
PE-3

Physical and Environmental Protection · Rev 5 · organization

Physical Access Control

Baselines: Low, Moderate, High

Control Statement

a. Enforce physical access authorizations at [Assignment: entry and exit points] by:
   1. Verifying individual access authorizations before granting access to the facility; and
   2. Controlling ingress and egress to the facility using [Selection: organization-defined value];
b. Maintain physical access audit logs for [Assignment: entry or exit points];
c. Control access to areas within the facility designated as publicly accessible by implementing the following controls: [Assignment: physical access controls];
d. Escort visitors and control visitor activity [Assignment: circumstances];
e. Secure keys, combinations, and other physical access devices;
f. Inventory [Assignment: physical access devices] every [Assignment: frequency]; and
g. Change combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or when individuals possessing the keys or combinations are transferred or terminated.

Supplemental Guidance

Physical access control applies to employees and visitors. Individuals with permanent physical access authorizations are not considered visitors. Physical access controls for publicly accessible areas may include physical access control logs/records, guards, or physical access devices and barriers to prevent movement from publicly accessible areas to non-public areas. Organizations determine the types of guards needed, including professional security staff, system users, or administrative staff. Physical access devices include keys, locks, combinations, biometric readers, and card readers. Physical access control systems comply with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural, automated, or some combination thereof. Physical access points can include facility access points, interior access points to systems that require supplemental access controls, or both. Components of systems may be in areas designated as publicly accessible with organizations controlling access to the components.

Related Controls (23)

AT-3, AU-2, AU-6, AU-9, AU-13, CP-10, IA-3, IA-8, MA-5, MP-2, MP-4, PE-2, PE-4, PE-5, PE-8, PS-2, PS-3, PS-6, PS-7, RA-3, SC-28, SI-4, SR-3

CCI Identifiers (24)

CCI-002915: Defines the entry and exit points to the facility where the system resides.
CCI-002916: Defines the physical access control systems or devices or guards that control ingress and egress to the facility where the system resides.
CCI-002917: Maintain physical access audit logs for organization-defined entry/exit points to the facility where the system resides.
CCI-002918: Defines entry and exit points to the facility where the system resides that require physical access audit logs be maintained.
CCI-002919: Control access to areas within the facility designated as publicly accessible by implementing organization-defined access controls.
CCI-002920: Defines physical access controls to control access to areas within the facility designated as publicly accessible.
CCI-002921: Escort visitors in the facility where the system resides during organization-defined circumstances requiring visitor escorts.
CCI-002922: Defines circumstances requiring visitor escorts in the facility where the system resides.
CCI-000919: The organization enforces physical access authorizations at organization-defined entry/exit points to the facility where the information system resides.
CCI-000920: Verify individual access authorizations before granting access to the facility.
CCI-000921: The organization controls ingress/egress to the facility where the information system resides using one or more organization-defined physical access control systems/devices or guards.
CCI-000922: The organization controls access to areas officially designated as publicly accessible in accordance with the organization's assessment of risk.
CCI-000923: Secure keys, combinations, and other physical access devices.
CCI-000924: Inventory organization-defined physical access devices on an organization-defined frequency.
CCI-000925: Defines the frequency for conducting inventories of organization-defined physical access devices.
CCI-002923: Monitor visitor activity in the facility where the system resides during organization-defined circumstances requiring visitor monitoring.
CCI-002924: Define circumstances requiring visitor monitoring in the facility where the system resides.
CCI-002925: Defines the physical access devices to inventory.
CCI-004240: Enforce physical access authorizations at organization-defined entry points to the facility where the system resides.
CCI-004241: Enforce physical access authorizations at organization-defined exit points to the facility where the system resides.
CCI-004242: Control ingress to the facility where the information system resides using one or more organization-defined physical access control systems or devices or guards.
CCI-004243: Control egress to the facility where the information system resides using one or more organization-defined physical access control systems or devices or guards.
CCI-000926: Change combinations and keys in accordance with organization-defined frequency and/or when keys are lost, combinations are compromised, or when individuals possessing the keys or combinations are transferred or terminated.
CCI-000927: Defines a frequency for changing combinations and keys.

Linked STIG Checks (3)

Across 3 STIGs.