Control ID Title / Statement Priority Baseline Impact
PE-1
Physical and Environmental Protection Policy and Procedures 3 params
The organization: a. Develops, documents, and disseminates to {{ insert: param, pe-1_prm_1 }}: 1. A physical and environmental protection policy that addresses purpose, scope, roles, responsi...
Param ID Label Constraint / Choices
pe-1_prm_1 organization-defined personnel or roles Organization-defined
pe-1_prm_2 organization-defined frequency Organization-defined
pe-1_prm_3 organization-defined frequency Organization-defined
PE-2
Physical Access Authorizations 1 param
The organization: a. Develops, approves, and maintains a list of individuals with authorized access to the facility where the information system resides; b. Issues authorization credentials for...
Param ID Label Constraint / Choices
pe-2_prm_1 organization-defined frequency Organization-defined
PE-2(1)
Access by Position / Role
The organization authorizes physical access to the facility where the information system resides based on position or role.
PE-2(2)
Two Forms of Identification 1 param
The organization requires two forms of identification from {{ insert: param, pe-2.2_prm_1 }} for visitor access to the facility where the information system resides.
Param ID Label Constraint / Choices
pe-2.2_prm_1 organization-defined list of acceptable forms of identification Organization-defined
PE-2(3)
Restrict Unescorted Access 2 params
The organization restricts unescorted access to the facility where the information system resides to personnel with {{ insert: param, pe-2.3_prm_1 }}.
Param ID Label Constraint / Choices
pe-2.3_prm_1 Select one-or-more: security clearances for all information contained within the system; formal access authorizations for all information contained within the system; need for access to all information contained within the system; {{ insert: param, pe-2.3_prm_2 }}
pe-2.3_prm_2 organization-defined credentials Organization-defined
PE-3
Physical Access Control 9 params
The organization: a. Enforces physical access authorizations at {{ insert: param, pe-3_prm_1 }} by; 1. Verifying individual access authorizations before granting access to the facility; and ...
Param ID Label Constraint / Choices
pe-3_prm_1 organization-defined entry/exit points to the facility where the information system resides Organization-defined
pe-3_prm_2 Select one-or-more: {{ insert: param, pe-3_prm_3 }} ; guards
pe-3_prm_3 organization-defined physical access control systems/devices Organization-defined
pe-3_prm_4 organization-defined entry/exit points Organization-defined
pe-3_prm_5 organization-defined security safeguards Organization-defined
pe-3_prm_6 organization-defined circumstances requiring visitor escorts and monitoring Organization-defined
pe-3_prm_7 organization-defined physical access devices Organization-defined
pe-3_prm_8 organization-defined frequency Organization-defined
pe-3_prm_9 organization-defined frequency Organization-defined
PE-3(1)
Information System Access 1 param
The organization enforces physical access authorizations to the information system in addition to the physical access controls for the facility at {{ insert: param, pe-3.1_prm_1 }}.
Param ID Label Constraint / Choices
pe-3.1_prm_1 organization-defined physical spaces containing one or more components of the information system Organization-defined
PE-3(2)
Facility / Information System Boundaries 1 param
The organization performs security checks {{ insert: param, pe-3.2_prm_1 }} at the physical boundary of the facility or information system for unauthorized exfiltration of information or removal of...
Param ID Label Constraint / Choices
pe-3.2_prm_1 organization-defined frequency Organization-defined
PE-3(3)
Continuous Guards / Alarms / Monitoring
The organization employs guards and/or alarms to monitor every physical access point to the facility where the information system resides 24 hours per day, 7 days per week.
PE-3(4)
Lockable Casings 1 param
The organization uses lockable physical casings to protect {{ insert: param, pe-3.4_prm_1 }} from unauthorized physical access.
Param ID Label Constraint / Choices
pe-3.4_prm_1 organization-defined information system components Organization-defined
PE-3(5)
Tamper Protection 3 params
The organization employs {{ insert: param, pe-3.5_prm_1 }} to {{ insert: param, pe-3.5_prm_2 }} physical tampering or alteration of {{ insert: param, pe-3.5_prm_3 }} within the information system.
Param ID Label Constraint / Choices
pe-3.5_prm_1 organization-defined security safeguards Organization-defined
pe-3.5_prm_2 Select one-or-more: detect; prevent
pe-3.5_prm_3 organization-defined hardware components Organization-defined
PE-3(6)
Facility Penetration Testing 1 param
The organization employs a penetration testing process that includes {{ insert: param, pe-3.6_prm_1 }}, unannounced attempts to bypass or circumvent security controls associated with physical acces...
Param ID Label Constraint / Choices
pe-3.6_prm_1 organization-defined frequency Organization-defined
PE-4
Access Control for Transmission Medium 2 params
The organization controls physical access to {{ insert: param, pe-4_prm_1 }} within organizational facilities using {{ insert: param, pe-4_prm_2 }}.
Param ID Label Constraint / Choices
pe-4_prm_1 organization-defined information system distribution and transmission lines Organization-defined
pe-4_prm_2 organization-defined security safeguards Organization-defined
PE-5
Access Control for Output Devices
The organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output.
PE-5(1)
Access to Output by Authorized Individuals 1 param
The organization: (a) Controls physical access to output from {{ insert: param, pe-5.1_prm_1 }}; and (b) Ensures that only authorized individuals receive output from the device.
Param ID Label Constraint / Choices
pe-5.1_prm_1 organization-defined output devices Organization-defined
PE-5(2)
Access to Output by Individual Identity 1 param
The information system: (a) Controls physical access to output from {{ insert: param, pe-5.2_prm_1 }}; and (b) Links individual identity to receipt of the output from the device.
Param ID Label Constraint / Choices
pe-5.2_prm_1 organization-defined output devices Organization-defined
PE-5(3)
Marking Output Devices 1 param
The organization marks {{ insert: param, pe-5.3_prm_1 }} indicating the appropriate security marking of the information permitted to be output from the device.
Param ID Label Constraint / Choices
pe-5.3_prm_1 organization-defined information system output devices Organization-defined
PE-6
Monitoring Physical Access 2 params
The organization: a. Monitors physical access to the facility where the information system resides to detect and respond to physical security incidents; b. Reviews physical access logs {{ inser...
Param ID Label Constraint / Choices
pe-6_prm_1 organization-defined frequency Organization-defined
pe-6_prm_2 organization-defined events or potential indications of events Organization-defined
PE-6(1)
Intrusion Alarms / Surveillance Equipment
The organization monitors physical intrusion alarms and surveillance equipment.
PE-6(2)
Automated Intrusion Recognition / Responses 2 params
The organization employs automated mechanisms to recognize {{ insert: param, pe-6.2_prm_1 }} and initiate {{ insert: param, pe-6.2_prm_2 }}.
Param ID Label Constraint / Choices
pe-6.2_prm_1 organization-defined classes/types of intrusions Organization-defined
pe-6.2_prm_2 organization-defined response actions Organization-defined
PE-6(3)
Video Surveillance 2 params
The organization employs video surveillance of {{ insert: param, pe-6.3_prm_1 }} and retains video recordings for {{ insert: param, pe-6.3_prm_2 }}.
Param ID Label Constraint / Choices
pe-6.3_prm_1 organization-defined operational areas Organization-defined
pe-6.3_prm_2 organization-defined time period Organization-defined
PE-6(4)
Monitoring Physical Access to Information Systems 1 param
The organization monitors physical access to the information system in addition to the physical access monitoring of the facility as {{ insert: param, pe-6.4_prm_1 }}.
Param ID Label Constraint / Choices
pe-6.4_prm_1 organization-defined physical spaces containing one or more components of the information system Organization-defined
PE-7
Visitor Control
PE-8
Visitor Access Records 2 params
The organization: a. Maintains visitor access records to the facility where the information system resides for {{ insert: param, pe-8_prm_1 }}; and b. Reviews visitor access records {{ insert: ...
Param ID Label Constraint / Choices
pe-8_prm_1 organization-defined time period Organization-defined
pe-8_prm_2 organization-defined frequency Organization-defined
PE-8(1)
Automated Records Maintenance / Review
The organization employs automated mechanisms to facilitate the maintenance and review of visitor access records.
PE-8(2)
Physical Access Records
PE-9
Power Equipment and Cabling
The organization protects power equipment and power cabling for the information system from damage and destruction.
PE-9(1)
Redundant Cabling 1 param
The organization employs redundant power cabling paths that are physically separated by {{ insert: param, pe-9.1_prm_1 }}.
Param ID Label Constraint / Choices
pe-9.1_prm_1 organization-defined distance Organization-defined
PE-9(2)
Automatic Voltage Controls 1 param
The organization employs automatic voltage controls for {{ insert: param, pe-9.2_prm_1 }}.
Param ID Label Constraint / Choices
pe-9.2_prm_1 organization-defined critical information system components Organization-defined
PE-10
Emergency Shutoff 1 param
The organization: a. Provides the capability of shutting off power to the information system or individual system components in emergency situations; b. Places emergency shutoff switches or dev...
Param ID Label Constraint / Choices
pe-10_prm_1 organization-defined location by information system or system component Organization-defined
PE-10(1)
Accidental / Unauthorized Activation
pe-10a Provides the capability of shutting off power to the information system or individual system components in emergency situations;
pe-10b Places emergency shutoff switches or devices in {{ insert: param, pe-10_prm_1 }} to facilitate safe and easy access for personnel; and
pe-10c Protects emergency power shutoff capability from unauthorized activation.
PE-11
Emergency Power 1 param
The organization provides a short-term uninterruptible power supply to facilitate {{ insert: param, pe-11_prm_1 }} in the event of a primary power source loss.
Param ID Label Constraint / Choices
pe-11_prm_1 Select one-or-more: an orderly shutdown of the information system; transition of the information system to long-term alternate power
PE-11(1)
Long-term Alternate Power Supply - Minimal Operational Capability
The organization provides a long-term alternate power supply for the information system that is capable of maintaining minimally required operational capability in the event of an extended loss of ...
PE-11(2)
Long-term Alternate Power Supply - Self-contained 1 param
The organization provides a long-term alternate power supply for the information system that is: (a) Self-contained; (b) Not reliant on external power generation; and (c) Capable of maintaini...
Param ID Label Constraint / Choices
pe-11.2_prm_1 Select one: minimally required operational capability; full operational capability
pe-11.2.(a) Self-contained;
pe-11.2.(b) Not reliant on external power generation; and
pe-11.2.(c) Capable of maintaining {{ insert: param, pe-11.2_prm_1 }} in the event of an extended loss of the primary power source.
PE-12
Emergency Lighting
The organization employs and maintains automatic emergency lighting for the information system that activates in the event of a power outage or disruption and that covers emergency exits and evacua...
PE-12(1)
Essential Missions / Business Functions
The organization provides emergency lighting for all areas within the facility supporting essential missions and business functions.
PE-13
Fire Protection
The organization employs and maintains fire suppression and detection devices/systems for the information system that are supported by an independent energy source.
PE-13(1)
Detection Devices / Systems 2 params
The organization employs fire detection devices/systems for the information system that activate automatically and notify {{ insert: param, pe-13.1_prm_1 }} and {{ insert: param, pe-13.1_prm_2 }} i...
Param ID Label Constraint / Choices
pe-13.1_prm_1 organization-defined personnel or roles Organization-defined
pe-13.1_prm_2 organization-defined emergency responders Organization-defined
PE-13(2)
Suppression Devices / Systems 2 params
The organization employs fire suppression devices/systems for the information system that provide automatic notification of any activation to {{ insert: param, pe-13.2_prm_1 }} and {{ insert: param...
Param ID Label Constraint / Choices
pe-13.2_prm_1 organization-defined personnel or roles Organization-defined
pe-13.2_prm_2 organization-defined emergency responders Organization-defined
PE-13(3)
Automatic Fire Suppression
The organization employs an automatic fire suppression capability for the information system when the facility is not staffed on a continuous basis.
PE-13(4)
Inspections 2 params
The organization ensures that the facility undergoes {{ insert: param, pe-13.4_prm_1 }} inspections by authorized and qualified inspectors and resolves identified deficiencies within {{ insert: par...
Param ID Label Constraint / Choices
pe-13.4_prm_1 organization-defined frequency Organization-defined
pe-13.4_prm_2 organization-defined time period Organization-defined
PE-14
Temperature and Humidity Controls 2 params
The organization: a. Maintains temperature and humidity levels within the facility where the information system resides at {{ insert: param, pe-14_prm_1 }}; and b. Monitors temperature and humi...
Param ID Label Constraint / Choices
pe-14_prm_1 organization-defined acceptable levels Organization-defined
pe-14_prm_2 organization-defined frequency Organization-defined
PE-14(1)
Automatic Controls
The organization employs automatic temperature and humidity controls in the facility to prevent fluctuations potentially harmful to the information system.
PE-14(2)
Monitoring with Alarms / Notifications
The organization employs temperature and humidity monitoring that provides an alarm or notification of changes potentially harmful to personnel or equipment.
pe-14a Maintains temperature and humidity levels within the facility where the information system resides at {{ insert: param, pe-14_prm_1 }}; and
pe-14b Monitors temperature and humidity levels {{ insert: param, pe-14_prm_2 }}.
PE-15
Water Damage Protection
The organization protects the information system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key per...
PE-15(1)
Automation Support 1 param
The organization employs automated mechanisms to detect the presence of water in the vicinity of the information system and alerts {{ insert: param, pe-15.1_prm_1 }}.
Param ID Label Constraint / Choices
pe-15.1_prm_1 organization-defined personnel or roles Organization-defined
PE-16
Delivery and Removal 1 param
The organization authorizes, monitors, and controls {{ insert: param, pe-16_prm_1 }} entering and exiting the facility and maintains records of those items.
Param ID Label Constraint / Choices
pe-16_prm_1 organization-defined types of information system components Organization-defined
PE-17
Alternate Work Site 1 param
The organization: a. Employs {{ insert: param, pe-17_prm_1 }} at alternate work sites; b. Assesses as feasible, the effectiveness of security controls at alternate work sites; and c. Provides...
Param ID Label Constraint / Choices
pe-17_prm_1 organization-defined security controls Organization-defined
pe-17a Employs {{ insert: param, pe-17_prm_1 }} at alternate work sites;
pe-17b Assesses as feasible, the effectiveness of security controls at alternate work sites; and
pe-17c Provides a means for employees to communicate with information security personnel in case of security incidents or problems.
PE-18
Location of Information System Components 1 param
The organization positions information system components within the facility to minimize potential damage from {{ insert: param, pe-18_prm_1 }} and to minimize the opportunity for unauthorized access.
Param ID Label Constraint / Choices
pe-18_prm_1 organization-defined physical and environmental hazards Organization-defined
PE-18(1)
Facility Site
The organization plans the location or site of the facility where the information system resides with regard to physical and environmental hazards and for existing facilities, considers the physica...
PE-19
Information Leakage
The organization protects the information system from information leakage due to electromagnetic signals emanations.
PE-19(1)
National Emissions / Tempest Policies and Procedures
The organization ensures that information system components, associated data communications, and networks are protected in accordance with national emissions and TEMPEST policies and procedures bas...
pe-1a Develops, documents, and disseminates to {{ insert: param, pe-1_prm_1 }}:
pe-1a.1 A physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among or...
pe-1a.2 Procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protectio...
pe-1b Reviews and updates the current:
pe-1b.1 Physical and environmental protection policy {{ insert: param, pe-1_prm_2 }}; and
pe-1b.2 Physical and environmental protection procedures {{ insert: param, pe-1_prm_3 }}.
PE-20
Asset Monitoring and Tracking 3 params
The organization: a. Employs {{ insert: param, pe-20_prm_1 }} to track and monitor the location and movement of {{ insert: param, pe-20_prm_2 }} within {{ insert: param, pe-20_prm_3 }}; and b. ...
Param ID Label Constraint / Choices
pe-20_prm_1 organization-defined asset location technologies Organization-defined
pe-20_prm_2 organization-defined assets Organization-defined
pe-20_prm_3 organization-defined controlled areas Organization-defined
pe-20a Employs {{ insert: param, pe-20_prm_1 }} to track and monitor the location and movement of {{ insert: param, pe-20_prm_2 }} within {{ insert: param...
pe-20b Ensures that asset location technologies are employed in accordance with applicable federal laws, Executive Orders, directives, regulations, polici...
pe-2a Develops, approves, and maintains a list of individuals with authorized access to the facility where the information system resides;
pe-2b Issues authorization credentials for facility access;
pe-2c Reviews the access list detailing authorized facility access by individuals {{ insert: param, pe-2_prm_1 }}; and
pe-2d Removes individuals from the facility access list when access is no longer required.
pe-3a Enforces physical access authorizations at {{ insert: param, pe-3_prm_1 }} by;
pe-3a.1 Verifying individual access authorizations before granting access to the facility; and
pe-3a.2 Controlling ingress/egress to the facility using {{ insert: param, pe-3_prm_2 }};
pe-3b Maintains physical access audit logs for {{ insert: param, pe-3_prm_4 }};
pe-3c Provides {{ insert: param, pe-3_prm_5 }} to control access to areas within the facility officially designated as publicly accessible;
pe-3d Escorts visitors and monitors visitor activity {{ insert: param, pe-3_prm_6 }};
pe-3e Secures keys, combinations, and other physical access devices;
pe-3f Inventories {{ insert: param, pe-3_prm_7 }} every {{ insert: param, pe-3_prm_8 }}; and
pe-3g Changes combinations and keys {{ insert: param, pe-3_prm_9 }} and/or when keys are lost, combinations are compromised, or individuals are transferr...
pe-5.1.(a) Controls physical access to output from {{ insert: param, pe-5.1_prm_1 }}; and
pe-5.1.(b) Ensures that only authorized individuals receive output from the device.
pe-5.2.(a) Controls physical access to output from {{ insert: param, pe-5.2_prm_1 }}; and
pe-5.2.(b) Links individual identity to receipt of the output from the device.
pe-6a Monitors physical access to the facility where the information system resides to detect and respond to physical security incidents;
pe-6b Reviews physical access logs {{ insert: param, pe-6_prm_1 }} and upon occurrence of {{ insert: param, pe-6_prm_2 }}; and
pe-6c Coordinates results of reviews and investigations with the organizational incident response capability.
pe-8a Maintains visitor access records to the facility where the information system resides for {{ insert: param, pe-8_prm_1 }}; and
pe-8b Reviews visitor access records {{ insert: param, pe-8_prm_2 }}.