NIST 800-53 REV 5 • PHYSICAL AND ENVIRONMENTAL PROTECTION
PE-18 — Location of System Components
Position system components within the facility to minimize potential damage from [Assignment: organization-defined physical and environmental hazards] and to minimize the opportunity for unauthorized access.
Supplemental Guidance
Physical and environmental hazards include floods, fires, tornadoes, earthquakes, hurricanes, terrorism, vandalism, an electromagnetic pulse, electrical interference, and other forms of incoming electromagnetic radiation. Organizations consider the location of entry points where unauthorized individuals, while not being granted access, might nonetheless be near systems. Such proximity can increase the risk of unauthorized access to organizational communications using wireless packet sniffers or microphones, or unauthorized disclosure of information.
Practitioner Notes
Where you place your systems within a facility matters. Position equipment to minimize exposure to physical threats (water, fire, windows, high-traffic areas) and unauthorized access.
Example 1: Do not put servers in the basement (flood risk) or on the top floor (roof leak risk) if you can avoid it. Place server rooms in interior spaces away from exterior walls and windows. Position network equipment away from loading docks, kitchens, and restrooms where water and foot traffic are high.
Example 2: When designing or renovating your IT spaces, work with facilities to ensure server rooms are not adjacent to wet areas (restrooms, kitchens, mechanical rooms with chillers). Position monitors to prevent shoulder surfing from windows or public areas. Document location decisions in your facility security plan.