NIST Special Publication 800-171 Revision 2

Date Published: January 28th, 2021

Withdrawn on May 14, 2024. Superseded by SP 800-171 Rev. 3

Author(s): Ron Ross (NIST), Victoria Pillitteri (NIST), Kelley Dempsey (NIST), Mark Riddle (NARA), Gary Guissanie (IDA)

Note: A Class Deviation is in effect as of May 2, 2024 (DEVIATION 2024O0013). The deviation clause requires contractors, who are subject to 252.204-7012, to comply with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Revision 2, instead of the version of NIST SP 800-171 in effect at the time the solicitation is issued or as authorized by the contracting officer. Click Here

3.10.5: Control and manage physical access devices.

Control Family: Physical Protection

Control Type: Derived

SPRS Value: 1

SPRS Supplemental Guidance: N/A

CMMC Level(s):

  • PE.L1-b.1.ix

  • PE.L2-3.10.4

Top Ten Failed Requirement:

No

Referenced in:

DFARS 252.204-7012

Derived From: NIST SP 800-53r4

  • PE-3

NIST Supplemental Guidance:

N/A

Discussion:

Physical access devices include keys, locks, combinations, and card readers.

Upon assessment, assessors must determine if- 

3.10.5[a] physical access devices are identified.
3.10.5[b] physical access devices are controlled.
3.10.5[c] physical access devices are managed.

Assessors are instructed to-

Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing physical access control; system security plan; physical access control logs or records; inventory records of physical access control devices; system entry and exit points; records of key and lock combination changes; storage locations for physical access control devices; physical access control devices; list of security safeguards controlling access to designated publicly accessible areas within facility; other relevant documents or records].

Interview: [SELECT FROM: Personnel with physical access control responsibilities; personnel with information security responsibilities].

Test: [SELECT FROM: Organizational processes for physical access control; mechanisms supporting or implementing physical access control; physical access control devices].

FURTHER DISCUSSION

Identifying and controlling physical access devices (e.g., locks, badges, key cards) is just as important as monitoring and limiting who is able to physically access certain equipment. Physical access devices are only strong protection if you know who has them and what access they allow. Physical access devices can be managed using manual or automatic processes such a list of who is assigned what key, or updating the badge access system as personnel change roles.

Example

You are a facility manager. A team member retired today and returns their company keys to you. The project on which they were working requires access to areas that contain equipment with CUI. You receive the keys, check your electronic records against the serial numbers on the keys to ensure all have been returned, and mark each key returned [c].

Potential Assessment Considerations

  • Are lists or inventories of physical access devices maintained (e.g., keys, facility badges, key cards) [a]?

  • Is access to physical access devices limited (e.g., granted to, and accessible only by, authorized individuals) [b]?

  • Are physical access devices managed (e.g., revoking key card access when necessary, changing locks as needed, maintaining access control devices and systems) [c]?