NetStable
Level 2 PE.L2-3.10.5

Control and manage physical access devices

📖 What This Means

This control requires organizations to properly manage physical access devices like key cards, badges, and biometric scanners that protect areas where Controlled Unclassified Information (CUI) is stored or processed. It means ensuring only authorized personnel have access, tracking who enters secure areas, and regularly reviewing access permissions. For example, a defense contractor might use badge readers at server room entrances and maintain logs of all badge swipes. Another example would be deactivating a lost key card within 24 hours to prevent unauthorized access. The goal is to prevent physical breaches that could compromise sensitive data.

🎯 Why It Matters

Uncontrolled physical access devices create significant security risks. A 2021 Verizon report found that 21% of data breaches involved physical security failures. In one real incident, an unauthorized individual gained access to a defense contractor's facility using a stolen badge, resulting in $500,000 in equipment theft and CUI exposure. The DoD prioritizes this control because physical access breaches can bypass all digital security measures. Proper management of access devices prevents tailgating and unauthorized entry, and makes it easier to investigate security incidents. The average cost of a physical security breach in the defense sector exceeds $300,000 when considering investigation, remediation, and potential contract impacts.

How to Implement

  1. For cloud data centers: Require your CSP to provide SOC 2 Type II reports showing their physical access controls
  2. Implement multi-factor authentication for physical access to any on-premise equipment connecting to cloud systems
  3. Maintain an access control matrix showing which personnel can enter server rooms with cloud access points
  4. Configure cloud monitoring tools (like AWS GuardDuty) to alert when physical access patterns change
  5. Document all physical access points to cloud-connected infrastructure in your system security plan

⏱️ Estimated Effort

Initial implementation: 40-60 hours (IT security staff). Ongoing: 4-8 hours monthly for reviews and maintenance. Skill level required: Basic physical security knowledge for implementation, intermediate for configuration.

📋 Evidence Examples

Physical Access Control Policy

Format: PDF/DOCX
Frequency: Annual review, update when systems change
Contents: Documented procedures for issuing, revoking, and auditing physical access devices
Collection: Export from document management system

Badge Inventory Report

Format: CSV/PDF
Frequency: Monthly
Contents: Current list of all active badges with assignment dates and access levels
Collection: Export from access control system

Access Log Samples

Format: CSV with screenshots
Frequency: Quarterly audits
Contents: 30 days of entry/exit logs showing date, time, location, and badge ID
Collection: System export with verification of log integrity

Badge Deactivation Records

Format: Ticket system logs
Frequency: Per incident
Contents: Documentation of lost/stolen badge reports and timely deactivation
Collection: Extract from help desk system

Access Control System Configuration

Format: Screenshots + text export
Frequency: After configuration changes
Contents: Settings showing authentication requirements and log retention periods
Collection: Admin console exports

📝 SSP Guidance

Use this guidance when writing the System Security Plan (SSP) narrative for this control.

How to Write the SSP Narrative

For PE.L2-3.10.5 ("Control and manage physical access devices"), your SSP narrative should specifically describe: (1) the tools and technologies you use to implement this control, (2) the configuration or process that enforces it, (3) who is responsible for maintaining it, and (4) what evidence proves it is working. Describe the physical security controls protecting CUI systems, including badge access, visitor management, physical access logging, and alternate work site requirements. Be specific: name your actual products, settings, and responsible personnel.

Example SSP Narratives

Cloud (Azure/AWS)

"PE.L2-3.10.5 is implemented using cloud-native controls. [Organization] uses [specific cloud service/feature] to control and manage physical access devices. The configuration is managed through [Azure Policy/AWS Config/Terraform] and monitored via [SIEM tool]. Responsible party: [IT Security Manager]. Evidence: [specific artifact, e.g., 'Azure AD Conditional Access policy screenshot, CloudTrail logs']."

On-Premise

"PE.L2-3.10.5 is implemented through on-premise infrastructure controls. [Organization] uses [Active Directory/Group Policy/specific tool] to control and manage physical access devices. Configuration is documented in [location] and audited [frequency]. Responsible party: [System Administrator]. Evidence: [specific artifact, e.g., 'Group Policy export, Windows Event logs']."

Hybrid

"PE.L2-3.10.5 is implemented across both cloud and on-premise environments. [Organization] uses [Azure AD Connect/hybrid tool] to ensure consistent enforcement. Cloud resources are managed via [cloud tool] and on-premise systems via [on-prem tool]. Both environments report to [centralized SIEM]. Responsible party: [IT Director]. Evidence: [artifacts from both environments]."

System Boundary Considerations

  • Identify all physical locations where CUI is processed or stored
  • Document physical access control mechanisms (badge readers, locks, cameras)
  • Specify CUI area boundaries within each facility
  • Ensure this control covers all systems within your defined CUI boundary where physical access devices must be controlled and managed
  • Document any systems where this control is not applicable and explain why

Key Documentation to Reference in SSP

  • 📄 Physical Protection Policy
  • 📄 Badge access logs
  • 📄 Visitor logs
  • 📄 Alternate work site approval forms
  • 📄 Evidence artifacts specific to PE.L2-3.10.5
  • 📄 POA&M entry if control is not fully implemented

What the Assessor Looks For

The assessor will physically inspect CUI areas, test badge access controls, review visitor logs, and verify that terminated employees' badges are deactivated promptly.

💬 Self-Assessment Questions

Use these questions to assess your compliance. Each "NO" answer provides specific remediation guidance.

Question 1: Do we maintain a complete inventory of all physical access devices?

✅ YES → Proceed to Q2
❌ NO → GAP: Create device inventory within 2 weeks. Start with facility walkthrough and system reports.
Remediation: Template available in NIST SP 800-53 Appendix F

Question 2: Is there a documented process to deactivate lost/stolen badges within 4 business hours?

✅ YES → Proceed to Q3
❌ NO → GAP: Implement emergency deactivation procedure within 1 week. Train HR and security staff.
Remediation: Sample procedure: 1) employee reports loss to security; 2) security verifies identity; 3) system admin deactivates badge; 4) log the incident

Question 3: Are access logs retained for at least 90 days and reviewed quarterly?

✅ YES → Proceed to Q4
❌ NO → GAP: Configure system logging immediately. Schedule first quarterly review within 30 days.
Remediation: Most systems have auto-purge settings; verify they are set to 90+ days

Question 4: Are visitor access records maintained for all CUI areas?

✅ YES → Proceed to Q5
❌ NO → GAP: Implement visitor log system within 2 weeks. Paper logs acceptable if digitized monthly.
Remediation: Minimum fields: name, company, date, time in/out, escort name, purpose

Question 5: Have all physical access controls been tested within the last 6 months?

✅ YES → COMPLIANT
❌ NO → GAP: Schedule penetration test of physical controls within 30 days. Document results.
Remediation: Test should include tailgating attempts and after-hours access trials

⚠️ Common Mistakes (What Auditors Flag)

1. Failing to document visitor access

Why this happens: Assuming escorted visitors don't need logging
How to avoid: Require all visitors to sign in, even when escorted. Use automated kiosks for efficiency.

2. Not testing badge deactivation

Why this happens: Assuming system works as configured
How to avoid: Quarterly tests: 1) deactivate a test badge; 2) verify access is denied; 3) document results

3. Inconsistent access reviews

Why this happens: No calendar reminders for periodic reviews
How to avoid: Schedule recurring reviews in company calendar with multiple stakeholders

4. Poor badge custody tracking

Why this happens: No process for collecting badges from terminated employees
How to avoid: Add badge return to termination checklist. Have HR verify before final paycheck.

5. Inadequate log retention

Why this happens: Default system settings purge logs too quickly
How to avoid: Configure systems for 90+ day retention. Export logs monthly for archival.
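The following is an added example, not NetStable's tooling or any access control vendor's export: a reviewer's cross-check of the three CSV evidence items listed above (badge inventory, deactivation records, access log) that flags the gaps behind Questions 1 to 3 and mistakes 2 and 5. Column names, badge IDs and timestamps are constructed assumptions; a real system's export will use its own schema.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample evidence (not from the page), in the CSV shapes the evidence list describes.
INVENTORY_CSV = """badge_id,holder,areas,assigned
B1001,A. Rivera,lobby;server_room,2024-01-10
B1002,J. Chen,lobby,2024-02-02
B1003,M. Okafor,lobby;server_room,2024-03-15
"""
DEACTIVATION_CSV = """badge_id,deactivated_at,reason
B1003,2024-06-03T09:30:00,reported lost
"""
ACCESS_LOG_CSV = """timestamp,location,badge_id,result
2024-06-01T08:05:00,server_room,B1001,granted
2024-06-03T11:12:00,server_room,B1003,granted
2024-06-04T18:40:00,server_room,B1002,granted
2024-06-05T07:55:00,server_room,B9999,granted
2024-06-28T09:00:00,server_room,B1001,granted
"""

def parse(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))

def audit(inventory_csv, deactivation_csv, log_csv, now_iso, retention_days=90):
    """Cross-check granted entries against the inventory and deactivation records.
    Returns (finding, badge_id, detail) tuples for the quarterly reviewer."""
    now = datetime.fromisoformat(now_iso)
    inventory = {r["badge_id"]: set(r["areas"].split(";")) for r in parse(inventory_csv)}
    deactivated = {r["badge_id"]: datetime.fromisoformat(r["deactivated_at"])
                   for r in parse(deactivation_csv)}
    findings, timestamps = [], []
    for e in parse(log_csv):
        ts = datetime.fromisoformat(e["timestamp"])
        timestamps.append(ts)
        bid = e["badge_id"]
        if e["result"] != "granted":
            continue
        if bid not in inventory:            # badge missing from the inventory (Q1)
            findings.append(("unknown_badge", bid, e["timestamp"]))
        elif bid in deactivated and ts >= deactivated[bid]:   # deactivation not effective (mistake 2)
            findings.append(("entry_after_deactivation", bid, e["timestamp"]))
        elif e["location"] not in inventory[bid]:   # entry outside the access control matrix
            findings.append(("area_not_authorized", bid, e["location"]))
    # Oldest surviving entry shows how far back the system keeps logs (Q3, mistake 5);
    # assumes the system has been in service longer than the retention period.
    if timestamps and now - min(timestamps) < timedelta(days=retention_days):
        findings.append(("retention_window_short", "*", f"{(now - min(timestamps)).days} days"))
    return findings
```

Run `audit(INVENTORY_CSV, DEACTIVATION_CSV, ACCESS_LOG_CSV, "2024-07-01")` to see one finding of each kind; the B1003 entry 102 minutes after its recorded deactivation is exactly what the quarterly deactivation test in mistake 2 is meant to catch.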

📚 Parent Policy

This practice is governed by the Physical Protection Policy.
