NIST 800-53 REV 5 • PHYSICAL AND ENVIRONMENTAL PROTECTION

PE-2 Physical Access Authorizations

a. Develop, approve, and maintain a list of individuals with authorized access to the facility where the system resides;
b. Issue authorization credentials for facility access;
c. Review the access list detailing authorized facility access by individuals {{ insert: param, pe-02_odp }}; and
d. Remove individuals from the facility access list when access is no longer required.

CMMC Practice Mapping

NIST 800-171 Mapping

Supplemental Guidance

Physical access authorizations apply to employees and visitors. Individuals with permanent physical access authorization credentials are not considered visitors. Authorization credentials include ID badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Physical access authorizations may not be necessary to access certain areas within facilities that are designated as publicly accessible.

Practitioner Notes

You need a formal, approved list of who is allowed physical access to the facility where your systems reside. Review that list on a fixed schedule, and issue, update, and revoke credentials as people join, change roles, and leave.

Example 1: Maintain a physical access authorization list in a spreadsheet or access control system database. For each authorized person, record their name, role, access level (full facility vs. specific areas), badge number, and authorization date. Review the list quarterly and remove anyone who no longer needs access.

Example 2: Use a physical access control system (PACS) like Lenel, AMAG, or Honeywell to manage badge access. Integrate it with your HR system so when an employee is terminated, their badge is automatically deactivated. Run a monthly report of active badges and cross-reference against current employees.
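The monthly cross-reference from Example 2, as an added illustration (not code from NIST or from any PACS vendor): reconcile the access list against the current HR roster, producing badges to deactivate (holder no longer employed) and badges whose quarterly review is overdue. The `hr_employee_id` and `last_reviewed_on` fields, and all sample rows, are assumptions constructed for this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

REVIEW_INTERVAL = timedelta(days=90)  # quarterly review, as in Example 1

@dataclass(frozen=True)
class BadgeRecord:
    """One row of the physical access authorization list."""
    name: str
    role: str
    access_level: str      # e.g. "full facility" or "server room only"
    badge_number: str
    hr_employee_id: str    # join key against the HR roster (assumed field)
    authorized_on: date
    last_reviewed_on: date

def reconcile(badges, active_employee_ids, today, interval=REVIEW_INTERVAL):
    """Cross-reference badges against the HR roster and the review schedule.
    Returns badge numbers to revoke (holder no longer employed) and badge
    numbers whose periodic review is overdue."""
    revoke, review = [], []
    for b in badges:
        if b.hr_employee_id not in active_employee_ids:
            revoke.append(b.badge_number)   # orphaned badge: deactivate
        elif today - b.last_reviewed_on > interval:
            review.append(b.badge_number)   # still employed, review overdue
    return {"revoke": sorted(revoke), "review": sorted(review)}

# Constructed sample data, not from any real facility or HR system.
ACTIVE_EMPLOYEE_IDS = {"E100", "E101", "E102"}
SAMPLE_BADGES = [
    BadgeRecord("Alice", "sysadmin", "full facility", "B-001", "E100",
                date(2024, 5, 1), date(2024, 5, 1)),
    BadgeRecord("Bob", "facilities", "full facility", "B-002", "E101",
                date(2023, 11, 1), date(2024, 1, 15)),
    BadgeRecord("Carol", "contractor", "server room only", "B-003", "E199",
                date(2024, 2, 1), date(2024, 4, 1)),  # E199 has left
    BadgeRecord("Dave", "network eng", "server room only", "B-004", "E102",
                date(2024, 4, 2), date(2024, 4, 2)),
]
REPORT_DATE = date(2024, 6, 30)

def run_sample_report():
    return reconcile(SAMPLE_BADGES, ACTIVE_EMPLOYEE_IDS, REPORT_DATE)

if __name__ == "__main__":
    for action, numbers in run_sample_report().items():
        print(f"{action}: {', '.join(numbers) or 'none'}")
```

In a real deployment the badge rows would be exported from the PACS and the active ID set pulled from HR; the reconciliation logic stays the same.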