CMMC Practice PE.1.134
Control and manage physical access devices.
Bold Coast Security Guidance
Your organization must inventory and track all physical access devices. We suggested in PS.2.128 to start an inventory for each employee of mobile devices and system access, and assignment of keys and other physical access devices must be part of this list which can then be reviewed to ensure collection of all items when the employee departs the company.
You should also train all employees to report any lost or stolen keys, badges, etc., as soon as it is noticed they are missing.
Your policy for Maturity Level 2 will note the requirement for this inventory, and your plan for level three will note who is responsible for the inventory, and where the inventory is kept. You should conduct audit/inventory of all physical access devices (keys, badges) on a regular basis to measure your policy and plan's effectiveness.
Do not forget to regularly review the electronic access systems themselves to ensure that only the appropriate people still have access to controlled areas.
DRAFT NIST SP 800-171 R2
Physical access devices include keys, locks, combinations, and card readers.