NIST 800-53 REV 5 • PHYSICAL AND ENVIRONMENTAL PROTECTION
PE-2(1) — Access by Position or Role
Authorize physical access to the facility where the system resides based on position or role.
Supplemental Guidance
Role-based facility access includes access by authorized permanent and regular/routine maintenance personnel, duty officers, and emergency medical staff.
Practitioner Notes
Instead of (or in addition to) authorizing access for named individuals, you can authorize access based on position or role: for example, every IT administrator gets server room access and every executive gets executive suite access. Individuals still badge in under their own identity; the role determines which access profile that identity receives, so entry can be audited per person and removed when the person leaves the role.
Example 1: Define access levels tied to job roles in your access control system: 'IT Staff' gets server room access, 'All Employees' get general office access, 'Executives' get the executive floor. When someone changes roles, replace their access profile with the one for the new position rather than adding to it, so that access does not accumulate across role changes.
Example 2: Document role-based physical access in a matrix showing which roles can access which areas, and include this matrix in your physical security procedures. When a new employee is onboarded, HR provides their role and your badge administrator grants the corresponding access profile. Any area not listed for a role is denied by default, and individual exceptions (a contractor who needs temporary server room access) are recorded separately with an expiry date rather than by widening the role.
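The two examples above describe a role-to-area matrix, profile replacement on role change, and time-limited individual exceptions. The following Python is an added illustration of that logic, not part of the NIST text or any badge product; the role names, zone names, badge holders and dates are all constructed for the example.

```python
"""Role-based physical access matrix with default deny, role-change
reconciliation and expiring individual exceptions.

Added example, not part of NIST SP 800-53; ROLE_ZONES and all names are
hypothetical/constructed."""
from dataclasses import dataclass, field
from datetime import date

# Constructed role -> zones matrix (the "access matrix" from Example 2).
# Zone names are hypothetical.
ROLE_ZONES = {
    "All Employees": {"lobby", "general_office"},
    "IT Staff": {"lobby", "general_office", "server_room"},
    "Executives": {"lobby", "general_office", "executive_floor"},
    "Maintenance": {"lobby", "general_office", "server_room", "mechanical"},
}


@dataclass
class TemporaryGrant:
    """Individual exception that expires; 'expires' is the last valid day."""
    zone: str
    expires: date


@dataclass
class Badge:
    """A badge is tied to one person; the role selects the access profile."""
    holder: str
    role: str
    grants: list = field(default_factory=list)


def zones_for_role(role):
    """Default deny: a role missing from the matrix gets no zones."""
    return set(ROLE_ZONES.get(role, set()))


def is_authorized(badge, zone, today):
    """True if the role allows the zone or an unexpired individual grant does."""
    if zone in zones_for_role(badge.role):
        return True
    return any(g.zone == zone and g.expires >= today for g in badge.grants)


def change_role(badge, new_role):
    """Replace the role (do not accumulate) and return (revoked, granted)
    zones so the badge system can be reconciled against the new profile."""
    old = zones_for_role(badge.role)
    new = zones_for_role(new_role)
    badge.role = new_role
    return old - new, new - old


def expired_grants(badges, today):
    """Periodic review: list (holder, zone) for grants past their expiry."""
    return [(b.holder, g.zone) for b in badges for g in b.grants
            if g.expires < today]
```

Note that change_role computes the difference between the old and new profiles rather than just adding the new zones; the revoked set is what the badge administrator must actually remove, which is the step most often missed in practice.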