifecycle — from procurement through decommissioning — be governed by policy. This requirement directly supports NIST SP 800-171 Security Requirement 3.10.5 and aligns with the broader Physical Protection domain objective of preventing unauthorized physical access to CUI environments.
Where it stops · what it isn't
- This practice does not govern logical/digital authentication mechanisms such as passwords, MFA tokens for IT systems, or network access credentials; those fall under Access Control (AC) domain practices.
- This practice does not address the installation or maintenance of physical security infrastructure such as fences, walls, or CCTV systems; those are covered under PE.L2-3.10.1 and PE.L2-3.10.2.
- This practice does not cover visitor management or escort procedures, which are addressed separately under PE.L2-3.10.3.
- This practice does not extend to protecting CUI in transit or during shipment; that falls under Media Protection (MP) domain practices.
- This practice does not define the authorization decisions for who receives access; it governs the devices used to enforce those decisions, not the access authorization policy itself.