Physical and environmental protection
PE-1 Physical And Environmental Protection Policy And Procedures
Description
The organization:
- Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
  - A physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
  - Procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls; and
- Reviews and updates the current:
  - Physical and environmental protection policy [Assignment: organization-defined frequency]; and
  - Physical and environmental protection procedures [Assignment: organization-defined frequency].
Control Information
Responsible role(s) - Organization
PE-2 Physical Access Authorizations
Description
The organization:
- Develops, approves, and maintains a list of individuals with authorized access to the facility where the information system resides;
- Issues authorization credentials for facility access;
- Reviews the access list detailing authorized facility access by individuals [Assignment: organization-defined frequency]; and
- Removes individuals from the facility access list when access is no longer required.
Control Information
Responsible role(s) - Organization
PE-2 (1) Access By Position / Role
Description
The organization authorizes physical access to the facility where the information system resides based on position or role.
Control Information
Responsible role(s) - Organization
PE-2 (2) Two Forms Of Identification
Description
The organization requires two forms of identification from [Assignment: organization-defined list of acceptable forms of identification] for visitor access to the facility where the information system resides.
Control Information
Responsible role(s) - Organization
PE-2 (3) Restrict Unescorted Access
Description
The organization restricts unescorted access to the facility where the information system resides to personnel with [Selection (one or more): security clearances for all information contained within the system; formal access authorizations for all information contained within the system; need for access to all information contained within the system; [Assignment: organization-defined credentials]].
Control Information
Responsible role(s) - Organization
PE-3 Physical Access Control
Description
The organization:
- Enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system resides] by:
  - Verifying individual access authorizations before granting access to the facility; and
  - Controlling ingress/egress to the facility using [Selection (one or more): [Assignment: organization-defined physical access control systems/devices]; guards];
- Maintains physical access audit logs for [Assignment: organization-defined entry/exit points];
- Provides [Assignment: organization-defined security safeguards] to control access to areas within the facility officially designated as publicly accessible;
- Escorts visitors and monitors visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and monitoring];
- Secures keys, combinations, and other physical access devices;
- Inventories [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and
- Changes combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated.
Control Information
Responsible role(s) - Organization
PE-3 (1) Information System Access
Description
The organization enforces physical access authorizations to the information system in addition to the physical access controls for the facility at [Assignment: organization-defined physical spaces containing one or more components of the information system].
Control Information
Responsible role(s) - Organization
PE-3 (2) Facility / Information System Boundaries
Description
The organization performs security checks [Assignment: organization-defined frequency] at the physical boundary of the facility or information system for unauthorized exfiltration of information or removal of information system components.
Control Information
Responsible role(s) - Organization
PE-3 (3) Continuous Guards / Alarms / Monitoring
Description
The organization employs guards and/or alarms to monitor every physical access point to the facility where the information system resides 24 hours per day, 7 days per week.
Control Information
Responsible role(s) - Organization
PE-3 (4) Lockable Casings
Description
The organization uses lockable physical casings to protect [Assignment: organization-defined information system components] from unauthorized physical access.
Control Information
Responsible role(s) - Organization
PE-3 (5) Tamper Protection
Description
The organization employs [Assignment: organization-defined security safeguards] to [Selection (one or more): detect; prevent] physical tampering or alteration of [Assignment: organization-defined hardware components] within the information system.
Control Information
Responsible role(s) - Organization
PE-3 (6) Facility Penetration Testing
Description
The organization employs a penetration testing process that includes [Assignment: organization-defined frequency], unannounced attempts to bypass or circumvent security controls associated with physical access points to the facility.
Control Information
Responsible role(s) - Organization
PE-4 Access Control For Transmission Medium
Description
The organization controls physical access to [Assignment: organization-defined information system distribution and transmission lines] within organizational facilities using [Assignment: organization-defined security safeguards].
Control Information
Responsible role(s) - Organization
PE-5 Access Control For Output Devices
Description
The organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output.
Control Information
Responsible role(s) - Organization
PE-5 (1) Access To Output By Authorized Individuals
Description
The organization:
- Controls physical access to output from [Assignment: organization-defined output devices]; and
- Ensures that only authorized individuals receive output from the device.
Control Information
Responsible role(s) - Organization
PE-5 (2) Access To Output By Individual Identity
Description
The information system:
- Controls physical access to output from [Assignment: organization-defined output devices]; and
- Links individual identity to receipt of the output from the device.
Control Information
Responsible role(s) - Organization
PE-5 (3) Marking Output Devices
Description
The organization marks [Assignment: organization-defined information system output devices] indicating the appropriate security marking of the information permitted to be output from the device.
Control Information
Responsible role(s) - Organization
PE-6 Monitoring Physical Access
Description
The organization:
- Monitors physical access to the facility where the information system resides to detect and respond to physical security incidents;
- Reviews physical access logs [Assignment: organization-defined frequency] and upon occurrence of [Assignment: organization-defined events or potential indications of events]; and
- Coordinates results of reviews and investigations with the organizational incident response capability.
Control Information
Responsible role(s) - Organization
PE-6 (1) Intrusion Alarms / Surveillance Equipment
Description
The organization monitors physical intrusion alarms and surveillance equipment.
Control Information
Responsible role(s) - Organization
PE-6 (2) Automated Intrusion Recognition / Responses
Description
The organization employs automated mechanisms to recognize [Assignment: organization-defined classes/types of intrusions] and initiate [Assignment: organization-defined response actions].
Control Information
Responsible role(s) - Organization
PE-6 (3) Video Surveillance
Description
The organization employs video surveillance of [Assignment: organization-defined operational areas] and retains video recordings for [Assignment: organization-defined time period].
Control Information
Responsible role(s) - Organization
PE-6 (4) Monitoring Physical Access To Information Systems
Description
The organization monitors physical access to the information system in addition to the physical access monitoring of the facility at [Assignment: organization-defined physical spaces containing one or more components of the information system].
Control Information
Responsible role(s) - Organization
PE-8 Visitor Access Records
Description
The organization:
- Maintains visitor access records to the facility where the information system resides for [Assignment: organization-defined time period]; and
- Reviews visitor access records [Assignment: organization-defined frequency].
Control Information
Responsible role(s) - Organization
PE-8 (1) Automated Records Maintenance / Review
Description
The organization employs automated mechanisms to facilitate the maintenance and review of visitor access records.
Control Information
Responsible role(s) - Organization
PE-9 Power Equipment And Cabling
Description
The organization protects power equipment and power cabling for the information system from damage and destruction.
Control Information
Responsible role(s) - Organization
PE-9 (1) Redundant Cabling
Description
The organization employs redundant power cabling paths that are physically separated by [Assignment: organization-defined distance].
Control Information
Responsible role(s) - Organization
PE-9 (2) Automatic Voltage Controls
Description
The organization employs automatic voltage controls for [Assignment: organization-defined critical information system components].
Control Information
Responsible role(s) - Organization
PE-10 Emergency Shutoff
Description
The organization:
- Provides the capability of shutting off power to the information system or individual system components in emergency situations;
- Places emergency shutoff switches or devices in [Assignment: organization-defined location by information system or system component] to facilitate safe and easy access for personnel; and
- Protects emergency power shutoff capability from unauthorized activation.
Control Information
Responsible role(s) - Organization
PE-11 Emergency Power
Description
The organization provides a short-term uninterruptible power supply to facilitate [Selection (one or more): an orderly shutdown of the information system; transition of the information system to long-term alternate power] in the event of a primary power source loss.
Control Information
Responsible role(s) - Organization
PE-11 (1) Long-Term Alternate Power Supply - Minimal Operational Capability
Description
The organization provides a long-term alternate power supply for the information system that is capable of maintaining minimally required operational capability in the event of an extended loss of the primary power source.
Control Information
Responsible role(s) - Organization
PE-11 (2) Long-Term Alternate Power Supply - Self-Contained
Description
The organization provides a long-term alternate power supply for the information system that is:
- Self-contained;
- Not reliant on external power generation; and
- Capable of maintaining [Selection: minimally required operational capability; full operational capability] in the event of an extended loss of the primary power source.
Control Information
Responsible role(s) - Organization
PE-12 Emergency Lighting
Description
The organization employs and maintains automatic emergency lighting for the information system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility.
Control Information
Responsible role(s) - Organization
PE-12 (1) Essential Missions / Business Functions
Description
The organization provides emergency lighting for all areas within the facility supporting essential missions and business functions.
Control Information
Responsible role(s) - Organization
PE-13 Fire Protection
Description
The organization employs and maintains fire suppression and detection devices/systems for the information system that are supported by an independent energy source.
Control Information
Responsible role(s) - Organization
PE-13 (1) Detection Devices / Systems
Description
The organization employs fire detection devices/systems for the information system that activate automatically and notify [Assignment: organization-defined personnel or roles] and [Assignment: organization-defined emergency responders] in the event of a fire.
Control Information
Responsible role(s) - Organization
PE-13 (2) Suppression Devices / Systems
Description
The organization employs fire suppression devices/systems for the information system that provide automatic notification of any activation to [Assignment: organization-defined personnel or roles] and [Assignment: organization-defined emergency responders].
Control Information
Responsible role(s) - Organization
PE-13 (3) Automatic Fire Suppression
Description
The organization employs an automatic fire suppression capability for the information system when the facility is not staffed on a continuous basis.
Control Information
Responsible role(s) - Organization
PE-13 (4) Inspections
Description
The organization ensures that the facility undergoes [Assignment: organization-defined frequency] inspections by authorized and qualified inspectors and resolves identified deficiencies within [Assignment: organization-defined time period].
Control Information
Responsible role(s) - Organization
PE-14 Temperature And Humidity Controls
Description
The organization:
- Maintains temperature and humidity levels within the facility where the information system resides at [Assignment: organization-defined acceptable levels]; and
- Monitors temperature and humidity levels [Assignment: organization-defined frequency].
Control Information
Responsible role(s) - Organization
PE-14 (1) Automatic Controls
Description
The organization employs automatic temperature and humidity controls in the facility to prevent fluctuations potentially harmful to the information system.
Control Information
Responsible role(s) - Organization
PE-14 (2) Monitoring With Alarms / Notifications
Description
The organization employs temperature and humidity monitoring that provides an alarm or notification of changes potentially harmful to personnel or equipment.
Control Information
Responsible role(s) - Organization
PE-15 Water Damage Protection
Description
The organization protects the information system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel.
Control Information
Responsible role(s) - Organization
PE-15 (1) Automation Support
Description
The organization employs automated mechanisms to detect the presence of water in the vicinity of the information system and alerts [Assignment: organization-defined personnel or roles].
Control Information
Responsible role(s) - Organization
PE-16 Delivery And Removal
Description
The organization authorizes, monitors, and controls [Assignment: organization-defined types of information system components] entering and exiting the facility and maintains records of those items.
Control Information
Responsible role(s) - Organization
PE-17 Alternate Work Site
Description
The organization:
- Employs [Assignment: organization-defined security controls] at alternate work sites;
- Assesses, as feasible, the effectiveness of security controls at alternate work sites; and
- Provides a means for employees to communicate with information security personnel in case of security incidents or problems.
Control Information
Responsible role(s) - Organization
PE-18 Location Of Information System Components
Description
The organization positions information system components within the facility to minimize potential damage from [Assignment: organization-defined physical and environmental hazards] and to minimize the opportunity for unauthorized access.
Control Information
Responsible role(s) - Organization
PE-18 (1) Facility Site
Description
The organization plans the location or site of the facility where the information system resides with regard to physical and environmental hazards and, for existing facilities, considers the physical and environmental hazards in its risk mitigation strategy.
Control Information
Responsible role(s) - Organization
PE-19 Information Leakage
Description
The organization protects the information system from information leakage due to electromagnetic signal emanations.
Control Information
Responsible role(s) - Organization
PE-19 (1) National Emissions / Tempest Policies And Procedures
Description
The organization ensures that information system components, associated data communications, and networks are protected in accordance with national emissions and TEMPEST policies and procedures based on the security category or classification of the information.
Control Information
Responsible role(s) - Organization
PE-20 Asset Monitoring And Tracking
Description
The organization:
- Employs [Assignment: organization-defined asset location technologies] to track and monitor the location and movement of [Assignment: organization-defined assets] within [Assignment: organization-defined controlled areas]; and
- Ensures that asset location technologies are employed in accordance with applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance.
Control Information
Responsible role(s) - Organization