PE-3: PHYSICAL ACCESS CONTROL

FedRAMP Baseline Membership PE-3: LOW, MODERATE, HIGH

The organization:

  • a. Enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system resides] by:
    1. Verifying individual access authorizations before granting access to the facility; and
    2. Controlling ingress/egress to the facility using [Selection (one or more): [Assignment: organization-defined physical access control systems/devices]; guards];
  • b. Maintains physical access audit logs for [Assignment: organization-defined entry/exit points];
  • c. Provides [Assignment: organization-defined security safeguards] to control access to areas within the facility officially designated as publicly accessible;
  • d. Escorts visitors and monitors visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and monitoring];
  • e. Secures keys, combinations, and other physical access devices;
  • f. Inventories [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and
  • g. Changes combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated.
FEDRAMP CONTROL CONFIGURATION

The FedRAMP-specified parameter values below are the same for the LOW, MODERATE, and HIGH baselines.

The organization:

  • a. Enforces physical access authorizations at organization-defined entry/exit points to the facility where the information system resides by:
    1. Verifying individual access authorizations before granting access to the facility; and
    2. Controlling ingress/egress to the facility using CSP-defined physical access control systems/devices AND guards;
  • b. Maintains physical access audit logs for organization-defined entry/exit points;
  • c. Provides organization-defined security safeguards to control access to areas within the facility officially designated as publicly accessible;
  • d. Escorts visitors and monitors visitor activity in all circumstances within the restricted access areas where the information system resides;
  • e. Secures keys, combinations, and other physical access devices;
  • f. Inventories organization-defined physical access devices at least annually; and
  • g. Changes combinations and keys at least annually and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated.

SUPPLEMENTAL GUIDANCE

This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Organizations determine the types of facility guards needed including, for example, professional physical security staff or other personnel such as administrative staff or information system users. Physical access devices include, for example, keys, locks, combinations, and card readers. Safeguards for publicly accessible areas within organizational facilities include, for example, cameras, monitoring by guards, and isolating selected information systems and/or system components in secured areas. Physical access control systems comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. The Federal Identity, Credential, and Access Management Program provides implementation guidance for identity, credential, and access management capabilities for physical access control systems. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural (e.g., a written log of individuals accessing the facility and when such access occurred), automated (e.g., capturing ID provided by a PIV card), or some combination thereof. Physical access points can include facility access points, interior access points to information systems and/or components requiring supplemental access controls, or both. Components of organizational information systems (e.g., workstations, terminals) may be located in areas designated as publicly accessible with organizations safeguarding access to such devices.

CONTROL ENHANCEMENTS

PE-3 (1) PHYSICAL ACCESS CONTROL | INFORMATION SYSTEM ACCESS
FedRAMP Baseline Membership PE-3 (1): HIGH

The organization enforces physical access authorizations to the information system in addition to the physical access controls for the facility at [Assignment: organization-defined physical spaces containing one or more components of the information system].

There are no FedRAMP-specific requirements for this control enhancement at the LOW, MODERATE, or HIGH Impact baseline.

Supplemental Guidance:

This control enhancement provides additional physical security for those areas within facilities where there is a concentration of information system components (e.g., server rooms, media storage areas, data and communications centers).

RELATED CONTROLS: PE-3 (1)

PE-3 (2) PHYSICAL ACCESS CONTROL | FACILITY/INFORMATION SYSTEM BOUNDARIES

The organization performs security checks [Assignment: organization-defined frequency] at the physical boundary of the facility or information system for unauthorized exfiltration of information or removal of information system components.

Supplemental Guidance:

Organizations determine the extent, frequency, and/or randomness of security checks to adequately mitigate risk associated with exfiltration.

RELATED CONTROLS: PE-3 (2)

PE-3 (3) PHYSICAL ACCESS CONTROL | CONTINUOUS GUARDS / ALARMS / MONITORING

The organization employs guards and/or alarms to monitor every physical access point to the facility where the information system resides 24 hours per day, 7 days per week.

Supplemental Guidance: NONE

RELATED CONTROLS: PE-3 (3)

PE-3 (4) PHYSICAL ACCESS CONTROL | LOCKABLE CASINGS

The organization uses lockable physical casings to protect [Assignment: organization-defined information system components] from unauthorized physical access.

Supplemental Guidance: NONE

PE-3 (5) PHYSICAL ACCESS CONTROL | TAMPER PROTECTION

The organization employs [Assignment: organization-defined security safeguards] to [Selection (one or more): detect; prevent] physical tampering or alteration of [Assignment: organization-defined hardware components] within the information system.

Supplemental Guidance:

Organizations may implement tamper detection/prevention at selected hardware components or tamper detection at some components and tamper prevention at other components. Tamper detection/prevention activities can employ many types of anti-tamper technologies including, for example, tamper-detection seals and anti-tamper coatings. Anti-tamper programs help to detect hardware alterations through counterfeiting and other supply chain-related risks.

RELATED CONTROLS: PE-3 (5)

PE-3 (6) PHYSICAL ACCESS CONTROL | FACILITY PENETRATION TESTING

The organization employs a penetration testing process that includes [Assignment: organization-defined frequency], unannounced attempts to bypass or circumvent security controls associated with physical access points to the facility.

Supplemental Guidance: NONE

RELATED CONTROLS: PE-3 (6)

REFERENCES:

  • DoD Instruction 5200.39
  • FIPS Publication 201
  • ICD 704
  • ICD 705
  • NIST Special Publication 800-116
  • NIST Special Publication 800-73
  • NIST Special Publication 800-76
  • NIST Special Publication 800-78
  • Personal Identity Verification (PIV) in Enterprise Physical Access Control System (E-PACS)
  • http://fips201ep.cio.gov (Link no longer active)
  • http://idmanagement.gov

© 2017-2019 Wayfinder Digital, LLC. All Rights Reserved