NIST 800-53 REV 5 • PHYSICAL AND ENVIRONMENTAL PROTECTION

PE-16Delivery and Removal

Authorize and control {{ insert: param, pe-16_prm_1 }} entering and exiting the facility; and Maintain records of the system components.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Enforcing authorizations for entry and exit of system components may require restricting access to delivery areas and isolating the areas from the system and media libraries.

Practitioner Notes

When IT equipment enters or leaves your facility, it must be authorized, controlled, and recorded. You need to know what hardware came in, what went out, and who authorized the movement.

Example 1: Create an equipment delivery and removal form that records the item description, serial number, sender/recipient, purpose, authorizing manager, and date. Require this form to be completed and approved before any equipment passes through your doors. Maintain these records in your asset management system.

Example 2: Use an asset management tool (Snipe-IT, ServiceNow, or even a spreadsheet) to track all hardware assets. When equipment arrives, receive it into inventory with a photo and serial number. When equipment leaves, record the authorization, destination, and reason. Reconcile your physical inventory against your records quarterly.

More Physical and Environmental Protection Controls

PE-1 Policy and Procedures PE-2 Physical Access Authorizations PE-2(1) Access by Position or Role PE-2(2) Two Forms of Identification