GRCWatch
Sign inStart free trial

NIST 800-171 Control 3.10.5: Physical Access Device Management

Control 3.10.5 requires organizations to implement processes for controlling and managing physical access devices that regulate entry to facilities and systems. Without proper device management, unauthorized personnel could gain access to sensitive CUI environments. This control ensures all access devices—badges, keys, biometric readers, and entry logs—are accounted for, properly maintained, and promptly disabled when no longer needed.

What this means

Physical access device management means establishing formal controls over all devices used to grant or restrict physical access to facilities and secure areas. This includes inventory tracking, issuance procedures, maintenance schedules, and deactivation protocols. Organizations must monitor device usage, detect and respond to unauthorized access attempts, and ensure devices remain functional and secure throughout their lifecycle.

How to comply

  1. 1.Inventory all physical access devices (badges, keys, proximity cards, biometric systems) and document their locations and assigned users
  2. 2.Establish formal issuance procedures requiring approval, documentation, and acknowledgment before any device is distributed
  3. 3.Implement a labeling or numbering system to track device ownership, issue date, and expiration dates
  4. 4.Conduct regular maintenance and testing of access control devices to ensure proper functionality
  5. 5.Disable or deactivate devices immediately upon employee termination, role change, or device loss/theft
  6. 6.Maintain audit logs and access records showing who accessed what areas and when
  7. 7.Periodically audit device inventory against actual deployed devices to identify missing, unauthorized, or obsolete items
  8. 8.Establish a secure storage protocol for inactive devices and manage disposal of obsolete equipment

Evidence auditors look for

  • Physical access device inventory list with serial numbers, assignment dates, and current status
  • Access device issuance request forms with approval signatures and acknowledgment of receipt
  • Device maintenance logs showing inspection dates, testing results, and repairs performed
  • Deactivation records documenting device disable dates, authorization, and method of deactivation
  • Access control system logs showing entry attempts, successful/failed authentications, and access timestamps
  • Reconciliation reports comparing inventory records to actual devices deployed in the facility
  • Badge/key return forms signed by employees upon termination or role change
  • Audit reports from physical security reviews documenting device condition and compliance status

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates physical access device inventory tracking, deactivation workflows, and compliance audits—eliminating manual spreadsheets and ensuring no orphaned access devices slip through during employee offboarding.

See how GRCWatch handles this control automatically

Start free trial

Related controls

3.1.1 — Authorized Access3.8.1 — Information System Monitoring3.8.2 — Monitoring Tools3.10.1 — Boundary Protection3.10.4 — Access Control for Transmission