
PE-3 Physical Access Control

Applicable DoD impact levels: IL4 Mod, IL4 High, IL5, IL6

>Control Description

a. Enforce physical access authorizations at [Assignment: organization-defined entry and exit points] to the facility where the system resides by:
   1. Verifying individual access authorizations before granting access to the facility; and
   2. Controlling ingress and egress to the facility using [Selection (one or more): organization-defined physical access control systems or devices; guards];
b. Maintain physical access audit logs for [Assignment: organization-defined entry or exit points];
c. Control access to areas within the facility designated as publicly accessible by implementing the following controls: [Assignment: organization-defined physical access controls];
d. Escort visitors and control visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and control of visitor activity];
e. Secure keys, combinations, and other physical access devices;
f. Inventory [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and
g. Change combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or when individuals possessing the keys or combinations are transferred or terminated.

>DoD Impact Level Requirements

FedRAMP Parameter Values

  • PE-3 (a)(2): [CSP-defined physical access control systems/devices AND guards]
  • PE-3 (d): [in all circumstances within restricted access area where the information system resides]
  • PE-3 (f)-2: [at least annually]
  • PE-3 (g): [at least annually or earlier as required by a security-relevant event]

>Discussion

Physical access control applies to employees and visitors. Individuals with permanent physical access authorizations are not considered visitors. Physical access controls for publicly accessible areas may include physical access control logs/records, guards, or physical access devices and barriers to prevent movement from publicly accessible areas to non-public areas.

Organizations determine the types of guards needed, including professional security staff, system users, or administrative staff. Physical access devices include keys, locks, combinations, biometric readers, and card readers. Physical access control systems comply with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines.

Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural, automated, or some combination thereof. Physical access points can include facility access points, interior access points to systems that require supplemental access controls, or both.

Components of systems may be in areas designated as publicly accessible with organizations controlling access to the components.

>Related Controls

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What policies govern physical access control to the facility and different security zones within it?
  • How are entry and exit points defined, classified, and managed for different security levels?
  • What is the process for granting exceptions to physical access controls, and who approves them?
  • How does the organization coordinate physical access policies with human resources for personnel changes?
  • What governance exists for managing and auditing physical access control effectiveness?

Technical Implementation:

  • What types of physical access control devices are deployed (e.g., card readers, biometrics, turnstiles)?
  • How are access control points configured to enforce entry and exit requirements?
  • What technical controls prevent tailgating or piggybacking at access points?
  • How are access control systems integrated with alarm and monitoring systems?
  • What redundancy mechanisms exist for access control system failures?

Evidence & Documentation:

  • Provide a facility diagram showing all entry and exit points and security zones.
  • Provide access control device inventory and configuration documentation.
  • Provide physical access logs for the past 90 days showing entry/exit at controlled points.
  • Provide evidence of access control system testing and maintenance.
  • Provide documentation of access violations and responses over the past 6 months.
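The audit-log requirement in PE-3(b), the key/combination change trigger in PE-3(g), and the interview questions above about HR coordination and tailgating all come down to the same review task: replaying the physical access control system's export against the authorization roster and personnel status. The following script is an added example and is not part of the control text, the FedRAMP parameters, or any vendor's product; the CSV layout, door names, badge numbers and roster are constructed for illustration and will differ from a real PACS export.

```python
"""Review a badge-reader export against access authorizations (PE-3a),
personnel status (PE-3g) and the entry/exit sequence a single badge
holder should produce (PE-3b). Added example; log format and data are
constructed, not taken from any real PACS."""
import csv
from collections import Counter
from dataclasses import dataclass
from datetime import date, datetime
from io import StringIO

# Constructed reader export: one row per badge presentation, in time order.
BADGE_LOG = """\
timestamp,badge,door,direction,result
2024-03-04T07:58:10,B1001,LOBBY-1,entry,granted
2024-03-04T08:02:41,B1001,DC-HALL-A,entry,granted
2024-03-04T08:03:05,B2002,DC-HALL-A,entry,granted
2024-03-04T12:15:33,B1001,DC-HALL-A,exit,granted
2024-03-04T13:40:19,B1001,LOBBY-1,entry,granted
2024-03-04T18:05:47,B3003,LOBBY-1,entry,granted
2024-03-04T18:06:30,B3003,DC-HALL-A,entry,denied
"""

# Constructed roster: badge -> (holder, authorized doors, separation date or None).
# In practice this comes from the HR feed the assessor asks about.
ROSTER = {
    "B1001": ("A. Ortiz", {"LOBBY-1", "DC-HALL-A"}, None),
    "B2002": ("J. Lee", {"LOBBY-1"}, None),                  # no data-hall authorization
    "B3003": ("M. Chen", {"LOBBY-1", "DC-HALL-A"}, "2024-02-29"),  # separated
}


@dataclass(frozen=True)
class Finding:
    kind: str        # which PE-3 expectation the event contradicts
    badge: str
    door: str
    timestamp: str


def review_badge_log(log_text: str, roster: dict) -> list[Finding]:
    """Replay granted events in order and return those that contradict the
    roster or the expected entry/exit pairing for a badge at a door."""
    findings: list[Finding] = []
    inside: set[tuple[str, str]] = set()  # (badge, door) pairs currently badged in
    for row in csv.DictReader(StringIO(log_text)):
        if row["result"] != "granted":
            continue  # a denial is the control working; review denials separately
        badge, door, ts = row["badge"], row["door"], row["timestamp"]
        key = (badge, door)
        if badge not in roster:
            findings.append(Finding("unknown_badge", badge, door, ts))
            continue
        _holder, authorized_doors, separated_on = roster[badge]
        # PE-3(a)(1): the PACS granted a door the roster does not authorize.
        if door not in authorized_doors:
            findings.append(Finding("unauthorized_door", badge, door, ts))
        # PE-3(g) / HR coordination: credential still works after separation.
        if separated_on and datetime.fromisoformat(ts).date() >= date.fromisoformat(separated_on):
            findings.append(Finding("separated_badge_active", badge, door, ts))
        # PE-3(b) anti-passback: an entry while already inside means the holder
        # left without badging out (tailgated out or bypassed the exit reader),
        # or the badge is being shared.
        if row["direction"] == "entry":
            if key in inside:
                findings.append(Finding("entry_without_exit", badge, door, ts))
            inside.add(key)
        elif row["direction"] == "exit":
            if key not in inside:
                findings.append(Finding("exit_without_entry", badge, door, ts))
            inside.discard(key)
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings by kind, for the periodic review report."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    for f in review_badge_log(BADGE_LOG, ROSTER):
        print(f"{f.timestamp}  {f.kind:24s} badge={f.badge} door={f.door}")
    print(summarize(review_badge_log(BADGE_LOG, ROSTER)))
```

Run over the constructed data, the review flags B2002 entering the data hall it is not authorized for, B1001 re-entering the lobby without ever having badged out of it, and B3003's badge still opening the lobby four days after separation; the denied data-hall attempt by B3003 is left out of the findings because a denial is the expected outcome. Separating the roster lookup from the sequence check matters: the first two findings are authorization and offboarding failures the HR feed should have prevented, while the third is a reader-placement or behaviour problem that only the log can reveal.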
