NIST 800-53 REV 5 • PHYSICAL AND ENVIRONMENTAL PROTECTION

PE-23Facility Location

Plan the location or site of the facility where the system resides considering physical and environmental hazards; and For existing facilities, consider the physical and environmental hazards in the organizational risk management strategy.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Physical and environmental hazards include floods, fires, tornadoes, earthquakes, hurricanes, terrorism, vandalism, an electromagnetic pulse, electrical interference, and other forms of incoming electromagnetic radiation. The location of system components within the facility is addressed in [PE-18](#pe-18).

Practitioner Notes

When selecting a location for your facility, consider physical and environmental hazards — floods, earthquakes, tornadoes, industrial accidents, and other threats — that could disrupt operations or damage your systems.

Example 1: Before establishing a new facility, conduct a site risk assessment that evaluates: FEMA flood zone designation, seismic activity, proximity to chemical or industrial facilities, crime rates, proximity to airports or rail lines, and historical weather patterns. Document findings and mitigation measures.

Example 2: For existing facilities, review your location risk periodically — new construction, zoning changes, or climate pattern shifts can change your risk profile. Work with your insurance provider to identify site-specific risks and ensure your business continuity plan accounts for location-based threats. Update your risk assessment at least every three years.

More Physical and Environmental Protection Controls

PE-1 Policy and Procedures PE-2 Physical Access Authorizations PE-2(1) Access by Position or Role PE-2(2) Two Forms of Identification