CMMC Practice Requirement:

Control and manage physical access devices.

CMMC Requirement Explanation:

A physical access device is anything that grants entry to a physical location: a traditional key, an RFID or smart card, or a PIN code. Limiting who receives physical access devices, and keeping track of which devices each person holds, is critical for controlling access to your facilities.

Example CMMC Implementation:

Only issue physical access devices to persons who need permanent or extended access to your facilities, and record which devices each person holds so they can be recovered later. Physical access devices include keys to doors, smart cards, and PIN codes. When a person with physical access to your facilities no longer needs it (e.g. they are terminated or change roles), take possession of their keys and smart cards and also deactivate the cards in the access control system, since many RFID cards can be copied as easily as a key. If they accessed your facilities using a PIN code, change the PIN codes they knew. Rekeying locks that are opened with a traditional key is also a good idea, because keys can easily be copied.


- Scenario 1:

An employee at your company announces that his last day at work will be Tuesday. Before he leaves on Tuesday, his manager collects his RFID smart card and has it deactivated in the access control system to prevent him from accessing the facility.

- Scenario 2:

One of the IT staff members at your company will no longer be working from your company's facilities. Because he no longer needs access to the server room or company facilities, you collect his RFID card and deactivate it.
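The implementation guidance and both scenarios above reduce to a reconciliation task: for every person who has left, check that each physical access device they held has been collected, disabled or rotated. The script below is an added example, not code from the original page or from any CMMC assessment tool. It models keys, RFID cards and shared PIN codes as entries in a credential register and lists the offboarding actions still outstanding. All names, device IDs and dates are constructed sample data, and the "rekey lock" finding for returned keys reflects the page's recommendation that copied keys be assumed possible.

```python
"""Reconcile a physical-access-device register against staff separations.

Added example (not from the original page). Models keys, RFID cards and
PIN codes as credentials held by people and lists the offboarding actions
that are still outstanding for anyone who has left. Names, IDs and dates
below are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass
class Person:
    name: str
    separated: Optional[date] = None  # None while still employed


@dataclass
class Credential:
    cred_id: str
    kind: str                              # "key", "card" or "pin"
    holders: set                           # a PIN code is often shared
    returned_by: set = field(default_factory=set)  # physical items handed back
    disabled_on: Optional[date] = None     # card disabled in the access control
                                           # system, or lock rekeyed for a key
    last_rotated: Optional[date] = None    # PIN codes only


def _done_after(when: Optional[date], separated: date) -> bool:
    """True if the action was recorded on or after the separation date."""
    return when is not None and when >= separated


def offboarding_findings(people, credentials, today):
    """Return sorted (person, credential id, action) tuples still outstanding.

    Only people whose separation date is on or before `today` are checked;
    active staff never generate findings.
    """
    findings = []
    for p in people:
        if p.separated is None or p.separated > today:
            continue
        for c in credentials:
            if p.name not in c.holders:
                continue
            # Keys and cards are physical items that must be handed back.
            if c.kind in ("key", "card") and p.name not in c.returned_by:
                findings.append((p.name, c.cred_id, f"collect {c.kind}"))
            # A returned card may have been cloned: disable it in the ACS too.
            if c.kind == "card" and not _done_after(c.disabled_on, p.separated):
                findings.append((p.name, c.cred_id,
                                 "disable card in access control system"))
            # Keys are easy to copy, so returning one is not enough.
            if c.kind == "key" and not _done_after(c.disabled_on, p.separated):
                findings.append((p.name, c.cred_id, "rekey lock"))
            # A shared PIN is still known to the leaver until it is changed.
            if c.kind == "pin" and not _done_after(c.last_rotated, p.separated):
                findings.append((p.name, c.cred_id, "rotate PIN code"))
    return sorted(findings)


def sample_register():
    """Constructed sample data: two leavers and one active employee."""
    people = [
        Person("alice", separated=date(2024, 3, 5)),
        Person("bob", separated=date(2024, 3, 12)),
        Person("carol"),
    ]
    credentials = [
        # Key returned, but the lock was never rekeyed.
        Credential("KEY-SRV-01", "key", {"alice"}, returned_by={"alice"}),
        # Card returned and disabled the same day: fully handled.
        Credential("CARD-1001", "card", {"alice"}, returned_by={"alice"},
                   disabled_on=date(2024, 3, 5)),
        # Card neither returned nor disabled.
        Credential("CARD-1002", "card", {"bob"}),
        # Active employee, nothing to do.
        Credential("CARD-1003", "card", {"carol"}),
        # Shared PIN rotated after alice left but before bob left.
        Credential("PIN-LOADING-DOCK", "pin", {"alice", "bob", "carol"},
                   last_rotated=date(2024, 3, 6)),
    ]
    return people, credentials


if __name__ == "__main__":
    people, creds = sample_register()
    for person, cred, action in offboarding_findings(people, creds, date(2024, 4, 1)):
        print(f"{person:8} {cred:18} {action}")
```

Running the script against the constructed register reports the rekey for alice's returned key, the uncollected and still-enabled card for bob, and the loading-dock PIN that bob still knows; alice's card and the active employee produce nothing. In practice the register would be exported from the access control system and HR's separation list rather than typed in.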

Discover Our NIST SP 800-171 Solutions:


Compliance Accelerator

For contractors seeking compliance

Quantum Assessor

For IT service providers

Supply Chain Verifier

For contractors seeking to verify partner compliance