Physical and environmental protection

PE-1 Physical And Environmental Protection Policy And Procedures

Description

The organization:

  1. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
    1. A physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
    2. Procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls; and
  2. Reviews and updates the current:
    1. Physical and environmental protection policy [Assignment: organization-defined frequency]; and
    2. Physical and environmental protection procedures [Assignment: organization-defined frequency].

Control Information

Responsible role(s) - Organization

PE-2 Physical Access Authorizations

Description

The organization:

  1. Develops, approves, and maintains a list of individuals with authorized access to the facility where the information system resides;
  2. Issues authorization credentials for facility access;
  3. Reviews the access list detailing authorized facility access by individuals [Assignment: organization-defined frequency]; and
  4. Removes individuals from the facility access list when access is no longer required.

Control Information

Responsible role(s) - Organization

PE-2 (1) Access By Position / Role

Description

The organization authorizes physical access to the facility where the information system resides based on position or role.

Control Information

Responsible role(s) - Organization

PE-2 (2) Two Forms Of Identification

Description

The organization requires two forms of identification from [Assignment: organization-defined list of acceptable forms of identification] for visitor access to the facility where the information system resides.

Control Information

Responsible role(s) - Organization

PE-2 (3) Restrict Unescorted Access

Description

The organization restricts unescorted access to the facility where the information system resides to personnel with [Selection (one or more): security clearances for all information contained within the system; formal access authorizations for all information contained within the system; need for access to all information contained within the system; [Assignment: organization-defined credentials]].

Control Information

Responsible role(s) - Organization

PE-3 Physical Access Control

Description

The organization:

  1. Enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system resides] by:
    1. Verifying individual access authorizations before granting access to the facility; and
    2. Controlling ingress/egress to the facility using [Selection (one or more): [Assignment: organization-defined physical access control systems/devices]; guards];
  2. Maintains physical access audit logs for [Assignment: organization-defined entry/exit points];
  3. Provides [Assignment: organization-defined security safeguards] to control access to areas within the facility officially designated as publicly accessible;
  4. Escorts visitors and monitors visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and monitoring];
  5. Secures keys, combinations, and other physical access devices;
  6. Inventories [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and
  7. Changes combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated.

Control Information

Responsible role(s) - Organization

PE-3 (1) Information System Access

Description

The organization enforces physical access authorizations to the information system in addition to the physical access controls for the facility at [Assignment: organization-defined physical spaces containing one or more components of the information system].

Control Information

Responsible role(s) - Organization

PE-3 (2) Facility / Information System Boundaries

Description

The organization performs security checks [Assignment: organization-defined frequency] at the physical boundary of the facility or information system for unauthorized exfiltration of information or removal of information system components.

Control Information

Responsible role(s) - Organization

PE-3 (3) Continuous Guards / Alarms / Monitoring

Description

The organization employs guards and/or alarms to monitor every physical access point to the facility where the information system resides 24 hours per day, 7 days per week.

Control Information

Responsible role(s) - Organization

PE-3 (4) Lockable Casings

Description

The organization uses lockable physical casings to protect [Assignment: organization-defined information system components] from unauthorized physical access.

Control Information

Responsible role(s) - Organization

PE-3 (5) Tamper Protection

Description

The organization employs [Assignment: organization-defined security safeguards] to [Selection (one or more): detect; prevent] physical tampering or alteration of [Assignment: organization-defined hardware components] within the information system.

Control Information

Responsible role(s) - Organization

PE-3 (6) Facility Penetration Testing

Description

The organization employs a penetration testing process that includes [Assignment: organization-defined frequency], unannounced attempts to bypass or circumvent security controls associated with physical access points to the facility.

Control Information

Responsible role(s) - Organization

PE-4 Access Control For Transmission Medium

Description

The organization controls physical access to [Assignment: organization-defined information system distribution and transmission lines] within organizational facilities using [Assignment: organization-defined security safeguards].

Control Information

Responsible role(s) - Organization

PE-5 Access Control For Output Devices

Description

The organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output.

Control Information

Responsible role(s) - Organization

PE-5 (1) Access To Output By Authorized Individuals

Description

The organization:

  1. Controls physical access to output from [Assignment: organization-defined output devices]; and
  2. Ensures that only authorized individuals receive output from the device.

Control Information

Responsible role(s) - Organization

PE-5 (2) Access To Output By Individual Identity

Description

The information system:

  1. Controls physical access to output from [Assignment: organization-defined output devices]; and
  2. Links individual identity to receipt of the output from the device.

Control Information

Responsible role(s) - Organization

PE-5 (3) Marking Output Devices

Description

The organization marks [Assignment: organization-defined information system output devices] indicating the appropriate security marking of the information permitted to be output from the device.

Control Information

Responsible role(s) - Organization

PE-6 Monitoring Physical Access

Description

The organization:

  1. Monitors physical access to the facility where the information system resides to detect and respond to physical security incidents;
  2. Reviews physical access logs [Assignment: organization-defined frequency] and upon occurrence of [Assignment: organization-defined events or potential indications of events]; and
  3. Coordinates results of reviews and investigations with the organizational incident response capability.

Control Information

Responsible role(s) - Organization

PE-6 (1) Intrusion Alarms / Surveillance Equipment

Description

The organization monitors physical intrusion alarms and surveillance equipment.

Control Information

Responsible role(s) - Organization

PE-6 (2) Automated Intrusion Recognition / Responses

Description

The organization employs automated mechanisms to recognize [Assignment: organization-defined classes/types of intrusions] and initiate [Assignment: organization-defined response actions].

Control Information

Responsible role(s) - Organization

PE-6 (3) Video Surveillance

Description

The organization employs video surveillance of [Assignment: organization-defined operational areas] and retains video recordings for [Assignment: organization-defined time period].

Control Information

Responsible role(s) - Organization

PE-6 (4) Monitoring Physical Access To Information Systems

Description

The organization monitors physical access to the information system in addition to the physical access monitoring of the facility as [Assignment: organization-defined physical spaces containing one or more components of the information system].

Control Information

Responsible role(s) - Organization

PE-8 Visitor Access Records

Description

The organization:

  1. Maintains visitor access records to the facility where the information system resides for [Assignment: organization-defined time period]; and
  2. Reviews visitor access records [Assignment: organization-defined frequency].

Control Information

Responsible role(s) - Organization

PE-8 (1) Automated Records Maintenance / Review

Description

The organization employs automated mechanisms to facilitate the maintenance and review of visitor access records.

Control Information

Responsible role(s) - Organization

PE-9 Power Equipment And Cabling

Description

The organization protects power equipment and power cabling for the information system from damage and destruction.

Control Information

Responsible role(s) - Organization

PE-9 (1) Redundant Cabling

Description

The organization employs redundant power cabling paths that are physically separated by [Assignment: organization-defined distance].

Control Information

Responsible role(s) - Organization

PE-9 (2) Automatic Voltage Controls

Description

The organization employs automatic voltage controls for [Assignment: organization-defined critical information system components].

Control Information

Responsible role(s) - Organization

PE-10 Emergency Shutoff

Description

The organization:

  1. Provides the capability of shutting off power to the information system or individual system components in emergency situations;
  2. Places emergency shutoff switches or devices in [Assignment: organization-defined location by information system or system component] to facilitate safe and easy access for personnel; and
  3. Protects emergency power shutoff capability from unauthorized activation.

Control Information

Responsible role(s) - Organization

PE-11 Emergency Power

Description

The organization provides a short-term uninterruptible power supply to facilitate [Selection (one or more): an orderly shutdown of the information system; transition of the information system to long-term alternate power] in the event of a primary power source loss.

Control Information

Responsible role(s) - Organization

PE-11 (1) Long-Term Alternate Power Supply - Minimal Operational Capability

Description

The organization provides a long-term alternate power supply for the information system that is capable of maintaining minimally required operational capability in the event of an extended loss of the primary power source.

Control Information

Responsible role(s) - Organization

PE-11 (2) Long-Term Alternate Power Supply - Self-Contained

Description

The organization provides a long-term alternate power supply for the information system that is:

  1. Self-contained;
  2. Not reliant on external power generation; and
  3. Capable of maintaining [Selection: minimally required operational capability; full operational capability] in the event of an extended loss of the primary power source.

Control Information

Responsible role(s) - Organization

PE-12 Emergency Lighting

Description

The organization employs and maintains automatic emergency lighting for the information system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility.

Control Information

Responsible role(s) - Organization

PE-12 (1) Essential Missions / Business Functions

Description

The organization provides emergency lighting for all areas within the facility supporting essential missions and business functions.

Control Information

Responsible role(s) - Organization

PE-13 Fire Protection

Description

The organization employs and maintains fire suppression and detection devices/systems for the information system that are supported by an independent energy source.

Control Information

Responsible role(s) - Organization

PE-13 (1) Detection Devices / Systems

Description

The organization employs fire detection devices/systems for the information system that activate automatically and notify [Assignment: organization-defined personnel or roles] and [Assignment: organization-defined emergency responders] in the event of a fire.

Control Information

Responsible role(s) - Organization

PE-13 (2) Suppression Devices / Systems

Description

The organization employs fire suppression devices/systems for the information system that provide automatic notification of any activation to [Assignment: organization-defined personnel or roles] and [Assignment: organization-defined emergency responders].

Control Information

Responsible role(s) - Organization

PE-13 (3) Automatic Fire Suppression

Description

The organization employs an automatic fire suppression capability for the information system when the facility is not staffed on a continuous basis.

Control Information

Responsible role(s) - Organization

PE-13 (4) Inspections

Description

The organization ensures that the facility undergoes [Assignment: organization-defined frequency] inspections by authorized and qualified inspectors and resolves identified deficiencies within [Assignment: organization-defined time period].

Control Information

Responsible role(s) - Organization

PE-14 Temperature And Humidity Controls

Description

The organization:

  1. Maintains temperature and humidity levels within the facility where the information system resides at [Assignment: organization-defined acceptable levels]; and
  2. Monitors temperature and humidity levels [Assignment: organization-defined frequency].

Control Information

Responsible role(s) - Organization

PE-14 (1) Automatic Controls

Description

The organization employs automatic temperature and humidity controls in the facility to prevent fluctuations potentially harmful to the information system.

Control Information

Responsible role(s) - Organization

PE-14 (2) Monitoring With Alarms / Notifications

Description

The organization employs temperature and humidity monitoring that provides an alarm or notification of changes potentially harmful to personnel or equipment.

Control Information

Responsible role(s) - Organization

PE-15 Water Damage Protection

Description

The organization protects the information system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel.

Control Information

Responsible role(s) - Organization

PE-15 (1) Automation Support

Description

The organization employs automated mechanisms to detect the presence of water in the vicinity of the information system and alerts [Assignment: organization-defined personnel or roles].

Control Information

Responsible role(s) - Organization

PE-16 Delivery And Removal

Description

The organization authorizes, monitors, and controls [Assignment: organization-defined types of information system components] entering and exiting the facility and maintains records of those items.

Control Information

Responsible role(s) - Organization

PE-17 Alternate Work Site

Description

The organization:

  1. Employs [Assignment: organization-defined security controls] at alternate work sites;
  2. Assesses, as feasible, the effectiveness of security controls at alternate work sites; and
  3. Provides a means for employees to communicate with information security personnel in case of security incidents or problems.

Control Information

Responsible role(s) - Organization

PE-18 Location Of Information System Components

Description

The organization positions information system components within the facility to minimize potential damage from [Assignment: organization-defined physical and environmental hazards] and to minimize the opportunity for unauthorized access.

Control Information

Responsible role(s) - Organization

PE-18 (1) Facility Site

Description

The organization plans the location or site of the facility where the information system resides with regard to physical and environmental hazards and, for existing facilities, considers the physical and environmental hazards in its risk mitigation strategy.

Control Information

Responsible role(s) - Organization

PE-19 Information Leakage

Description

The organization protects the information system from information leakage due to electromagnetic signal emanations.

Control Information

Responsible role(s) - Organization

PE-19 (1) National Emissions / Tempest Policies And Procedures

Description

The organization ensures that information system components, associated data communications, and networks are protected in accordance with national emissions and TEMPEST policies and procedures based on the security category or classification of the information.

Control Information

Responsible role(s) - Organization

PE-20 Asset Monitoring And Tracking

Description

The organization:

  1. Employs [Assignment: organization-defined asset location technologies] to track and monitor the location and movement of [Assignment: organization-defined assets] within [Assignment: organization-defined controlled areas]; and
  2. Ensures that asset location technologies are employed in accordance with applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance.

Control Information

Responsible role(s) - Organization