3.10.5 — Manage Keys and Badges

The One-Liner

If you can’t account for every key and badge, you can’t account for who has physical access.

What It Says

Control and manage physical access devices.

What It Actually Means

Three things: identify all physical access devices (keys, badges, cards, combinations, PINs), control them (restrict distribution, secure spares), and manage them (deactivate lost badges immediately, change combinations periodically, revoke on departure, maintain an inventory). The assessor will ask for your key/badge inventory and check whether deactivation happens promptly.

---

Pass or Fail

Your assessor needs a “yes” to every row:

#	Question	What “yes” looks like
1	Are physical access devices identified?	Inventory of all keys, badges, and cards with assignment records
2	Are physical access devices controlled?	Distribution limited; spares secured; issuance logged
3	Are physical access devices managed?	Lost badges deactivated within hours; combinations changed periodically; departures trigger immediate deactivation

---

What to Have Ready on Assessment Day

Documents they’ll review: Physical and environmental protection policy; key and badge inventory; key distribution records; badge deactivation records; combination change records; system security plan

People they’ll talk to: Personnel with physical access responsibilities; information security personnel

Live demos they’ll ask for: “Show me your key and badge inventory.” “How quickly is a lost badge deactivated? Show me a recent example.” “When were server room combinations last changed?”

---

The Assessor’s Playbook

These are the actual questions. Have answers ready.

• “Show me your key/badge inventory.”
• “How quickly is a lost badge deactivated?”
• “When were server room combinations last changed?”
• “Show me that a departed employee’s badge was deactivated.”

Real-World Example

A defense contractor maintains a badge inventory spreadsheet: badge number, assigned person, areas accessible, issue date. When someone reports a lost badge, the badge is deactivated within 4 hours via the access control system. Server room keypad combinations are changed annually and whenever someone with the combination leaves. The offboarding procedure (3.9.2) includes badge deactivation as a checklist item. The assessor reviews the inventory, checks a recent departure for badge deactivation timing, and asks when the last combination change occurred.

---

Where Companies Trip Up

No key inventory. Unknown how many server room keys exist or who has them. Create and maintain an inventory.

Lost badges not deactivated. Days pass before a lost badge is deactivated. Define an SLA — 4 hours maximum.

Combinations never changed. Server room code unchanged for years and known by departed employees. Change periodically and on departure.

---

How to Talk About This

To a CEO or Board

Every key and badge is inventoried, tracked, and managed. Lost badges are deactivated within hours. Combinations are changed periodically and whenever someone with access departs.

To an Engineering Team

Badge inventory in spreadsheet. Lost badge SLA: deactivated within 4 hours. Combinations changed annually + on departure. Offboarding checklist includes badge deactivation. Spare keys secured.

---

Connected Requirements

Requirement	Why it matters here
3.10.1 — Lock the Doors	Keys and badges are the devices that enforce physical access controls
3.9.2 — Revoke on Departure	Badge deactivation on departure

---

Implementation

🔒

Step-by-step guides for Microsoft 365, AWS, Azure, and GCP are available to Ancitus clients.

Start a conversation →

---

CMMC Practice ID: PE.L2-3.10.5 | SPRS Weight: 1 point | POA&M Eligible: Yes