he final Practice within the Physical Security (PE) Domain and Capability, Limit Physical Access, is PE.1.134, Control and manage physical access devices. This Practice focuses on who can access the physical equipment used to track physical access to a facility (e.g., locks, badging, key cards, etc.) and who is responsible for monitoring and managing access to this equipment. Below is the documentation from CMMC V1.02, Appendix B, Page B-152 and Page 192 in the PDF:

PE.1.134 – Control and Manage Physical Access Devices

Discussion from Source: NIST SP 800-171, Rev 2

Physical access devices include keys, locks, combinations, and card readers.

CMMC Clarification

Controlling physical access devices like locks, badging, key cards, etc. is just as important as monitoring and limiting who is able to physically access certain equipment. Locks, badges, and key cards are only strong protection if you know who has them and what access they allow.


A team member retired last week and forgot to turn in company items, including an identification badge and office keys. The project requires special equipment that should be used only by project team members. Before you begin looking for a replacement employee, you make sure to change the locks on the doors to the project area. You also disable the retired team member’s badge.

The four preceding entries comprise the Practices within the Domain Physical Security (PE), Capability, Limit Physical Access. Next we move to Domain – System and Communication Protections (SC), which has one Capability and two Practices.

Until then…

By Mark Lupo, MBCP, SMP

*Originally posted on UGA Small Business Development Center*