This post explains how to implement an audit-ready physical access devices program to meet NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 control PE.L2-3.10.5, with a practical checklist, technical specifics, small-business scenarios, and the types of evidence auditors expect.
Key objectives and high-level requirements
PE.L2-3.10.5 requires organizations to control physical access devices so only authorized personnel can gain physical entry to areas where Controlled Unclassified Information (CUI) or other sensitive assets are stored or processed; the Compliance Framework requires documented policies, an inventory, lifecycle controls for devices (badges, readers, keys, PIV/CAC, mobile credentials), procedures for provisioning and deprovisioning, secure communications between readers and controllers, and retention of access evidence for audits.
Implementation checklist — step-by-step
1) Inventory and classification
Start by building a definitive inventory of all physical access devices and related components: badge types (proximity, MIFARE DESFire, PIV), readers (Wiegand vs OSDP-capable), controllers, door locks (maglocks, electrified strikes), keys, biometric scanners, and mobile credential services. Capture asset identifiers, firmware versions, location, responsible owner, and whether the device protects CUI. Maintain this inventory in a CMDB or spreadsheet with change history for audit evidence.
2) Enrollment, provisioning and deprovisioning procedures
Document and implement enrollment workflows: identity proofing steps, role-based access profiles, least-privilege assignment, and time-bound credentials for contractors. Implement a single authoritative process (HR/IDPS ticket) for onboarding and an automated deprovisioning workflow triggered by HR or IAM events. Maintain issuance logs with timestamps, approver names, and serial numbers of issued badges or keys; these logs are frequently requested during audits.
3) Secure communications, cryptography and technical controls
Use modern secure protocols: prefer OSDP Secure Channel for reader-to-controller communication over legacy unencrypted Wiegand; enforce TLS 1.2/1.3 for cloud controllers and mobile credential APIs. Require encrypted credentials (e.g., DESFire EV2/EV3 or PIV certificates) rather than raw proximity numbers. Maintain key-management procedures for symmetric keys (secure storage, rotation schedule) or PKI for certificate-based credentials; record firmware versions and apply security patches on a regular schedule with documented change tickets.
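The inventory fields from step 1 and the technical baseline from step 3 can be turned into a repeatable posture check. The following is an added example, not code from the original post or from any PACS vendor: it models the inventory as records, applies three constructed rules (no unencrypted reader protocol on a CUI door, no raw proximity credentials on a CUI door, firmware no older than a patch cadence) and keeps a before/after change history for each record. Asset identifiers, protocol names, firmware versions, dates and thresholds are all constructed for illustration.

```python
"""Posture check over a physical access device inventory (added example, constructed data)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date


@dataclass
class AccessDevice:
    asset_id: str
    kind: str             # reader, controller, lock, biometric, ...
    location: str
    owner: str
    protects_cui: bool    # does this device guard an area holding CUI?
    protocol: str         # reader-to-controller link: "wiegand", "osdp", "osdp-sc", "n/a"
    credential_tech: str  # "prox125k", "desfire-ev2", "piv", "n/a"
    firmware: str
    firmware_date: date   # release date of the installed firmware
    history: list = field(default_factory=list)  # change history retained as audit evidence


# Constructed sample inventory; every value is hypothetical.
INVENTORY = [
    AccessDevice("RDR-001", "reader", "Lab A front door", "facilities", True,
                 "osdp-sc", "desfire-ev2", "3.4.1", date(2024, 3, 10)),
    AccessDevice("RDR-002", "reader", "Lab A rear door", "facilities", True,
                 "wiegand", "prox125k", "1.9.0", date(2021, 7, 2)),
    AccessDevice("RDR-003", "reader", "Lobby", "facilities", False,
                 "wiegand", "prox125k", "2.0.3", date(2023, 11, 20)),
    AccessDevice("CTL-001", "controller", "Server closet", "it", True,
                 "n/a", "n/a", "7.2.0", date(2022, 12, 1)),
]

# Baseline the program commits to in its SOP (constructed thresholds).
LEGACY_PROTOCOLS = {"wiegand"}      # unencrypted reader-to-controller links
WEAK_CREDENTIALS = {"prox125k"}     # raw proximity numbers with no cryptography
MAX_FIRMWARE_AGE_DAYS = 365         # firmware older than this needs a patch review
AUDIT_DATE = date(2024, 6, 1)       # fixed "today" so the example is reproducible


def audit_device(dev: AccessDevice, today: date = AUDIT_DATE) -> list[str]:
    """Return human-readable findings for one device; empty list means compliant."""
    findings = []
    if dev.protects_cui and dev.protocol in LEGACY_PROTOCOLS:
        findings.append("CUI door uses an unencrypted reader protocol; migrate to OSDP Secure Channel")
    if dev.protects_cui and dev.credential_tech in WEAK_CREDENTIALS:
        findings.append("CUI door accepts raw proximity credentials; require DESFire or PIV")
    if (today - dev.firmware_date).days > MAX_FIRMWARE_AGE_DAYS:
        findings.append(f"firmware {dev.firmware} is older than {MAX_FIRMWARE_AGE_DAYS} days; check for patches")
    return findings


def audit_inventory(inventory: list[AccessDevice], today: date = AUDIT_DATE) -> dict[str, list[str]]:
    """Map asset_id -> findings for every device that has at least one finding."""
    result = {}
    for dev in inventory:
        findings = audit_device(dev, today)
        if findings:
            result[dev.asset_id] = findings
    return result


def record_change(dev: AccessDevice, when: date, who: str, field_name: str, new_value, ticket: str) -> None:
    """Apply an inventory change and keep the before/after pair plus the change ticket."""
    old_value = getattr(dev, field_name)
    dev.history.append({"date": when.isoformat(), "by": who, "field": field_name,
                        "old": old_value, "new": new_value, "ticket": ticket})
    setattr(dev, field_name, new_value)


if __name__ == "__main__":
    for asset, findings in audit_inventory(INVENTORY).items():
        for finding in findings:
            print(f"{asset}: {finding}")
```

Run monthly, the output of `audit_inventory` is the remediation list, and the `history` entries on each record are the change evidence an auditor asks for when a finding is later closed.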
4) Monitoring, logging, and evidence collection
Integrate access logs into a centralized logging solution or SIEM; capture reader events, door open/close, forced-entry/tamper alarms, and admin console access. Define retention policies—practical small-business defaults are 90–365 days for access logs and 30–90 days for CCTV, but align with contract requirements and organizational retention policies. Produce regular (monthly/quarterly) access reviews with documented remediation actions and store copies of review reports, CCTV extracts for incidents, ticket references, and signed SOPs for auditors.
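Once reader events land in a SIEM, the monthly review is easiest when the checks are written down as rules. The following is an added example, not code from the original post or from any PACS or SIEM product: it parses a constructed CSV export of reader events and applies four detection rules (tamper or forced-door alarms, a burst of denials on one credential, after-hours entry at a CUI door, and a grant to a credential that the IAM export says is no longer active, which points at a controller sync failure). The log format, reader names, credential identifiers, business hours and thresholds are assumptions for illustration.

```python
"""Detection rules over constructed PACS access-log lines (added example)."""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, time, timedelta

# Constructed sample export: timestamp,reader,credential,holder,event
SAMPLE_LOG = """\
2024-06-03T08:55:10,LabA-Front,CRD-1001,alice,GRANTED
2024-06-03T09:02:41,LabA-Front,CRD-1002,bob,GRANTED
2024-06-03T12:15:00,LabA-Front,CRD-2001,carol,GRANTED
2024-06-03T22:40:05,LabA-Front,CRD-1002,bob,GRANTED
2024-06-03T23:01:12,LabA-Rear,CRD-3999,unknown,DENIED
2024-06-03T23:01:20,LabA-Rear,CRD-3999,unknown,DENIED
2024-06-03T23:01:27,LabA-Rear,CRD-3999,unknown,DENIED
2024-06-03T23:01:35,LabA-Rear,CRD-3999,unknown,DENIED
2024-06-03T23:05:44,LabA-Rear,-,-,DOOR_FORCED
2024-06-04T07:30:00,Lobby,CRD-1003,dave,GRANTED
"""

CUI_READERS = {"LabA-Front", "LabA-Rear"}            # readers protecting the CUI lab
BUSINESS_HOURS = (time(7, 0), time(19, 0))           # allowed window for CUI doors
DENIED_THRESHOLD = 3                                 # denials per credential ...
DENIED_WINDOW = timedelta(minutes=5)                 # ... inside this window raise an alert
ALWAYS_ALERT = {"DOOR_FORCED", "TAMPER"}             # physical alarms are always findings
# Active credential set as exported from IAM/PACS; CRD-2001 was deactivated (constructed).
ACTIVE_CREDENTIALS = {"CRD-1001", "CRD-1002", "CRD-1003"}


def parse_log(text: str) -> list[dict]:
    """Parse the CSV export into event dicts with real datetime objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, reader, cred, holder, event = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "reader": reader,
                       "cred": cred, "holder": holder, "event": event})
    return events


def detect(events: list[dict]) -> list[tuple[str, str]]:
    """Return (rule, detail) pairs for every event that violates a rule."""
    findings = []
    denied_by_cred: dict[str, list[datetime]] = defaultdict(list)
    for ev in events:
        stamp = f"{ev['ts'].isoformat()} {ev['reader']}"
        if ev["event"] in ALWAYS_ALERT:
            findings.append(("physical_alarm", f"{stamp} {ev['event']}"))
        if ev["event"] == "GRANTED":
            if ev["cred"] not in ACTIVE_CREDENTIALS:
                findings.append(("inactive_credential_granted",
                                 f"{stamp} {ev['cred']} ({ev['holder']}) not in active set"))
            in_hours = BUSINESS_HOURS[0] <= ev["ts"].time() <= BUSINESS_HOURS[1]
            if ev["reader"] in CUI_READERS and not in_hours:
                findings.append(("after_hours_cui_access", f"{stamp} {ev['cred']} ({ev['holder']})"))
        if ev["event"] == "DENIED":
            # Keep only denials inside the sliding window, then alert once when the
            # count reaches the threshold (later denials in the same burst stay quiet).
            recent = [t for t in denied_by_cred[ev["cred"]] if ev["ts"] - t <= DENIED_WINDOW]
            recent.append(ev["ts"])
            denied_by_cred[ev["cred"]] = recent
            if len(recent) == DENIED_THRESHOLD:
                findings.append(("repeated_denials",
                                 f"{stamp} {ev['cred']} denied {DENIED_THRESHOLD}x within {DENIED_WINDOW}"))
    return findings


if __name__ == "__main__":
    for rule, detail in detect(parse_log(SAMPLE_LOG)):
        print(f"{rule:28} {detail}")
```

Each finding is a ticket candidate; storing the rule name with the exported evidence lines gives the reviewer a traceable path from "we review access logs" to the specific events that were investigated.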
Real-world examples and small-business scenarios
Example 1: A 70-employee engineering firm storing CUI in a locked lab implements proximity badges with time-of-day restrictions, an enrollment kiosk backed by ID checks, and automated deprovisioning linked to HR termination events; evidence includes badge issuance spreadsheets, HR ticket IDs, and monthly access-review emails.
Example 2: A small DoD subcontractor uses a cloud-based PACS (e.g., Kisi or Brivo) and integrates it with Azure AD via SAML/SCIM for provisioning; it maintains firmware update logs, deploys OSDP-capable readers for secure communications, and retains logs in a cloud SIEM for 12 months to satisfy prime contractor audits.
Compliance tips, best practices and risks of not implementing
Best practices: adopt least privilege and role-based physical access; implement multi-factor physical controls for high-risk areas (badge + PIN or biometric); use tamper-evident labeling and serial-numbered credentials; test deprovisioning monthly with sample audit queries; and run tabletop incident response exercises involving lost or stolen badges. Risks of non-compliance: unauthorized access, exfiltration of CUI, contract breaches, audit findings, financial penalties, and loss of future government contracts, plus real-world consequences such as adversary lateral movement after physical entry.
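The deprovisioning workflow in step 2 and the "test deprovisioning monthly with sample audit queries" practice above come down to one reconciliation: every active PACS credential must map to a person who is still entitled to it. The following is an added example, not code from the original post or from any HR, IAM or PACS product: it joins a constructed HR roster to a constructed PACS credential export and reports credentials still active after a termination (beyond a 24-hour SLA), contractor credentials past the contract end date, and orphan credentials with no HR record at all. The issuance fields (serial, approver, ticket) mirror the issuance-log evidence step 2 calls for; all names, dates, tickets and the SLA are assumptions.

```python
"""Monthly stale-credential reconciliation between HR and PACS (added example, constructed data)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Person:
    user: str
    kind: str                 # "employee" or "contractor"
    status: str               # "active" or "terminated"
    end_date: Optional[date]  # termination date, or contract end date for contractors


@dataclass(frozen=True)
class Credential:
    serial: str     # serial number of the issued badge or key
    user: str       # holder as recorded in the PACS
    active: bool
    issued: date
    approver: str   # who approved issuance (issuance-log evidence)
    ticket: str     # onboarding ticket reference (issuance-log evidence)


# Constructed HR roster export.
HR_ROSTER = [
    Person("alice", "employee", "active", None),
    Person("bob", "employee", "terminated", date(2024, 5, 15)),
    Person("carol", "contractor", "active", date(2024, 5, 31)),   # contract has ended
    Person("dave", "contractor", "active", date(2024, 12, 31)),
]

# Constructed PACS credential export.
PACS_CREDENTIALS = [
    Credential("B-0001", "alice", True, date(2023, 1, 9), "jsmith", "HR-1001"),
    Credential("B-0002", "bob", True, date(2023, 2, 1), "jsmith", "HR-1002"),    # still active after termination
    Credential("B-0003", "carol", True, date(2024, 1, 8), "jsmith", "HR-1003"),  # contractor past end date
    Credential("B-0004", "dave", True, date(2024, 1, 8), "jsmith", "HR-1004"),
    Credential("B-0005", "erin", True, date(2022, 6, 1), "unknown", "-"),        # no HR record: orphan
    Credential("B-0006", "bob", False, date(2022, 6, 1), "jsmith", "HR-0900"),   # correctly deactivated
]

DEPROVISION_SLA = timedelta(hours=24)   # credential must be off within a day of termination
AUDIT_DATE = date(2024, 6, 3)           # fixed "today" so the example is reproducible


def stale_credentials(roster: list[Person], credentials: list[Credential],
                      today: date = AUDIT_DATE) -> list[tuple[str, str, str]]:
    """Return (serial, rule, detail) for every active credential that should not be."""
    people = {p.user: p for p in roster}
    findings = []
    for cred in credentials:
        if not cred.active:
            continue
        person = people.get(cred.user)
        if person is None:
            findings.append((cred.serial, "orphan",
                             f"active credential for '{cred.user}' with no HR record (approver {cred.approver})"))
        elif person.status == "terminated" and person.end_date is not None \
                and today - person.end_date > DEPROVISION_SLA:
            overdue = (today - person.end_date).days
            findings.append((cred.serial, "terminated_holder",
                             f"{cred.user} terminated {person.end_date.isoformat()}, deactivation overdue by {overdue} days"))
        elif person.kind == "contractor" and person.end_date is not None and today > person.end_date:
            findings.append((cred.serial, "expired_contract",
                             f"{cred.user} contract ended {person.end_date.isoformat()}"))
    return findings


def review_report(findings: list[tuple[str, str, str]], today: date = AUDIT_DATE) -> str:
    """Format the findings as the text of a periodic access-review report."""
    lines = [f"Physical access credential review {today.isoformat()}: {len(findings)} finding(s)"]
    for serial, rule, detail in findings:
        lines.append(f"  {serial} [{rule}] {detail}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(review_report(stale_credentials(HR_ROSTER, PACS_CREDENTIALS)))
```

The report text is the artifact to file with the review; the remediation ticket for each serial closes the loop, and a clean run the following month is the evidence that the deprovisioning trigger works.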
Audit evidence and show-me artifacts
Prepare these artifacts before the auditor asks: the device inventory with change history, SOPs for provisioning/deprovisioning signed by leadership, badge issuance/deactivation logs with approver names, firmware and patch logs, access logs exported for requested date ranges, CCTV clips for incident samples, key-management documents (rotation and escrow), and sample incident tickets showing investigation and remediation. Also include periodic access review reports and training records for staff who manage physical access.
Summary: By implementing a controlled lifecycle for physical access devices—inventory, secure enrollment, secure communications, logging, periodic review, and documented evidence—you can meet PE.L2-3.10.5 requirements under the Compliance Framework and be prepared for audits; start with a prioritized inventory and automated deprovisioning to reduce the largest real-world risk: stale credentials that grant unwanted access.