PE-03 Physical Access Control
a. Enforce physical access authorizations at pe-03_odp.01 by:
1. Verifying individual access authorizations before granting access to the facility; and
2. Controlling ingress and egress to the facility using pe-03_odp.02;
b. Maintain physical access audit logs for pe-03_odp.04;
c. Control access to areas within the facility designated as publicly accessible by implementing the following controls: pe-03_odp.05;
d. Escort visitors and control visitor activity pe-03_odp.06;
e. Secure keys, combinations, and other physical access devices;
f. Inventory pe-03_odp.07 every pe-03_odp.08; and
g. Change combinations and keys pe-3_prm_9 and/or when keys are lost, combinations are compromised, or when individuals possessing the keys or combinations are transferred or terminated.
| Parameter ID | Definition |
|---|---|
| pe-3_prm_9 | organization-defined frequency |
| pe-03_odp.01 | entry and exit points |
| pe-03_odp.02 | Selection (one-or-more): |
| pe-03_odp.03 | systems or devices |
| pe-03_odp.04 | entry or exit points |
| pe-03_odp.05 | physical access controls |
| pe-03_odp.06 | circumstances |
| pe-03_odp.07 | physical access devices |
| pe-03_odp.08 | frequency |
| pe-03_odp.09 | frequency |
| pe-03_odp.10 | frequency |
Baselines
- L
- M
- H
- P
Guidance
Physical access control applies to employees and visitors. Individuals with permanent physical access authorizations are not considered visitors. Physical access controls for publicly accessible areas may include physical access control logs/records, guards, or physical access devices and barriers to prevent movement from publicly accessible areas to non-public areas. Organizations determine the types of guards needed, including professional security staff, system users, or administrative staff. Physical access devices include keys, locks, combinations, biometric readers, and card readers. Physical access control systems comply with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural, automated, or some combination thereof. Physical access points can include facility access points, interior access points to systems that require supplemental access controls, or both. Components of systems may be in areas designated as publicly accessible with organizations controlling access to the components.
References (5)
- FIPS 201-2 National Institute of Standards and Technology (2013) Personal Identity Verification (PIV) of Federal Employees and Contractors. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 201-2.
- SP 800-73-4 Cooper DA, Ferraiolo H, Mehta KL, Francomacaro S, Chandramouli R, Mohler J (2015) Interfaces for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-73-4, Includes updates as of February 8, 2016.
- SP 800-76-2 Grother PJ, Salamon WJ, Chandramouli R (2013) Biometric Specifications for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-76-2.
- SP 800-78-4 Polk T, Dodson DF, Burr WE, Ferraiolo H, Cooper DA (2015) Cryptographic Algorithms and Key Sizes for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-78-4.
- SP 800-116 Ferraiolo H, Mehta KL, Ghadiali N, Mohler J, Johnson V, Brady S (2018) A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-116, Rev. 1.
Control Enhancements (8)
- PE-03(01) System Access
- PE-03(02) Facility and Systems
- PE-03(03) Continuous Guards
- PE-03(04) Lockable Casings
- PE-03(05) Tamper Protection
- PE-03(06) Facility Penetration Testing
- PE-03(07) Physical Barriers
- PE-03(08) Access Control Vestibules
Related Controls (23)
- AT-03 Role-based Training
- AU-02 Event Logging
- AU-06 Audit Record Review, Analysis, and Reporting
- AU-09 Protection of Audit Information
- AU-13 Monitoring for Information Disclosure
- CP-10 System Recovery and Reconstitution
- IA-03 Device Identification and Authentication
- IA-08 Identification and Authentication (Non-organizational Users)
- MA-05 Maintenance Personnel
- MP-02 Media Access
- MP-04 Media Storage
- PE-02 Physical Access Authorizations
- PE-04 Access Control for Transmission
- PE-05 Access Control for Output Devices
- PE-08 Visitor Access Records
- PS-02 Position Risk Designation
- PS-03 Personnel Screening
- PS-06 Access Agreements
- PS-07 External Personnel Security
- RA-03 Risk Assessment
- SC-28 Protection of Information at Rest
- SI-04 System Monitoring
- SR-03 Supply Chain Controls and Processes