Navigate

PE-3

PE-3: Physical Access Control

a: Enforce physical access authorizations at [entry and exit points to the facility in which the system resides are defined;] by:
- 1: Verifying individual access authorizations before granting access to the facility; and
- 2: Controlling ingress and egress to the facility using [one or more of "{{ insert: param, pe-03_odp.03 }} "/"guards"];

b: Maintain physical access audit logs for [entry or exit points for which physical access logs are maintained are defined;];

c: Control access to areas within the facility designated as publicly accessible by implementing the following controls: [physical access controls to control access to areas within the facility designated as publicly accessible are defined;];

d: Escort visitors and control visitor activity [circumstances requiring visitor escorts and control of visitor activity are defined;];

e: Secure keys, combinations, and other physical access devices;

f: Inventory [physical access devices to be inventoried are defined;] every [frequency at which to inventory physical access devices is defined;] ; and

g: Change combinations and keys [one of ] and/or when keys are lost, combinations are compromised, or when individuals possessing the keys or combinations are transferred or terminated.

Supplemental

Physical access control applies to employees and visitors. Individuals with permanent physical access authorizations are not considered visitors. Physical access controls for publicly accessible areas may include physical access control logs/records, guards, or physical access devices and barriers to prevent movement from publicly accessible areas to non-public areas. Organizations determine the types of guards needed, including professional security staff, system users, or administrative staff. Physical access devices include keys, locks, combinations, biometric readers, and card readers. Physical access control systems comply with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural, automated, or some combination thereof. Physical access points can include facility access points, interior access points to systems that require supplemental access controls, or both. Components of systems may be in areas designated as publicly accessible with organizations controlling access to the components.

CIA Levels
Confidentiality	low
Integrity	low
Availability	low

Overlays
CMMC, DAF Baseline, Privacy (accountability), Privacy (high), Privacy (low), Privacy (moderate)

CSF Categories
PR.AC-2

Related Controls

The controls below (if any) were marked by NIST as being related to PE-3.

Control	Description
AT-3	a: Provide role-based security and privacy training to personnel with the following roles and responsibilities: [one of ]: 1: Before authorizing access to the system, information, or performing assigned duties, and [the frequency at which to provide role-based security and privacy training to assigned personnel after initial training is defined;] thereafter; and 2: When required by system changes; b: Update role-based training content [the frequency at which to update role-based training content is defined;] and following [events that require role-based training content to be updated are defined;] ; and c: Incorporate lessons learned from internal or external security incidents or breaches into role-based training.
AU-2	a: Identify the types of events that the system is capable of logging in support of the audit function: [the event types that the system is capable of logging in support of the audit function are defined;]; b: Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; c: Specify the following event types for logging within the system: [one of ]; d: Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and e: Review and update the event types selected for logging [the frequency of event types selected for logging are reviewed and updated;].
AU-6	a: Review and analyze system audit records [frequency at which system audit records are reviewed and analyzed is defined;] for indications of [inappropriate or unusual activity is defined;] and the potential impact of the inappropriate or unusual activity; b: Report findings to [personnel or roles to receive findings from reviews and analyses of system records is/are defined;] ; and c: Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.
AU-9	a: Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and b: Alert [personnel or roles to be alerted upon detection of unauthorized access, modification, or deletion of audit information is/are defined;] upon detection of unauthorized access, modification, or deletion of audit information.
AU-13	a: Monitor [open-source information and/or information sites to be monitored for evidence of unauthorized disclosure of organizational information is/are defined;] [the frequency with which open-source information and/or information sites are monitored for evidence of unauthorized disclosure of organizational information is defined;] for evidence of unauthorized disclosure of organizational information; and b: If an information disclosure is discovered: 1: Notify [personnel or roles to be notified if an information disclosure is discovered is/are defined;] ; and 2: Take the following additional actions: [additional actions to be taken if an information disclosure is discovered are defined;].
CP-10	Provide for the recovery and reconstitution of the system to a known state within [one of ] after a disruption, compromise, or failure.
IA-3	Uniquely identify and authenticate [devices and/or types of devices to be uniquely identified and authenticated before establishing a connection are defined;] before establishing a [one or more of "local"/"remote"/"network"] connection.
IA-8	Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users.
MA-5	a: Establish a process for maintenance personnel authorization and maintain a list of authorized maintenance organizations or personnel; b: Verify that non-escorted personnel performing maintenance on the system possess the required access authorizations; and c: Designate organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.
MP-2	Restrict access to [one of ] to [one of ].
MP-4	a: Physically control and securely store [one of ] within [one of ] ; and b: Protect system media types defined in MP-4a until the media are destroyed or sanitized using approved equipment, techniques, and procedures.
PE-2	a: Develop, approve, and maintain a list of individuals with authorized access to the facility where the system resides; b: Issue authorization credentials for facility access; c: Review the access list detailing authorized facility access by individuals [frequency at which to review the access list detailing authorized facility access by individuals is defined;] ; and d: Remove individuals from the facility access list when access is no longer required.
PE-4	Control physical access to [system distribution and transmission lines requiring physical access controls are defined;] within organizational facilities using [security controls to be implemented to control physical access to system distribution and transmission lines within the organizational facility are defined;].
PE-5	Control physical access to output from [output devices that require physical access control to output are defined;] to prevent unauthorized individuals from obtaining the output.
PE-8	a: Maintain visitor access records to the facility where the system resides for [time period for which to maintain visitor access records for the facility where the system resides is defined;]; b: Review visitor access records [the frequency at which to review visitor access records is defined;] ; and c: Report anomalies in visitor access records to [personnel to whom visitor access records anomalies are reported to is/are defined;].
PS-2	a: Assign a risk designation to all organizational positions; b: Establish screening criteria for individuals filling those positions; and c: Review and update position risk designations [the frequency at which to review and update position risk designations is defined;].
PS-3	a: Screen individuals prior to authorizing access to the system; and b: Rescreen individuals in accordance with [one of ].
PS-6	a: Develop and document access agreements for organizational systems; b: Review and update the access agreements [the frequency at which to review and update access agreements is defined;] ; and c: Verify that individuals requiring access to organizational information and systems: 1: Sign appropriate access agreements prior to being granted access; and 2: Re-sign access agreements to maintain access to organizational systems when access agreements have been updated or [the frequency at which to re-sign access agreements to maintain access to organizational information is defined;].
PS-7	a: Establish personnel security requirements, including security roles and responsibilities for external providers; b: Require external providers to comply with personnel security policies and procedures established by the organization; c: Document personnel security requirements; d: Require external providers to notify [personnel or roles to be notified of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges or who have system privileges is/are defined;] of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges, or who have system privileges within [time period within which third-party providers are required to notify organization-defined personnel or roles of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges or who have system privileges is defined;] ; and e: Monitor provider compliance with personnel security requirements.
RA-3	a: Conduct a risk assessment, including: 1: Identifying threats to and vulnerabilities in the system; 2: Determining the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and 3: Determining the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information; b: Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments; c: Document risk assessment results in [one of "security and privacy plans"/"risk assessment report"/"{{ insert: param, ra-03_odp.02 }} "]; d: Review risk assessment results [the frequency to review risk assessment results is defined;]; e: Disseminate risk assessment results to [personnel or roles to whom risk assessment results are to be disseminated is/are defined;] ; and f: Update the risk assessment [the frequency to update the risk assessment is defined;] or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.
SC-28	Protect the [one or more of "confidentiality"/"integrity"] of the following information at rest: [information at rest requiring protection is defined;].
SI-4	a: Monitor the system to detect: 1: Attacks and indicators of potential attacks in accordance with the following monitoring objectives: [monitoring objectives to detect attacks and indicators of potential attacks on the system are defined;] ; and 2: Unauthorized local, network, and remote connections; b: Identify unauthorized use of the system through the following techniques and methods: [techniques and methods used to identify unauthorized use of the system are defined;]; c: Invoke internal monitoring capabilities or deploy monitoring devices: 1: Strategically within the system to collect organization-determined essential information; and 2: At ad hoc locations within the system to track specific types of transactions of interest to the organization; d: Analyze detected events and anomalies; e: Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation; f: Obtain legal opinion regarding system monitoring activities; and g: Provide [system monitoring information to be provided to personnel or roles is defined;] to [personnel or roles to whom system monitoring information is to be provided is/are defined;] [one or more of "as needed"/"{{ insert: param, si-04_odp.06 }} "].
SR-3	a: Establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of [the system or system component requiring a process or processes to identify and address weaknesses or deficiencies is defined;] in coordination with [supply chain personnel with whom to coordinate the process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes is/are defined;]; b: Employ the following controls to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events: [supply chain controls employed to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events are defined;] ; and c: Document the selected and implemented supply chain processes and controls in [one or more of "security and privacy plans"/"supply chain risk management plan"/"{{ insert: param, sr-03_odp.05 }} "].

Enhancements

The controls below (if any) add on to the requirements of PE-3.

Control	Description
PE-3(1)	Enforce physical access authorizations to the system in addition to the physical access controls for the facility at [physical spaces containing one or more components of the system are defined;].
PE-3(2)	Perform security checks [the frequency at which to perform security checks at the physical perimeter of the facility or system for exfiltration of information or removal of system components is defined;] at the physical perimeter of the facility or system for exfiltration of information or removal of system components.
PE-3(3)	Employ guards to control [physical access points to the facility where the system resides are defined;] to the facility where the system resides 24 hours per day, 7 days per week.
PE-3(4)	Use lockable physical casings to protect [system components to be protected from unauthorized physical access are defined;] from unauthorized physical access.
PE-3(5)	Employ [anti-tamper technologies to be employed are defined;] to [one or more of "detect"/"prevent"] physical tampering or alteration of [hardware components to be protected from physical tampering or alteration are defined;] within the system.
PE-3(6)
PE-3(7)	Limit access using physical barriers.
PE-3(8)	Employ access control vestibules at [locations within the facility where access control vestibules are to be employed are defined;].

Related CCIs

The CCIs below are tied to PE-3.

CCI	Definition
CCI-000920	Verify individual access authorizations before granting access to the facility.
CCI-000923	Secure keys, combinations, and other physical access devices.
CCI-000924	Inventory organization-defined physical access devices on an organization-defined frequency.
CCI-000925	Defines the frequency for conducting inventories of organization-defined physical access devices.
CCI-000926	Change combinations and keys in accordance with organization-defined frequency and/or when keys are lost, combinations are compromised, or when individuals possessing the keys or combinations are transferred or terminated.
CCI-000927	Defines a frequency for changing combinations and keys.
CCI-002915	Defines the entry and exit points to the facility where the system resides.
CCI-002916	Defines the physical access control systems or devices or guards that control ingress and egress to the facility where the system resides.
CCI-002917	Maintain physical access audit logs for organization-defined entry/exit points to the facility where the system resides.
CCI-002918	Defines entry and exit points to the facility where the system resides that require physical access audit logs be maintained.
CCI-002919	Control access to areas within the facility designated as publicly accessible by implementing organization-defined access controls.
CCI-002920	Defines physical access controls to control access to areas within the facility designated as publicly accessible.
CCI-002921	Escort visitors in the facility where the system resides during organization-defined circumstances requiring visitor escorts.
CCI-002922	Defines circumstances requiring visitor escorts in the facility where the system resides.
CCI-002923	Monitor visitor activity in the facility where the system resides during organization-defined circumstances requiring visitor monitoring.
CCI-002924	Define circumstances requiring visitor monitoring in the facility where the system resides.
CCI-002925	Defines the physical access devices to inventory.
CCI-004240	Enforce physical access authorizations at organization-defined entry points to the facility where the system resides.
CCI-004241	Enforce physical access authorizations at organization-defined exit points to the facility where the system resides.
CCI-004242	Control ingress to the facility where the information system resides using one or more organization-defined physical access control systems or devices or guards.
CCI-004243	Control egress to the facility where the information system resides using one or more organization-defined physical access control systems or devices or guards.