PE-3 Physical Access Control

Description

This Control applies to organizational employees and visitors.

Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors.

Organizations determine the types of facility guards needed including, for example, professional physical security staff or other personnel such as administrative staff or information system users.

Physical access devices include, for example, keys, locks, combinations, and card readers.

Safeguards for publicly accessible areas within organizational facilities include, for example, cameras, monitoring by guards, and isolating selected information systems and/or system components in secured areas.

Physical access control systems comply with applicable federal laws, executive orders, directives, policies, regulations, standards, and guidance. The Federal Identity, Credential, and Access Management Program provides implementation guidance for identity, credential, and access management capabilities for physical access control systems.

Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural (e.g., a written log of individuals accessing the facility and when such access occurred), automated (e.g., capturing ID provided by a PIV card), or some combination thereof.

Physical access points can include facility access points, interior access points to information systems and/or components requiring supplemental access controls, or both. Components of organizational information systems (e.g., workstations, terminals) may be located in areas designated as publicly accessible with organizations safeguarding access to such devices.

Applicability

This Control applies to facilities that house information systems (e.g., data centers, server rooms or closets) considered mission critical and which require a higher level of security due to the nature of one of the following:

  1. type of equipment
  2. type of data the equipment stores

Responsibility for ensuring the physical security of information resources may be part of the job function for departmental staff, who may include, but are not limited to, information technology staff, information resource custodians, facility coordinators, supervisors, managers, and others.

Implementation

The Director of Infrastructure or his or her designated representative(s) shall control all physical access points (including designated entry/exit points) to the facility where the information system resides (except for those areas within the facility officially designated as publicly accessible) and verify individual access authorizations before granting access to the facility. In doing so, the Director of Infrastructure or designated representative(s):

  1. Enforces physical access authorizations at entry/exit points to the facility where the information system resides by:
    1. Verifying individual access authorizations before granting access to the facility; and
    2. Controlling ingress/egress to the facility using;
  2. Maintains physical access audit logs for the Dugan data center;
  3. Provides entry access cards, video surveillance, and manual entry logs to control access to areas within the facility officially designated as publicly accessible;
  4. Escorts visitors and monitors visitor activity when circumstances require visitor escorts and monitoring (e.g., entering areas that may contain controlled or confidential information);
  5. Secures and maintains the inventory of keys, combinations, and other physical access devices and validates that inventory annually; and
  6. Changes combinations on access cards when access cards are lost, combinations are compromised, or individuals are transferred or terminated. In cases where "Do Not Duplicate" facility keys are lost, or individuals fail to turn them in during transfer or termination, the locks that use those keys will be changed and keys re-issued to appropriate, authorized personnel.

Revision History

Last Updated: February 21, 2025

Previous Versions:

  • June 29, 2023
  • May 31, 2022
  • March 25, 2021
  • September 16, 2019