bigforceone

PE.L2-3.10.5 Control and manage physical access devices.

What this control requires

Control and manage physical access devices.

Source: CMMC L2 v2.13 PE.L2-3.10.5 / NIST SP 800-171 R2 3.10.5 (official control text).

Why this matters

Physical access devices — keys, access cards, lock combinations, and readers — are the primary mechanism preventing unauthorized individuals from entering facilities where CUI is stored or processed. Without strict control over these devices, an adversary can enter the building, bypass all digital security controls, and directly access systems, documents, or storage media. This control requires organizations to maintain accountability for who possesses access devices, ensure devices are inventoried and tracked, and immediately revoke access when personnel leave or devices are lost. Failure here means physical security becomes the weakest link, regardless of network defenses.

What evidence assessors expect

Assessors typically look for: CSV export, PDF, screenshot. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.
