ARTIFACTS
PE: PHYSICAL & ENVIRONMENTAL PROTECTION
What's On This Page
Each control family has a page dedicated to presenting all of the artifacts associated with the controls and control enhancements in that family. This is a consolidated view of the artifacts organized in a way to make the information usable. From here you can navigate to the individual control pages where the artifacts associated with each control or control enhancement are displayed with the control. You can use the Links Panels to select the individual controls or control enhancements you want to work with.
Supplement the artifacts here with other relevant documents and records dictated by your risk-based cybersecurity program and your information supply chain requirements.
The Source of the Artifacts
The control information comes from NIST Special Publication 800-53R4, Security and Privacy Controls for Information Systems and Organizations, and NIST Special Publication 800-53AR4, Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans. We've normalized the artifact names and annotated them with information useful in understanding these artifacts in the context of your digital enterprise, information supply chain, and security architecture.
Essential Artifacts for Risk-Based Cybersecurity Programs
This section includes core documents for risk-based cybersecurity; the POLICY & PROCEDURES document for Physical & Environmental Protection; and documents that are widely used in the assessment of controls and control enhancements in the Physical & Environmental Protection family. Policy and Procedure documents from control families are in CAPS and identified with their two-letter code.
CORE ARTIFACTS |
WIDELY USED ARTIFACTS FOR PHYSICAL & ENVIRONMENTAL PROTECTION (PE) |
PHYSICAL & ENVIRONMENTAL PROTECTION POLICY & PROCEDURES (PE) |
Physical & Environmental Protection policy |
Information system design documentation |
Information system configuration settings and associated documentation |
Information system audit records |
Security Authorization Package Documents: |
ESSENTIALS |
ACCESS CONTROL POLICY & PROCEDURES (AC) |
Asset Inventory |
AUDIT & ACCOUNTABILITY POLICY & PROCEDURES (AU) |
Configuration Management Plan |
CONFIGURATION MANAGEMENT POLICY & PROCEDURES (CM) |
Contingency Plan |
CONTINGENCY PLANNING POLICY & PROCEDURES (CP) |
Continuous Monitoring Strategy |
Continuous Monitoring Plan |
Enterprise Architecture (EA) |
IDENTIFICATION & AUTHENTICATION POLICY & PROCEDURES (IA) |
INCIDENT RESPONSE POLICY & PROCEDURES (IR) |
INFORMATION SECURITY PROGRAM PLAN (PM) |
MEDIA PROTECTION POLICY & PROCEDURES (MP) |
PERSONNEL SECURITY POLICY & PROCEDURES (PS) |
PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY & PROCEDURES (PE) |
Privacy Impact Assessment |
Privacy Program Plan |
Risk Assessment |
RISK ASSESSMENT POLICY & PROCEDURES (RA) |
SECURITY ASSESSMENT & AUTHORIZATION POLICY & PROCEDURES (CA) |
SECURITY AWARENESS AND TRAINING POLICY & PROCEDURES (AT) |
Security Configurations |
SECURITY PLANNING POLICY & PROCEDURES (PL) |
SYSTEM AND COMMUNICATIONS PROTECTION POLICY & PROCEDURES (SC) |
SYSTEM AND INFORMATION INTEGRITY POLICY & PROCEDURES (SI) |
SYSTEM AND SERVICES ACQUISITION POLICY & PROCEDURES (SA) |
System Interconnection Agreements |
SYSTEM MAINTENANCE POLICY & PROCEDURES (MA) |
Policy & Procedures
Here you'll find a catalog of Physical & Environmental Protection (PE) related policies and procedures for managing access to your digital enterprise and information supply chain. Select those that enable your risk-based cybersecurity program.
POLICIES & PROCEDURES | APPLICABLE CONTROL(S) |
Physical and environmental protection POLICY & PROCEDURES | PE-1 |
Procedures addressing access control for display medium | PE-5 |
Procedures addressing access control for transmission medium | PE-4 |
Procedures addressing alternate work sites for organizational personnel | PE-17 |
Procedures addressing asset monitoring and tracking | PE-20 |
Procedures addressing delivery and removal of information system components from the facility | PE-16 |
Procedures addressing emergency lighting | PE-12 PE-12 (1) |
Procedures addressing emergency power | PE-11 PE-11 (1) PE-11 (2) |
Procedures addressing fire protection | PE-13 PE-13 (1) PE-13 (2) PE-13 (3) PE-13 (4) |
Procedures addressing information leakage due to electromagnetic signals emanations | PE-19 |
Procedures addressing information leakage that comply with national emissions and TEMPEST policies and procedures | PE-19 (1) |
Procedures addressing penetration testing | PE-3 (6) |
Procedures addressing physical access authorizations | PE-2 PE-2 (1) PE-2 (2) PE-2 (3) |
Procedures addressing physical access control | PE-3 PE-3 (1) PE-3 (2) PE-3 (3) PE-6 (4) PE-3 (5) PE-3 (6) |
Procedures addressing physical access control | PE-5 (1) PE-5 (2) PE-5 (3) |
Procedures addressing physical access monitoring | PE-6 PE-6 (1) PE-6 (2) PE-6 (3) PE-6 (4) |
Procedures addressing positioning of information system components | PE-18 |
Procedures addressing power equipment/cabling protection | PE-9 PE-9 (1) |
Procedures addressing power source emergency shutoff | PE-10 |
Procedures addressing temperature and humidity control | PE-14 PE-14 (1) PE-14 (2) |
Procedures addressing visitor access records | PE-8 PE-8 (1) |
Procedures addressing voltage control | PE-9 (2) |
Procedures addressing water damage protection | PE-15 PE-15 (1) |
Evidence, Records & Artifacts
Here you'll find a catalog of Physical & Environmental Protection (PE) related policies and procedures for managing access to your digital enterprise and information supply chain. Select those that enable your risk-based cybersecurity program.
ARTIFACT | APPLICABLE CONTROL(S) |
Physical and environmental protection POLICY & PROCEDURES | PE-1 |
Procedures addressing access control for display medium | PE-5 |
Procedures addressing access control for transmission medium | PE-4 |
Procedures addressing alternate work sites for organizational personnel | PE-17 |
Procedures addressing asset monitoring and tracking | PE-20 |
Procedures addressing delivery and removal of information system components from the facility | PE-16 |
Procedures addressing emergency lighting | PE-12 PE-12 (1) |
Procedures addressing emergency power | PE-11 PE-11 (1) PE-11 (2) |
Procedures addressing fire protection | PE-13 PE-13 (1) PE-13 (2) PE-13 (3) PE-13 (4) |
Procedures addressing information leakage due to electromagnetic signals emanations | PE-19 |
Procedures addressing information leakage that comply with national emissions and TEMPEST policies and procedures | PE-19 (1) |
Procedures addressing penetration testing | PE-3 (6) |
Procedures addressing physical access authorizations | PE-2 PE-2 (1) PE-2 (2) PE-2 (3) |
Procedures addressing physical access control | PE-3 PE-3 (1) PE-3 (2) PE-3 (3) PE-6 (4) PE-3 (5) PE-3 (6) |
Procedures addressing physical access control | PE-5 (1) PE-5 (2) PE-5 (3) |
Procedures addressing physical access monitoring | PE-6 PE-6 (1) PE-6 (2) PE-6 (3) PE-6 (4) |
Procedures addressing positioning of information system components | PE-18 |
Procedures addressing power equipment/cabling protection | PE-9 PE-9 (1) |
Procedures addressing power source emergency shutoff | PE-10 |
Procedures addressing temperature and humidity control | PE-14 PE-14 (1) PE-14 (2) |
Procedures addressing visitor access records | PE-8 PE-8 (1) |
Procedures addressing voltage control | PE-9 (2) |
Procedures addressing water damage protection | PE-15 PE-15 (1) |
Physical & Environmental Protection Related Lists
These are the Physical & Environmental Protection (PE) related lists you may need to support your security program. For the lists applicable to your systems and information supply chain, you should know the source of the list and the data it contains; how the lists are generated, where they are stored, and how they are maintained; and how to get them when you have an incident, an incident investigation or an audit.
LIST | APPLICABLE CONTROL(S) |
Authorized personnel access list | PE-2 PE-2 (3) |
List of acceptable forms of identification for visitor access to the facility where information system resides | PE-2 (2) |
List of areas within the facility containing concentrations of information system components or information system components requiring additional physical access monitoring | PE-6 (4) |
List of areas within the facility containing concentrations of information system components or information system components requiring additional physical protection | PE-3 (1) |
List of critical information system components requiring automatic voltage controls | PE-9 (2) |
List of information system components requiring protection through lockable physical casings | PE-3 (4) |
List of key personnel with knowledge of location and activation procedures for master shutoff valves for the plumbing system | PE-15 |
List of organizational assets requiring tracking and monitoring | PE-20 |
List of output devices and associated outputs requiring physical access controls | PE-5 (1) |
List of output devices and associated outputs requiring physical access controls | PE-5 (2) |
List of physical and environmental hazards with potential to damage information system components within the facility | PE-18 |
List of physical security safeguards applied to information system distribution and transmission lines | PE-4 |
List of positions/roles and corresponding physical access authorizations | PE-2 (1) |
List of response actions to be initiated when specific classes/types of intrusions are recognized | PE-6 (2) |
List of security controls required for alternate work sites | PE-17 |
List of security safeguards controlling access to designated publicly accessible areas within facility | PE-3 |
List of security safeguards to detect/prevent physical tampering or alteration of information system hardware components | PE-3 (5) |