Control and Manage Physical Access Devices – NIST SP 800-171 & CMMC 2.0

A physical access device refers to objects such as traditional keys used to unlock doors, and RFID key cards/fobs. Physical access devices grant access to locked doors. Something like a YubiKey or a DoD Common Access Card (CAC) may also be a physical access device even though they also provide access to computer systems. The key concept to grasp is that anything that unlocks a door or provides access to a location is a physical access device.

When personnel no longer require extended access to your facility then you should take or disable their physical access device. As part of your onboarding process, have terminated personnel return their keys or RFID cards.

If someone loses their RFID card you should disable it. If they lose a traditional key, you should change the lock to the doors where the key is used.

To manage physical access devices, you should first create an inventory of them. RFID cards and traditional keys often have serial numbers associated with them. Document these serial numbers and the personnel the keys were assigned to. You should also document what areas of your facility these keys grant access to. It is also a clever idea to document when you provided the physical access device to the person and when they turned it back in.

In summary a physical access device is any device used to provide access to your facility. This can include traditional keys and key fobs. You should only give physical access devices to personnel who are authorized to have extended access to your facility. You should take back physical access devices from terminated personnel and maintain an inventory of them.