PE-3: Physical Access Control


  • Low
    • PE-3
  • Moderate
    • PE-3
  • High
  • Privacy


Control Statement

  1. Enforce physical access authorizations at [Assignment: organization-defined entry and exit points to the facility where the system resides] by:
    1. Verifying individual access authorizations before granting access to the facility; and
    2. Controlling ingress and egress to the facility using [Assignment (one or more): [Assignment: organization-defined physical access control systems or devices], guards];
  2. Maintain physical access audit logs for [Assignment: organization-defined entry or exit points];
  3. Control access to areas within the facility designated as publicly accessible by implementing the following controls: [Assignment: organization-defined physical access controls];
  4. Escort visitors and control visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and control of visitor activity];
  5. Secure keys, combinations, and other physical access devices;
  6. Inventory [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and
  7. Change combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or when individuals possessing the keys or combinations are transferred or terminated.

Supplemental Guidance

Physical access control applies to employees and visitors. Individuals with permanent physical access authorizations are not considered visitors. Physical access controls for publicly accessible areas may include physical access control logs/records, guards, or physical access devices and barriers to prevent movement from publicly accessible areas to non-public areas. Organizations determine the types of guards needed, including professional security staff, system users, or administrative staff. Physical access devices include keys, locks, combinations, biometric readers, and card readers. Physical access control systems comply with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural, automated, or some combination thereof. Physical access points can include facility access points, interior access points to systems that require supplemental access controls, or both. Components of systems may be in areas designated as publicly accessible with organizations controlling access to the components.

Control Enhancements

PE-3(1): System Access


  • High

Enforce physical access authorizations to the system in addition to the physical access controls for the facility at [Assignment: organization-defined physical spaces containing one or more components of the system].

PE-3(2): Facility and Systems


(Not part of any baseline)

Perform security checks [Assignment: organization-defined frequency] at the physical perimeter of the facility or system for exfiltration of information or removal of system components.

PE-3(3): Continuous Guards


(Not part of any baseline)

Employ guards to control [Assignment: organization-defined physical access points] to the facility where the system resides 24 hours per day, 7 days per week.

PE-3(4): Lockable Casings


(Not part of any baseline)

Use lockable physical casings to protect [Assignment: organization-defined system components] from unauthorized physical access.

PE-3(5): Tamper Protection


(Not part of any baseline)

Employ [Assignment: organization-defined anti-tamper technologies] to [Assignment (one or more): detect, prevent] physical tampering or alteration of [Assignment: organization-defined hardware components] within the system.

PE-3(8): Access Control Vestibules


(Not part of any baseline)

Employ access control vestibules at [Assignment: organization-defined locations within the facility].