Mapped to NIST 800-171 Requirement: 3.10.6
CMMC Assessment Objective: PE.L2-3.10.6[b]
What This Control Means
After identifying your access control devices (PE.L2-3.10.6[a]), this control verifies that they are formally documented in your:
• System Security Plan (SSP)
• Physical security procedures
• Facility or IT asset inventory
You must be able to demonstrate what devices exist, where they are, and what they protect.
Why It Matters
Without documentation:
• You can’t track or maintain access devices effectively
• Security teams may be unaware of what protections exist
• Device failures or misconfigurations may go unnoticed
• CMMC assessors will flag this as a gap—even if the devices are installed
Documentation creates visibility, accountability, and audit readiness.
How to Implement It
1. Maintain a Physical Access Device Inventory
• Include:
◦ Device name/type (e.g., badge reader, keypad)
◦ Location and associated secure area
◦ Serial number, model, or system ID
◦ Responsible individual or department
◦ Maintenance/support procedures (if applicable)
2. Update Your Security Documentation
• Include this inventory in:
◦ The SSP
◦ Facility security plans
◦ Asset management systems
3. Review and Update Regularly
• When devices are added, replaced, or removed
• During facility or compliance reviews
4. Link Devices to CUI Zones
• Identify which devices are responsible for protecting specific CUI systems or storage areas
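One way to check a device inventory against the four steps above, as an added example that is not part of the original page or of Cuick Trac. The column names, the sample rows, the walk-through list, and the 365-day review interval are all assumptions made for illustration.

```python
import csv
import io
from datetime import date

# Columns mirror the inventory fields listed in step 1, plus the CUI zone
# link (step 4) and a review date (step 3). Column names are assumptions.
REQUIRED = ["device_id", "type", "location", "secure_area", "serial", "owner"]

# Constructed sample inventory; none of these devices are real.
SAMPLE_INVENTORY = """\
device_id,type,location,secure_area,serial,owner,cui_zone,last_reviewed
RDR-01,badge reader,Bldg A door 101,Server room,SN-1001,Facilities,CUI-ZONE-1,2025-01-15
KPD-02,keypad,Bldg A door 114,Records room,SN-1002,,CUI-ZONE-2,2025-02-01
BIO-03,biometric scanner,Bldg B door 201,Engineering lab,SN-1003,IT Security,,2023-03-10
"""

# Constructed list of devices found during the [a] walk-through.
SAMPLE_IDENTIFIED = {"RDR-01", "KPD-02", "BIO-03", "LCK-04"}


def audit_inventory(csv_text, identified, today, max_age_days=365):
    """Return {device_id: [findings]} for every device with a gap."""
    findings = {}
    documented = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        dev = row["device_id"].strip()
        documented.add(dev)
        issues = [f"missing {f}" for f in REQUIRED if not (row.get(f) or "").strip()]
        if not (row.get("cui_zone") or "").strip():
            issues.append("not linked to a CUI zone")
        reviewed = (row.get("last_reviewed") or "").strip()
        if not reviewed:
            issues.append("never reviewed")
        elif (today - date.fromisoformat(reviewed)).days > max_age_days:
            issues.append("review overdue")
        if issues:
            findings[dev] = issues
    # Devices seen on site but absent from the written inventory.
    for dev in sorted(identified - documented):
        findings[dev] = ["installed but not documented"]
    return findings


if __name__ == "__main__":
    for dev, issues in audit_inventory(SAMPLE_INVENTORY, SAMPLE_IDENTIFIED, date(2025, 6, 1)).items():
        print(f"{dev}: {', '.join(issues)}")
```

Each finding corresponds to one of the common gaps an assessor looks for: an undocumented device, a missing owner, no link to what the device protects, or a record that was not updated.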
Evidence the Assessor Will Look For
• Written list of physical access control devices
• Facility maps with marked device locations
• SSP or policy references to specific access systems
• Assignment of device ownership
• Logs showing device installation or maintenance records
Common Gaps
• Devices exist but are not documented
• No inventory of locks, readers, or biometric scanners
• No link between devices and what they protect
• Documentation hasn’t been updated after recent changes
How Cuick Trac Helps
Cuick Trac supports this requirement by:
• Centralizing documentation of all physical access control devices
• Linking devices to specific rooms, systems, and CUI zones
• Assigning ownership, maintenance, and logging responsibilities
• Updating device records automatically during security reviews
• Providing auditors with full visibility into your physical protection footprint
With Cuick Trac, your access devices are documented, reviewed, and always audit-ready.
If your devices protect your data, your documentation should protect your devices.
Schedule a Cuick Trac demo to fully document your physical access infrastructure and close your compliance gaps.