PE 2 PHYSICAL ACCESS AUTHORIZATIONS - NIST-SP-800-53-R5/NIST-SP-800-53-R5.github.io GitHub Wiki

Control:

• a. Develop, approve, and maintain a list of individuals with authorized access to the facility where the system resides;
• b. Issue authorization credentials for facility access;
• c. Review the access list detailing authorized facility access by individuals [ Assignment: organization-defined frequency ]; and
• d. Remove individuals from the facility access list when access is no longer required.

Discussion: Physical access authorizations apply to employees and visitors. Individuals with permanent physical access authorization credentials are not considered visitors. Authorization credentials include ID badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Physical access authorizations may not be necessary to access certain areas within facilities that are designated as publicly accessible.

Related Controls: AT-3, AU-9, IA-4, MA-5, MP-2, PE-3, PE-4, PE-5, PE-8, PM-12, PS-3, PS-4, PS-5, PS-6.

Control Enhancements:

• (1) PHYSICAL ACCESS AUTHORIZATIONS | ACCESS BY POSITION OR ROLE
  Authorize physical access to the facility where the system resides based on position or role.

  Discussion: Role-based facility access includes access by authorized permanent and regular/routine maintenance personnel, duty officers, and emergency medical staff.

  Related Controls: AC-2, AC-3, AC-6.

• (2) PHYSICAL ACCESS AUTHORIZATIONS | TWO FORMS OF IDENTIFICATION
  Require two forms of identification from the following forms of identification for visitor access to the facility where the system resides: [ Assignment: organization-defined list of acceptable forms of identification ].

  Discussion: Acceptable forms of identification include passports, REAL ID-compliant drivers’ licenses, and Personal Identity Verification (PIV) cards. For gaining access to facilities using automated mechanisms, organizations may use PIV cards, key cards, PINs, and biometrics.

  Related Controls: IA-2, IA -4, IA -5.

• (3) PHYSICAL ACCESS AUTHORIZATIONS | RESTRICT UNESCORTED ACCESS
  Restrict unescorted access to the facility where the system resides to personnel with [ Selection (one or more): security clearances for all information contained within the system; formal access authorizations for all information contained within the system; need for access to all information contained within the system; [ Assignment: organization-defined physical access authorizations ]].

  Discussion: Individuals without required security clearances, access approvals, or need to know are escorted by individuals with appropriate physical access authorizations to ensure that information is not exposed or otherwise compromised.

  Related Controls: PS-2, PS-6.

References: [FIPS 201-2], [SP 800-73-4], [SP 800-76-2], [SP 800-78-4].