>myctrl.tools
Preferences
Under active development Content is continuously updated and improved
Compare

PE-2Physical Access Authorizations

LI-SaaS
Low
Moderate
High

>Control Description

a

Develop, approve, and maintain a list of individuals with authorized access to the facility where the system resides;

b

Issue authorization credentials for facility access;

c

Review the access list detailing authorized facility access by individuals organization-defined frequency; and

d

Remove individuals from the facility access list when access is no longer required.

>FedRAMP Baseline Requirements

Parameter Values

c
at least every ninety (90) days

>Discussion

Physical access authorizations apply to employees and visitors. Individuals with permanent physical access authorization credentials are not considered visitors. Authorization credentials include ID badges, identification cards, and smart cards.

Organizations determine the strength of authorization credentials needed consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Physical access authorizations may not be necessary to access certain areas within facilities that are designated as publicly accessible.

>Cross-Framework Mappings

SCF

PES-02
Compare

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What is the documented process for authorizing physical access to the facility and specific areas within it?
  • How are physical access authorizations reviewed and approved, and what criteria are used for different security zones?
  • What is the frequency for reviewing and updating physical access lists, and who is responsible for this process?
  • How does the organization handle visitor access requests, including advance approval and escort requirements?
  • What process exists for revoking physical access when personnel transfer, terminate, or no longer require access to specific areas?

Technical Implementation:

  • What technical systems manage and enforce physical access authorizations?
  • How are access authorization lists integrated with physical access control systems?
  • What mechanisms prevent unauthorized modifications to access authorization records?
  • How do technical systems handle time-based or conditional access authorizations?
  • What controls ensure access authorization systems remain available during system failures?

Evidence & Documentation:

  • Provide the current list of personnel authorized for physical access to different facility areas.
  • Provide documentation of the authorization and approval process for physical access.
  • Provide evidence of physical access list reviews within the required frequency.
  • Provide visitor authorization forms and approval records for the past 3 months.
  • Provide documentation of access revocation when personnel transfer or terminate.

Ask AI

Configure your API key to use AI features.