CMMC v2.13 Practices

PE.L2-3.10.5  

Reference: CMMC v2.13

Family: PE

Level Introduced: 2

Title: Manage Physical Access [CUI Data]

Practice:
Control and manage physical access devices.

Further Discussion:
Identifying and controlling physical access devices (e.g., locks, badges, key cards) is just as important as monitoring and limiting who is able to physically access certain equipment. Physical access devices are only strong protection if you know who has them and what access they allow. Physical access devices can be managed using manual or automatic processes, such as a list of who is assigned what key, or updating the badge access system as personnel change roles.

Example
You are a facility manager. A team member retired today and returns their company keys to you. The project on which they were working requires access to areas that contain equipment with CUI. You receive the keys, check your electronic records against the serial numbers on the keys to ensure all have been returned, and mark each key returned [c].

Potential Assessment Considerations
• Are lists or inventories of physical access devices maintained (e.g., keys, facility badges, key cards) [a]?
• Is access to physical access devices limited (e.g., granted to, and accessible only by, authorized individuals) [b]?
• Are physical access devices managed (e.g., revoking key card access when necessary, changing locks as needed, maintaining access control devices and systems) [c]?

Source: CMMC v2.13