This post gives a practical, step-by-step checklist and concrete implementation details to help you meet NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 control PE.L2-3.10.5 — Control and manage physical access devices — with real-world examples, low-cost options for small businesses, and clear evidence you can use for an SSP and POA&M.
What PE.L2-3.10.5 requires (objectives and scope)
At a high level, PE.L2-3.10.5 requires that organizations control, inventory, secure, and manage physical access devices (badge readers, biometric scanners, token dispensers, lock controllers, badge printers, spare keys/cards, and any IP-connected access devices) so that unauthorized physical access to Controlled Unclassified Information (CUI) and critical systems is prevented, detected, and auditable. For compliance you must demonstrate policies, operational procedures, device configuration baselines, lifecycle management (issuance, revocation, disposal), and monitoring/logging that together reduce risk of physical access compromise.
Practical step-by-step checklist (actionable items)
1) Inventory and assign ownership: Create a canonical inventory (CSV/CMDB) of every physical access device that includes model, serial, firmware, IP/MAC, physical location, controller ID, owner (person/team), installation date, and last firmware update. Example: "Server room door—HID EdgeReader 3000—Serial X—IP 10.10.10.22—Owner: Facilities." Evidence: inventory export and screenshot stored in your SSP.
2) Baseline and harden device configurations: For each device apply a configuration baseline: disable unused services (Telnet, UPnP), enable HTTPS/TLS 1.2+ for management, use certificate-based authentication where supported, change default admin accounts and passwords, restrict SSH to key-based auth, and limit management access to a management VLAN and specific jump host IPs. Use SNMPv3 or disable SNMP; if syslog is available, forward logs securely to your SIEM/syslog-ng on port 6514 (syslog over TLS).
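As an added example (not code from the original post), the script below runs the step-1 inventory export against the step-2 baseline and emits per-device findings you can carry straight into a POA&M. The CSV column names, the sample rows (other than the server-room reader's model, serial and IP, which come from the post) and the thresholds are assumptions to be mapped to your own CMDB export and policy.

```python
import csv
import io
from datetime import date

# Constructed inventory export; only the first row's model/serial/IP come from the post.
# Column names and the baseline thresholds are assumptions: map them to your CMDB export.
INVENTORY_CSV = """\
device_id,model,serial,ip,owner,firmware_date,mgmt_https,mgmt_http,telnet,snmp_version,default_admin_changed,tls_min
server-room-door,HID EdgeReader 3000,X,10.10.10.22,Facilities,2024-11-02,yes,no,no,3,yes,1.2
lobby-reader,ExampleReader,Y,10.10.10.23,Facilities,2023-01-15,yes,yes,no,2c,no,1.0
badge-printer,ExamplePrinter,Z,10.10.10.30,IT,2024-08-20,yes,no,yes,none,yes,1.2
"""
AS_OF = date(2025, 3, 1)          # audit date used for the firmware-age check
MAX_FIRMWARE_AGE_DAYS = 365       # assumed patch cadence; take it from your policy


def check_device(row, today):
    """Compare one inventory row to the baseline; return a list of findings (empty = compliant)."""
    findings = []
    if row["mgmt_http"] == "yes":
        findings.append("plaintext HTTP management enabled")
    if row["mgmt_https"] != "yes":
        findings.append("HTTPS management not enabled")
    if row["telnet"] == "yes":
        findings.append("Telnet enabled")
    if row["snmp_version"] not in ("3", "none"):
        findings.append(f"SNMP v{row['snmp_version']} in use (baseline: v3 or disabled)")
    if row["default_admin_changed"] != "yes":
        findings.append("default admin account/password unchanged")
    if float(row["tls_min"]) < 1.2:
        findings.append(f"TLS minimum {row['tls_min']} below 1.2")
    age = (today - date.fromisoformat(row["firmware_date"])).days
    if age > MAX_FIRMWARE_AGE_DAYS:
        findings.append(f"firmware {age} days old (limit {MAX_FIRMWARE_AGE_DAYS})")
    return findings


def audit_inventory(csv_text, today):
    """Return {device_id: findings} for every non-compliant device; this is the POA&M input."""
    results = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings = check_device(row, today)
        if findings:
            results[row["device_id"]] = findings
    return results


if __name__ == "__main__":
    for device, issues in audit_inventory(INVENTORY_CSV, AS_OF).items():
        print(device, "->", "; ".join(issues))
```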
Operational controls and lifecycle
3) Badge/token lifecycle and procedures: Document and enforce badge issuance, modification, suspension, and termination workflows tied into HR/offboarding. Maintain a signed request form for every issued badge, require two-person authorization for access to high-risk areas, and record lost/stolen badge incidents. Practical small-business example: integrate badge termination with AD account disable via a simple automation script or Zapier workflow so badges are locked within minutes of termination.
4) Patch, firmware, and supplier management: Maintain firmware update records and apply security patches on a scheduled cadence (test in staging if possible). For networked readers, isolate them on a dedicated VLAN with ACLs allowing only the access controller and monitoring servers. Track vendor maintenance contracts and require maintenance personnel to be escorted and logged when accessing CUI areas.
Monitoring, logging, and evidence collection
5) Logging, monitoring, and retention: Configure access devices and controllers to log events (door open/close, failed authentication attempts, admin changes, tamper alerts) and forward all logs to a central collector or SIEM. Set retention per your policy (common practice: 90 days online, 1 year archived). Include NTP configuration to protect timestamps. Evidence for assessors: exported logs, SIEM alerts, and screenshots of log-forwarding configuration.
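The detection logic a SIEM or collector would run over the forwarded controller events, as an added example that is not part of the original post: it flags the lifecycle failure the post warns about (a revoked badge still being granted entry), a burst of failed authentications at one door, and tamper alerts. The syslog field layout, the badge roster and the alert thresholds are constructed assumptions; adapt LINE_RE to your controller's actual output.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in the shape a controller might forward over syslog (layout assumed).
SAMPLE_LOGS = """\
2025-03-03T08:01:10Z ctrl01 access: door=server-room badge=1042 result=GRANTED
2025-03-03T08:02:30Z ctrl01 access: door=server-room badge=2077 result=DENIED
2025-03-03T08:02:45Z ctrl01 access: door=server-room badge=2078 result=DENIED
2025-03-03T08:03:01Z ctrl01 access: door=server-room badge=2079 result=DENIED
2025-03-03T08:03:20Z ctrl01 access: door=server-room badge=2080 result=DENIED
2025-03-03T08:03:40Z ctrl01 access: door=server-room badge=2081 result=DENIED
2025-03-03T09:15:00Z ctrl01 access: door=lobby badge=1099 result=GRANTED
2025-03-03T10:00:00Z ctrl01 tamper: reader=lobby-reader state=CASE_OPEN
"""
# Constructed roster from the badge lifecycle records: 1099 was revoked at offboarding.
BADGE_ROSTER = {
    "1042": {"holder": "facilities-tech", "revoked": None},
    "1099": {"holder": "former-contractor", "revoked": datetime(2025, 2, 28)},
}
LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ (?P<kind>access|tamper): (?P<kv>.*)$")
FAILED_THRESHOLD, FAILED_WINDOW = 5, timedelta(minutes=5)  # assumed alert tuning


def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None  # not a controller event; skip it
    fields = dict(p.split("=", 1) for p in m["kv"].split())
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), "kind": m["kind"], **fields}


def detect(lines, roster):
    """Return alerts for revoked-badge use, failed-auth bursts per door, and tamper events."""
    alerts, failures = [], defaultdict(deque)  # failures: door -> recent DENIED timestamps
    for ev in filter(None, map(parse, lines)):
        if ev["kind"] == "tamper":
            alerts.append(f"TAMPER reader={ev['reader']} state={ev['state']}")
            continue
        badge = roster.get(ev["badge"])
        if ev["result"] == "GRANTED" and badge and badge["revoked"] and ev["ts"] >= badge["revoked"]:
            # Lifecycle failure: a badge that should have been deactivated still opens a door.
            alerts.append(f"REVOKED_BADGE_USED badge={ev['badge']} holder={badge['holder']} door={ev['door']}")
        elif ev["result"] == "DENIED":
            q = failures[ev["door"]]
            q.append(ev["ts"])
            while ev["ts"] - q[0] > FAILED_WINDOW:  # drop failures outside the sliding window
                q.popleft()
            if len(q) == FAILED_THRESHOLD:  # fires once, when the threshold is first reached
                alerts.append(f"FAILED_AUTH_BURST door={ev['door']} count={len(q)} window={FAILED_WINDOW}")
    return alerts
```

Run it with `detect(SAMPLE_LOGS.splitlines(), BADGE_ROSTER)`; on the constructed input it raises one alert of each kind.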
Technical controls to implement
Place device management in a segmented management network (VLAN), block unnecessary inbound ports via ACLs, allow management only from the jump host (SSH port 22 with keys), and allow controllers to reach only the RADIUS/TACACS+ authentication servers. Use RADIUS with EAP-TLS or TACACS+ for admin authentication; for wireless locks use WPA2-Enterprise/WPA3-Enterprise. If readers are IP-enabled, disable HTTP and enable HTTPS with a valid certificate; prefer mutual TLS for controller-to-reader communication where supported.
Small business scenarios and cost-effective solutions
Scenario A: A 15-person DIB subcontractor with a server closet. Practical approach: install a single-door controller with a cloud-managed system (Brivo, Kisi) to avoid running your own controllers, configure immediate badge revocation via cloud console, enable MFA for admin console, and forward logs to a low-cost log service (e.g., managed ELK or a cloud SIEM). Keep a physical key in a tamper-evident pouch and record access in a paper log as a backup. Scenario B: A consulting firm without a budget for biometric readers — use proximity cards + door contacts + CCTV tied to a motion rule, and implement strict badge issuance and offboarding SOPs.
Risk if not implemented: Without control and management of physical access devices you face unauthorized access, tailgating, counterfeit or cloned badges, firmware-level compromises of readers, and attackers obtaining physical access to systems that hold CUI — leading to data exfiltration, contract loss, regulatory penalties, and reputational damage. Documented incidents commonly involve poor lifecycle controls (lost badges not deactivated) and exposed management interfaces on the corporate network.
Compliance tips, evidence for assessors, and best practices
For your SSP and assessment package include: the device inventory export, configuration baseline templates (with hashed/checksum values), screenshots of management interfaces showing TLS/certificates, RADIUS/TACACS+ configuration, logs showing badge issuance/termination events, firmware update records, policies and SOPs for badge lifecycle and visitor escort, training records, and a POA&M for any gaps. Best practices: automate badge deactivation with HR triggers, perform quarterly physical device audits, require dual control for key issuance, and run an annual penetration test that includes physical penetration testing (tailgating tests).
In summary, meeting PE.L2-3.10.5 is as much about operational rigor as it is about technology: inventory everything, harden and segment networked access devices, enforce strong lifecycle processes for badges and keys, collect and centralize logs, and produce succinct evidence for assessors. Small businesses can reach compliance with a combination of cloud-managed access solutions, disciplined procedures, and a few technical controls (VLANs, RADIUS, TLS, syslog over TLS) to reduce both cost and compliance burden.