PE-2

PE-2 PHYSICAL ACCESS AUTHORIZATIONS

Overview

Number	Title	Impact	Priority	Subject Area
PE-2	Physical Access Authorizations	LOW	P1	Physical And Environmental Protection

Instructions
The organization: PE-2a. Develops, approves, and maintains a list of individuals with authorized access to the facility where the information system resides; PE-2b. Issues authorization credentials for facility access; PE-2c. Reviews the access list detailing authorized facility access by individuals Assignment: organization-defined frequency; and PE-2d. Removes individuals from the facility access list when access is no longer required.

Instructions

The organization:

PE-2a.

Develops, approves, and maintains a list of individuals with authorized access to the facility where the information system resides;

PE-2b.

Issues authorization credentials for facility access;

PE-2c.

Reviews the access list detailing authorized facility access by individuals Assignment: organization-defined frequency; and

PE-2d.

Removes individuals from the facility access list when access is no longer required.

Guidance
This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Authorization credentials include, for example, badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed (including level of forge-proof badges, smart cards, or identification cards) consistent with federal standards, policies, and procedures. This control only applies to areas within facilities that have not been designated as publicly accessible.

Guidance

This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Authorization credentials include, for example, badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed (including level of forge-proof badges, smart cards, or identification cards) consistent with federal standards, policies, and procedures. This control only applies to areas within facilities that have not been designated as publicly accessible.

Enhancements

PE-2 (1) Access By Position / Role

The organization authorizes physical access to the facility where the information system resides based on position or role.

PE-2 (2) Two Forms Of Identification

Acceptable forms of government photo identification include, for example, passports, Personal Identity Verification (PIV) cards, and drivers� licenses. In the case of gaining access to facilities using automated mechanisms, organizations may use PIV cards, key cards, PINs, and biometrics.

The organization requires two forms of identification from Assignment: organization-defined list of acceptable forms of identification for visitor access to the facility where the information system resides.

PE-2 (3) Restrict Unescorted Access

Due to the highly sensitive nature of classified information stored within certain facilities, it is important that individuals lacking sufficient security clearances, access approvals, or need to know, be escorted by individuals with appropriate credentials to ensure that such information is not exposed or otherwise compromised.

The organization restricts unescorted access to the facility where the information system resides to personnel with Selection (one or more): security clearances for all information contained within the system; formal access authorizations for all information contained within the system; need for access to all information contained within the system; Assignment: organization-defined credentials.