Physical Access Control
To meet the physical access control requirement, you must enforce access authorizations at every defined facility entry/exit where the system resides, verify a person’s authorization before admitting them, and control ingress and egress with defined controls. Build this into day-to-day operations with documented roles, approved access lists, visitor handling, and reviewable logs. (NIST Special Publication 800-53 Revision 5)
Key takeaways:
- Define your “entry/exit points,” then enforce verification at each one, every time. (NIST Special Publication 800-53 Revision 5)
- Prove it with artifacts: access authorizations, badges/keys issuance records, visitor logs, and physical access event logs. (NIST Special Publication 800-53 Revision 5)
- Audits fail on gaps between policy and reality: inconsistent enforcement, stale access lists, and missing logs are common findings. (NIST Special Publication 800-53 Revision 5)
Physical access control is an operational requirement that examiners treat as “show me” compliance. If your system runs in a facility (data center, corporate office with on-prem infrastructure, cage/closet, or co-location space), your obligation is to control who can physically reach it and to demonstrate that control through repeatable processes and records. The requirement is not satisfied by having a lock on the door; it requires that you (1) define which doors and pathways matter, (2) verify authorization before granting entry, and (3) actively control ingress and egress using your chosen controls. (NIST Special Publication 800-53 Revision 5)
For FedRAMP-aligned programs, this maps directly to NIST SP 800-53 Rev. 5 control PE-3. You should expect assessor scrutiny on two areas: (a) whether your authorization decisions are explicit (who is approved, for what, and why), and (b) whether enforcement is consistent across all relevant entry/exit points, including after-hours and third-party access. (NIST Special Publication 800-53 Revision 5)
The guidance below is written to help a CCO or GRC lead turn PE-3 into an implementable control set with clear ownership, procedures, and audit-ready evidence.
Regulatory text
Requirement (PE-3): “Enforce physical access authorizations at organization-defined entry and exit points to the facility where the system resides by verifying individual access authorizations before granting access; and controlling ingress and egress using organization-defined controls.” (NIST Special Publication 800-53 Revision 5)
Operator interpretation (plain English)
You must:
- Define the physical boundaries that protect the system (the facility and the specific entry/exit points that lead to it). (NIST Special Publication 800-53 Revision 5)
- Decide who is authorized to enter those areas, and under what conditions (employee, contractor, third party technician, escorted visitor). (NIST Special Publication 800-53 Revision 5)
- Verify authorization before access is granted (badge checks, guards verifying an access list, electronic access system checks, or equivalent). (NIST Special Publication 800-53 Revision 5)
- Control ingress and egress using your defined set of controls (locks, badge readers, mantraps, security staff, visitor management, key control, or combinations). (NIST Special Publication 800-53 Revision 5)
If an entry point exists and can be used to reach the system, it must be in scope. A “side door everyone forgets” is how PE-3 breaks in practice.
Who it applies to
In-scope entities
- Cloud Service Providers supporting FedRAMP Moderate authorizations. (NIST Special Publication 800-53 Revision 5)
- Federal agencies operating systems in facilities they control or contract for. (NIST Special Publication 800-53 Revision 5)
In-scope operational contexts
- Provider-controlled facilities (owned/leased offices, data centers, staging warehouses).
- Co-location spaces (cages, cabinets, shared data halls) where you must coordinate controls with the facility operator.
- Third-party managed data centers where your staff or your third party technicians may request access to the system environment.
If your system is fully hosted by another organization, PE-3 still matters: you must define responsibilities and collect evidence that the facility operator enforces access authorizations for spaces where your system resides. (NIST Special Publication 800-53 Revision 5)
What you actually need to do (step-by-step)
Step 1: Define the protected area and entry/exit points
- Identify the facility(ies) where the system resides and map pathways to system components (server rooms, network closets, cages).
- List every entry and exit point that could provide access, including loading docks, shared building entrances, stairwells, and internal doors between “office” and “restricted” zones.
- Assign each entry point an owner (Facilities, Data Center Ops, Security) and a control method (badge reader, keyed lock, guard desk, etc.). (NIST Special Publication 800-53 Revision 5)
Deliverable: Physical security boundary diagram + entry/exit point register.
Step 2: Establish authorization rules (who can enter, when, and why)
Define categories and authorization criteria:
- Privileged physical access (data center technicians, infrastructure engineers).
- Standard access (authorized employees for office areas, where those areas lead to restricted zones).
- Third party access (maintenance, ISP, HVAC, cleaners, co-lo staff).
- Visitors (always escorted, unless you explicitly authorize otherwise). (NIST Special Publication 800-53 Revision 5)
Decide what “authorization” means in your environment:
- Approved in an access request system by a manager and security.
- Included on an electronic access control list tied to a role.
- Time-bounded access for third parties with explicit sponsor and purpose. (NIST Special Publication 800-53 Revision 5)
Deliverable: Physical Access Authorization Standard (roles, approvals, constraints).
Step 3: Implement verification before granting access
Verification is the control examiners test. You need a consistent method at each entry/exit point, such as:
- Electronic access control system that checks badge status and permissions.
- Guard verification against an approved list for restricted zones.
- Two-factor physical access for sensitive spaces (e.g., badge + PIN) if your risk posture requires it, documented as your “organization-defined controls.” (NIST Special Publication 800-53 Revision 5)
Also define failure handling:
- What happens when someone’s badge fails?
- Who can override, and what record is created?
- How is after-hours access verified and logged? (NIST Special Publication 800-53 Revision 5)
Deliverable: Entry/exit procedures by location (normal, after-hours, exceptions).
Step 4: Control ingress and egress (operational controls)
Pick controls that match the facility and risk. Common control families you can define and document:
- Credential controls: badge issuance, badge return on termination, periodic inventory, key control if keys exist.
- Visitor management: sign-in/out, identity check, escort rules, visitor badges, purpose and sponsor recorded.
- Physical barriers: locked doors, cages, secured racks, mantraps where appropriate.
- Monitoring: door alarms, forced-door alerts, security cameras if part of your control set, and incident handling. (NIST Special Publication 800-53 Revision 5)
Deliverable: Physical Security Control Set (the “organization-defined controls” list) + SOPs.
Step 5: Tie physical access to HR and third-party risk workflows
PE-3 fails when terminations or contract ends don’t revoke physical access promptly.
- Integrate with onboarding/offboarding so Facilities/Security receives immediate notice.
- For third parties, require a sponsor and limit access scope/time; validate their need before renewing access. (NIST Special Publication 800-53 Revision 5)
Deliverable: Joiner/Mover/Leaver workflow with physical access checkpoints.
Step 6: Log, review, and correct
To operationalize, treat physical access as a reviewable control:
- Keep access event logs (badge reads, door events, guard logs) and visitor logs.
- Periodically review lists of who has access to restricted spaces and reconcile against current roles and contracts. (NIST Special Publication 800-53 Revision 5)
Deliverable: Access review records + remediation tickets for removals/fixes.
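The Step 6 access review (reconciling restricted-zone badge grants against HR and contract status, and checking the third-party sponsor and time-bound rules from Steps 2 and 5) as an added example in Python; this is not code from the page or from any badge system or HRIS, and the roster, grant schema, zone roles and status values are constructed assumptions.

```python
# Added example (constructed data, assumed schema): reconcile restricted-zone badge grants against HR/contract status.
from dataclasses import dataclass
from datetime import date
from typing import Optional
@dataclass
class Person:
    person_id: str
    status: str  # assumed values: "active", "terminated", "contract_ended"
    role: str

@dataclass
class Grant:
    badge_id: str
    person_id: str
    zone: str
    grant_type: str                 # "privileged", "standard" or "third_party"
    sponsor: Optional[str] = None   # third parties need a sponsor (Step 2)
    expires: Optional[date] = None  # third-party access must be time-bounded

# Roles the (assumed) authorization standard approves for each restricted zone.
ZONE_ROLES = {"server_room": {"dc_tech", "infra_eng"}}

def review_grants(grants, people, zone, today):
    """Return (badge_id, reason) findings; each one needs a remediation ticket."""
    roster = {p.person_id: p for p in people}
    findings = []
    for g in (g for g in grants if g.zone == zone):
        p = roster.get(g.person_id)
        if p is None:
            findings.append((g.badge_id, "no HR or contract record for holder"))
        elif p.status != "active":
            findings.append((g.badge_id, f"holder is {p.status}: revoke badge"))
        elif g.grant_type == "third_party":
            if g.sponsor is None:
                findings.append((g.badge_id, "third party has no sponsor"))
            if g.expires is None:
                findings.append((g.badge_id, "third-party access not time-bounded"))
            elif g.expires < today:
                findings.append((g.badge_id, f"third-party access expired {g.expires}"))
        elif p.role not in ZONE_ROLES.get(zone, set()):
            findings.append((g.badge_id, f"role {p.role} not approved for {zone}"))
    return findings
def run_sample():
    """Constructed roster and grants that exercise every finding type."""
    people = [Person("u1", "active", "dc_tech"), Person("u2", "terminated", "infra_eng"),
              Person("u3", "active", "sales"), Person("v1", "active", "hvac_vendor"),
              Person("v2", "active", "isp_tech")]
    grants = [Grant("B100", "u1", "server_room", "privileged"),  # clean
              Grant("B101", "u2", "server_room", "privileged"),  # terminated holder
              Grant("B102", "u3", "server_room", "standard"),    # role not approved
              Grant("B200", "v1", "server_room", "third_party", "u1", date(2024, 1, 31)),
              Grant("B201", "v2", "server_room", "third_party"),  # no sponsor or expiry
              Grant("B202", "u9", "server_room", "privileged")]  # not on any roster
    return review_grants(grants, people, "server_room", date(2024, 3, 1))
```

Each finding maps to one of the review outcomes above (revoke, re-sponsor, re-bound, or correct the approval); a clean grant such as B100 produces no finding.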
Required evidence and artifacts to retain
Keep evidence that maps directly to the verbs in PE-3: define, verify, control. (NIST Special Publication 800-53 Revision 5)
Core artifacts (audit-ready):
- Physical security policy/standard referencing PE-3 expectations. (NIST Special Publication 800-53 Revision 5)
- Facility boundary diagram(s) and entry/exit point register.
- Access request/approval records for personnel with restricted access.
- Badge/credential issuance and revocation records (including terminations).
- Visitor management logs (sign-in/out, sponsor, escort).
- Physical access event logs (badge reader logs, guard logs) and retention notes.
- Exception/override records (who approved, why, what compensating controls).
- Third party access agreements/clauses or shared responsibility documentation for co-lo/managed facilities. (NIST Special Publication 800-53 Revision 5)
Common exam/audit questions and hangups
Expect questions that test completeness and operational reality:
- “Show me all entry/exit points in scope and how authorization is verified at each.” (NIST Special Publication 800-53 Revision 5)
- “Who can access the server room/cage today? Provide the list and approvals.” (NIST Special Publication 800-53 Revision 5)
- “How do you handle third party technicians or building maintenance?” (NIST Special Publication 800-53 Revision 5)
- “Demonstrate offboarding: pick a terminated user and show badge deactivation evidence.” (NIST Special Publication 800-53 Revision 5)
- “What happens when systems are down (badge reader offline, guard absent)?” (NIST Special Publication 800-53 Revision 5)
Hangups that slow assessments:
- Access lists exist but are not reconciled to HR/contract status.
- Visitor logs are inconsistent across sites.
- Controls differ by door, and undocumented “local practice” substitutes for policy.
Frequent implementation mistakes and how to avoid them
- Undefined scope (“the building is secure”). Fix: document the facility boundary and every in-scope door, then assign an enforcement method per door. (NIST Special Publication 800-53 Revision 5)
- Authorization without verification. Fix: require a verification step at the point of entry, not just an approval in a system. (NIST Special Publication 800-53 Revision 5)
- Overbroad third-party access. Fix: time-bound access, require sponsorship, and keep logs tied to purpose. (NIST Special Publication 800-53 Revision 5)
- Badges/keys not revoked cleanly. Fix: make physical access removal a mandatory offboarding task with evidence capture. (NIST Special Publication 800-53 Revision 5)
- Evidence scattered across Facilities, Security, and IT. Fix: centralize control narratives and evidence indexing. Daydream can help by structuring PE-3 evidence requests and maintaining an audit-ready artifact map without chasing owners across email threads. (NIST Special Publication 800-53 Revision 5)
Enforcement context and risk implications
No public enforcement cases were provided for this requirement in the source catalog, so don’t anchor your program to a specific case narrative.
Operationally, the risk is straightforward: weak physical access control allows unauthorized physical proximity to systems, which can enable theft, tampering, downtime, or bypass of logical controls. Assessors treat physical access gaps as high-signal because they often indicate broader control weaknesses (role discipline, logging maturity, and deprovisioning rigor). (NIST Special Publication 800-53 Revision 5)
Practical 30/60/90-day execution plan
Use phased work that produces evidence early and hardens operations over time.
First 30 days (establish scope + enforceability)
- Build the facility boundary diagram and entry/exit point register.
- Write the physical access authorization standard (roles, approvals, visitor rules, third party rules). (NIST Special Publication 800-53 Revision 5)
- Confirm how verification occurs at each door; document gaps and temporary procedures.
- Start collecting existing logs (badge events, visitor sign-in) into a known repository.
Next 60 days (make it repeatable + auditable)
- Implement or formalize access request and approval workflows for restricted areas.
- Standardize visitor management across locations (template log fields, escort requirements).
- Align onboarding/offboarding with physical access provisioning and removal; test with real examples. (NIST Special Publication 800-53 Revision 5)
- Establish periodic access reviews for restricted zones and track remediation.
By 90 days (close gaps + operational monitoring)
- Resolve high-risk entry point gaps (uncontrolled doors, shared entrances without verification).
- Document exception handling and ensure overrides produce records.
- Run an internal “PE-3 walkthrough” with Facilities/Security: simulate a new hire, a third party visit, and a termination to validate end-to-end evidence. (NIST Special Publication 800-53 Revision 5)
Frequently Asked Questions
Does PE-3 apply if our system is hosted in a third-party data center?
Yes. If the system resides in that facility, physical access authorizations must still be enforced at defined entry/exit points. Your job is to define shared responsibilities and retain evidence that the facility operator verifies authorization and controls ingress/egress for your space. (NIST Special Publication 800-53 Revision 5)
What counts as “verification” of authorization?
Verification means checking the individual’s authorization before entry, such as an access control system validating badge permissions or a guard confirming identity and approval against an access list. The method can vary, but it must be defined and consistently followed. (NIST Special Publication 800-53 Revision 5)
Are visitor logs required?
PE-3 requires you to control ingress and egress and verify authorization before granting access; visitor logging is a common artifact that demonstrates controlled entry for non-badged individuals. If visitors can reach in-scope areas, keep records that show who entered, why, and under whose sponsorship. (NIST Special Publication 800-53 Revision 5)
How do we handle emergency access or door overrides?
Define an exception process: who can authorize the override, what compensating controls apply (escort, guard presence), and what record is produced. Auditors will ask for proof that exceptions are controlled rather than informal. (NIST Special Publication 800-53 Revision 5)
What’s the minimum evidence an assessor will expect to see?
Expect to show the defined entry/exit points, the list of authorized individuals for restricted areas, and logs or records demonstrating that access decisions are enforced at the door. If evidence is fragmented, maintain an indexed evidence map tied to PE-3. (NIST Special Publication 800-53 Revision 5)
How should we manage physical access for third party technicians?
Require a documented sponsor, define scope and time bounds, verify identity at entry, and record ingress/egress. If the third party is granted badge access, treat it like employee access with approvals, periodic review, and deprovisioning when the engagement ends. (NIST Special Publication 800-53 Revision 5)