Catalog: SP800-53rev3 / Class: Operational / Family: (PE) Physical and Environmental Protection
PE-03: Physical Access Control

base control objective:
The organization:
a. Enforces physical access authorizations for all physical access points (including designated entry/exit points) to the facility where the information system resides (excluding those areas within the facility officially designated as publicly accessible);
b. Verifies individual access authorizations before granting access to the facility;
c. Controls entry to facilities containing information systems using physical access devices and/or guards;
d. Controls access to areas officially designated as publicly accessible in accordance with the organization’s assessment of risk;
e. Secures keys, combinations, and other physical access devices;
f. Inventories physical access devices [Assignment: organization-defined frequency]; and
g. Changes combinations and keys [Assignment: organization-defined frequency] and when keys are lost, combinations are compromised, or individuals are transferred or terminated.

supplemental objective information:
The organization determines the types of guards needed, for example, professional physical security staff or other personnel such as administrative staff or information system users, as deemed appropriate. Physical access devices include, for example, keys, locks, combinations, card readers. Workstations and associated peripherals connected to (and part of) an organizational information system may be located in areas designated as publicly accessible with access to such devices being safeguarded.

enhancements to the base objective:

(1) The organization enforces physical access authorizations to the information system independent of the physical access controls for the facility.
Enhancement Supplemental Guidance: This control enhancement applies to server rooms, media storage areas, communications centers, or any other areas within an organizational facility containing large concentrations of information system components. The intent is to provide additional physical security for those areas where the organization may be more vulnerable due to the concentration of information system components. Security requirements for facilities containing organizational information systems that process, store, or transmit Sensitive Compartmented Information (SCI) are consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. See also PS-3, security requirements for personnel access to SCI.

(2) The organization performs security checks at the physical boundary of the facility or information system for unauthorized exfiltration of information or information system components.
Enhancement Supplemental Guidance: The extent/frequency or randomness of the checks is as deemed necessary by the organization to adequately mitigate risk associated with exfiltration.

(3) The organization guards, alarms, and monitors every physical access point to the facility where the information system resides 24 hours per day, 7 days per week.

(4) The organization uses lockable physical casings to protect internal components of the information system from unauthorized physical access.

(5) The information system detects/prevents physical tampering or alteration of hardware components within the system.

(6) The organization employs a penetration testing process that includes [Assignment: organization-defined frequency], unannounced attempts to bypass or circumvent security controls associated with physical access points to the facility.

mapping to FIPS199 baseline:

LOW: base     MOD: base     HIGH: base (1)

related (regimented) controls:

CA-02   Security Assessments

documents referenced in SP800-53rev3 for PE-03:

Document              Date              Status    Title
NIST SP800-12         October, 1995     current   An Introduction to Computer Security: The NIST Handbook
NIST SP800-24         August, 2000      current   PBX Vulnerability Analysis: Finding Holes in Your PBX Before Someone Else Does
NIST SP800-66         October, 2008     current   An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule
NIST SP800-73-part2   February, 2010    current   Interfaces for Personal Identity Verification
NIST SP800-76         September, 2006   DRAFT     Biometric Data Specification for Personal Identity Verification
NIST SP800-78         December, 2010    current   Cryptographic Algorithms and Key Sizes for Personal Identity Verification
NIST SP800-82         June, 2011        current   Guide to Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems Security
NIST SP800-96         September, 2006   current   PIV Card to Reader Interoperability Guidelines
NIST SP800-98         September, 2006   DRAFT     Guidelines for Securing Radio Frequency Identification (RFID) Systems