NIST 800-53 REV 5 • PHYSICAL AND ENVIRONMENTAL PROTECTION
PE-3 — Physical Access Control
Enforce physical access authorizations at {{ insert: param, pe-03_odp.01 }} by: Verifying individual access authorizations before granting access to the facility; and Controlling ingress and egress to the facility using {{ insert: param, pe-03_odp.02 }}; Maintain physical access audit logs for {{ insert: param, pe-03_odp.04 }}; Control access to areas within the facility designated as publicly accessible by implementing the following controls: {{ insert: param, pe-03_odp.05 }}; Escort visitors and control visitor activity {{ insert: param, pe-03_odp.06 }}; Secure keys, combinations, and other physical access devices; Inventory {{ insert: param, pe-03_odp.07 }} every {{ insert: param, pe-03_odp.08 }} ; and Change combinations and keys {{ insert: param, pe-3_prm_9 }} and/or when keys are lost, combinations are compromised, or when individuals possessing the keys or combinations are transferred or terminated.
Supplemental Guidance
Physical access control applies to employees and visitors. Individuals with permanent physical access authorizations are not considered visitors. Physical access controls for publicly accessible areas may include physical access control logs/records, guards, or physical access devices and barriers to prevent movement from publicly accessible areas to non-public areas. Organizations determine the types of guards needed, including professional security staff, system users, or administrative staff. Physical access devices include keys, locks, combinations, biometric readers, and card readers. Physical access control systems comply with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural, automated, or some combination thereof. Physical access points can include facility access points, interior access points to systems that require supplemental access controls, or both. Components of systems may be in areas designated as publicly accessible with organizations controlling access to the components.
Practitioner Notes
Physical access controls enforce your access authorization decisions at the door. This means locks, badge readers, guards, or other mechanisms that verify someone is authorized before letting them in.
Example 1: Install electronic badge readers at all entry points to your facility and server room. Configure the system to log every access (granted and denied). Require badge + PIN for high-security areas like the server room. Test all door hardware quarterly to ensure locks and readers function properly.
Example 2: For a smaller office, use commercial-grade electronic locks (like Kaba, Schlage, or HID) with access logging. Change access codes regularly and immediately when an employee departs. Install a deadbolt backup in case the electronic system fails. Maintain a physical key log for any keyed entry points.