PE-2(2): Two Forms of Identification
PE-2(2) requires you to verify a visitor’s identity using two acceptable forms of identification before granting unescorted access to the facility where your system resides. To operationalize it fast, define which IDs you accept, train reception/security to check and record both IDs, and retain visitor logs and exception approvals as audit evidence. [1]
Key takeaways:
- Define an “acceptable ID list” and make it usable at the front desk, not just in policy. [1]
- Build a repeatable workflow: present two IDs, validate, log, badge, escort decision, and retain records. [1]
- The most common gap is evidence: auditors want logs and procedures that prove the control runs consistently. [1]
The PE-2(2): Two Forms of Identification requirement sits inside the NIST SP 800-53 physical and environmental protection family and targets a simple failure mode: unknown people walking into controlled space on the strength of a single weak identity check. You can meet the requirement with basic operational discipline, but you must make it consistent across all entry points, shifts, and visitor types.
For a CCO or GRC lead, the fastest path is to translate “two forms of identification” into a facility-ready standard: what IDs count, who verifies them, how you document the check, and what you do when someone cannot produce two acceptable IDs. Most organizations stumble on edge cases (VIPs, job candidates, couriers, after-hours maintenance, and third-party technicians) and on inconsistent recordkeeping (paper sign-in sheets that go missing, incomplete entries, or no documented exceptions).
This page gives requirement-level implementation guidance you can assign to facilities/security, HR, IT, and system owners. It is written to help you pass an assessment by demonstrating both design and operating effectiveness through clear procedures and repeatable evidence. [2]
Regulatory text
NIST SP 800-53 PE-2(2) states: “Require two forms of identification from the following forms of identification for visitor access to the facility where the system resides: {{ insert: param, pe-02.02_odp }}.” [1]
What the operator must do
- Specify the acceptable forms of identification (the “ODP” list referenced in the control) and make that list available to staff who grant access. [1]
- Require two forms from that acceptable list before granting visitor access to the facility housing the system. [1]
- Operationalize verification and documentation so you can show the control is performed consistently (not just written). [1]
Plain-English interpretation (what PE-2(2) really means)
You must positively identify visitors using two separate ID artifacts from your approved list before they enter areas that could give access to the system (or system components). One ID check is considered too easy to bypass or too easy to accept casually. Two forms forces a second verification step and reduces social engineering and tailgating risk at the front door.
This is a visitor access control. It is not primarily about employee badge issuance (though your badge program often intersects). It is about anyone who is not already authorized for normal facility access, including third parties, guests, and short-term workers.
Who it applies to (entity and operational context)
Applies to:
- Federal information systems and the facilities where those systems reside. [3]
- Contractor systems handling federal data when NIST SP 800-53 is flowed down contractually or via an authorization boundary. [3]
Operational contexts where assessors focus:
- Primary office entrances, secondary entrances, loading docks, after-hours access points
- Data centers, MDF/IDF rooms, lab spaces, secure cages, records rooms
- Shared buildings where lobby security is run by a landlord or third party (you still need your process to meet the requirement in your boundary)
What you actually need to do (step-by-step)
1) Define the acceptable ID list (and document it)
Create an “Acceptable Visitor Identification Standard” that names which IDs your staff may accept as the two forms of identification. The control text expects you to choose the forms via the parameter list. [1]
Practical decision points to settle:
- Whether at least one ID must be government-issued with photo
- Whether the second ID can be non-photo (for example, a badge from another employer, a credit card, or other credential) if your risk posture allows it
- Whether digital IDs are accepted (and how staff validate authenticity)
- Whether IDs must be unexpired
Keep the list short enough that reception can follow it without guesswork.
2) Build a visitor intake workflow that front-line staff can run
Document a simple procedure (one page is fine) that covers:
- Greet visitor and determine purpose (who they are visiting; work order or meeting invite).
- Collect two forms of ID from the approved list. [1]
- Verify authenticity at a reasonable level (visual inspection, photo match, expiration date, tamper signs).
- Record required visitor log fields (see “Evidence” section).
- Issue a time-bound visitor badge and require it be worn visibly.
- Determine escort requirement based on area sensitivity and your physical access rules (PE-2(2) is identity; escorting is often handled elsewhere, but your workflow should connect the dots).
- Check-out process: badge return, exit time logged, access disabled if any temporary credential was issued.
3) Handle exceptions without breaking the control
You will face visitors who cannot or will not provide two acceptable IDs. Decide in advance what “no” looks like.
Recommended exception pattern:
- No two IDs → no unescorted access.
- Allow access only under documented exception approval (named approver, reason, compensating controls like escorting, restricted areas).
- If you do allow an exception, log it and retain the approval artifact with the visitor record.
This keeps operations moving while preserving auditability and reducing ad hoc decision-making.
4) Align roles and ownership
Assign an operational owner (often Facilities or Corporate Security) and a compliance owner (GRC). Then define RACI for:
- Reception/security screening
- Visitor log administration and retention
- Periodic review of visitor logs for completeness and anomalies
- Training and refresher training for staff who check IDs
A common implementation gap is “the policy exists, but the building security contractor never received it.” Close that with contract language or post orders.
5) Prove it runs consistently (monitoring and QA)
Do light-touch QA:
- Spot-check visitor logs for missing second ID confirmation
- Validate that the acceptable ID list is posted at check-in desks or inside the visitor management system prompts
- Review exceptions and confirm compensating controls were applied
If you use an electronic visitor management system, configure required fields so a badge cannot be printed unless staff attest two IDs were checked.
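The spot checks in steps 2, 3 and 5 (two distinct acceptable unexpired IDs, a documented exception with a compensating escort when the second ID is missing, and complete log fields with a recorded check-out) can be run mechanically over a visitor management export. The following script is an added example, not code from the page or from any visitor management product; the acceptable ID list, the photo-ID rule, the record fields and the four sample visitors are constructed assumptions standing in for your own ODP list and log export.

```python
"""Visitor-log QA check for a two-forms-of-ID procedure (added example).

Assumptions: ACCEPTABLE_IDS stands in for the organization's own parameter
list; PHOTO_IDS encodes a local "at least one photo ID" rule; SAMPLE_LOG is a
constructed export, not real visitor data.
"""
from dataclasses import dataclass, field
from datetime import date, datetime
from typing import Optional

# Assumed acceptable-ID standard (placeholder for your own parameter list).
ACCEPTABLE_IDS = {"drivers_license", "passport", "federal_piv", "state_id", "employer_badge"}
# Assumed local rule: at least one of the two IDs must carry a photo.
PHOTO_IDS = {"drivers_license", "passport", "federal_piv", "state_id"}


@dataclass
class IdCheck:
    kind: str                       # ID kind as recorded by the desk
    expires: Optional[date] = None  # None when the credential carries no expiry


@dataclass
class VisitorRecord:
    visitor: str
    host: str
    purpose: str
    time_in: datetime
    time_out: Optional[datetime] = None
    badge: Optional[str] = None
    ids_checked: list = field(default_factory=list)
    escort: Optional[str] = None
    exception_approver: Optional[str] = None
    exception_reason: Optional[str] = None


def valid_ids(rec: VisitorRecord, acceptable=ACCEPTABLE_IDS) -> set:
    """Distinct acceptable, unexpired ID kinds recorded at check-in."""
    as_of = rec.time_in.date()
    return {
        i.kind for i in rec.ids_checked
        if i.kind in acceptable and (i.expires is None or i.expires >= as_of)
    }


def check_record(rec: VisitorRecord, acceptable=ACCEPTABLE_IDS, photo=PHOTO_IDS) -> list:
    """Return QA findings for one record; an empty list means the record passes."""
    findings = []
    kinds = valid_ids(rec, acceptable)
    has_two = len(kinds) >= 2
    has_exception = bool(rec.exception_approver and rec.exception_reason)

    if not has_two and not has_exception:
        findings.append("fewer than two distinct acceptable unexpired IDs and no exception approval")
    if not has_two and has_exception and not rec.escort:
        findings.append("exception approved without an escort as compensating control")
    if has_two and not (kinds & photo):
        findings.append("neither accepted ID carries a photo")
    for name in ("host", "purpose", "badge"):
        if not getattr(rec, name):
            findings.append(f"missing {name}")
    if rec.time_out is None:
        findings.append("no check-out time recorded")
    elif rec.time_out < rec.time_in:
        findings.append("check-out precedes check-in")
    return findings


def audit(records) -> dict:
    """Map visitor name -> findings for every record that fails at least one check."""
    result = {}
    for rec in records:
        findings = check_record(rec)
        if findings:
            result[rec.visitor] = findings
    return result


# Constructed sample export: four visitors on one day.
SAMPLE_LOG = [
    VisitorRecord("A. Vendor", "J. Host", "maintenance", datetime(2024, 5, 6, 9, 0),
                  datetime(2024, 5, 6, 11, 30), "V-101",
                  [IdCheck("drivers_license", date(2027, 1, 1)), IdCheck("employer_badge")]),
    VisitorRecord("B. Courier", "Mailroom", "delivery", datetime(2024, 5, 6, 9, 15),
                  datetime(2024, 5, 6, 9, 25), "V-102",
                  [IdCheck("employer_badge")]),  # one ID, no documented exception
    VisitorRecord("C. Candidate", "HR", "interview", datetime(2024, 5, 6, 10, 0),
                  datetime(2024, 5, 6, 12, 0), "V-103",
                  [IdCheck("passport", date(2023, 12, 31)), IdCheck("state_id", date(2026, 1, 1))],
                  escort="HR-Recruiter", exception_approver="Security Mgr",
                  exception_reason="passport expired; escorted to HR only"),
    VisitorRecord("D. Tech", "", "cabling", datetime(2024, 5, 6, 13, 0), None, "V-104",
                  [IdCheck("drivers_license", date(2025, 6, 1)),
                   IdCheck("drivers_license", date(2025, 6, 1))]),  # same ID keyed twice
]

if __name__ == "__main__":
    for visitor, findings in audit(SAMPLE_LOG).items():
        print(visitor, "->", "; ".join(findings))
```

Two design points carry over to a real export: the check counts distinct ID kinds, so the same credential keyed twice does not satisfy the rule, and an expired credential is dropped before counting, so the candidate with an expired passport only passes because the exception approval and escort are both on the record.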
Required evidence and artifacts to retain
Assessors usually want both design evidence and operational evidence.
Design artifacts
- Visitor Access Procedure with the two-ID requirement explicitly stated. [1]
- Acceptable Forms of Identification Standard (the parameter list you selected). [1]
- Roles/responsibilities document (RACI or control ownership mapping)
Operational artifacts
- Visitor logs (electronic export or scanned paper logs) showing:
  - Visitor name
  - Date/time in and out
  - Host name and/or organization visited
  - Purpose (meeting, maintenance, delivery)
  - Badge number (if applicable)
  - Confirmation that two forms of ID were verified (checkbox/field)
  - Escort requirement/escort name when applicable
- Exception approvals and compensating control notes
- Training records for staff performing ID checks (rosters, acknowledgments)
- If third-party building security runs the desk: contract exhibit, post orders, or SOP acknowledgement showing they follow your two-ID procedure
Retention: Set a retention period consistent with your internal policies and any contract or authorization requirements. The requirement does not state a specific duration in the provided text, so avoid inventing one. [1]
Common exam/audit questions and hangups
Expect questions like:
- “Show me your acceptable ID list. Where is it documented?” [1]
- “Walk me through what happens when a visitor arrives after hours.”
- “How do you know security actually checked two IDs, versus just logging a name?”
- “Do you require two IDs for all visitors or only some categories?”
- “How do you handle recurring third-party technicians?”
- “Provide a sample of visitor records and any exceptions for the period under review.”
Hangup to anticipate: shared facilities. If a landlord controls lobby access, you still need evidence that the screening meets your requirement for entry into your controlled space or that you have compensating controls before a visitor reaches system areas.
Frequent implementation mistakes (and how to avoid them)
- Mistake: “Two IDs” exists only in policy.
  Fix: Put the requirement into the visitor management system workflow or the guard desk checklist, and train to it. [1]
- Mistake: Acceptable IDs are vague (“government ID required”) without a second-ID rule.
  Fix: Define the two-ID combinations your staff can accept and document them clearly. [1]
- Mistake: Deliveries and couriers bypass the desk.
  Fix: Route deliveries to a controlled handoff point, or require the delivery person to be treated as a visitor if they must enter beyond the lobby.
- Mistake: Exceptions are informal (VIP override, “known contractor”).
  Fix: Create a short exception form or ticket workflow with required approver and compensating controls.
- Mistake: Logs are incomplete or not retained.
  Fix: Make key fields mandatory, audit log completeness, and store records in a controlled repository.
Risk implications and why assessors care
PE-2(2) is a low-complexity control with high signaling value: if you cannot consistently validate visitor identity at the boundary, assessors will question your ability to execute other physical access controls. The immediate risk is unauthorized physical proximity to systems, which can enable theft, tampering, or opportunistic access to network ports and consoles. [3]
A practical 30/60/90-day execution plan
First 30 days (Immediate stabilization)
- Name a control owner and back-up owner for visitor ID verification. [1]
- Draft/approve the acceptable ID list and a one-page guard desk procedure. [1]
- Update visitor log template or system fields to capture “two IDs checked” and host information.
- Train reception/security and confirm the procedure is accessible at every entry point.
Day 31–60 (Operational hardening)
- Run spot-check QA on visitor records; fix missing fields and unclear exception handling.
- Implement an exception approval path (email template, ticket type, or form) and teach staff to use it.
- If you outsource security, align contract language or post orders to your procedure and collect written acknowledgement.
Day 61–90 (Assessment readiness)
- Compile an evidence packet: procedures, acceptable ID list, sample logs, exception samples, training records.
- Perform a tabletop walkthrough with Facilities/Security and GRC: “Visitor arrives, can’t produce second ID, what happens?”
- If you use Daydream for control operations, map PE-2(2) to a control owner, a standard procedure, and recurring evidence artifacts so evidence collection becomes routine rather than an audit scramble. [1]
Frequently Asked Questions
Does PE-2(2) apply to employees or only visitors?
The control enhancement is written for “visitor access to the facility where the system resides.” Employees are typically handled under badge issuance and physical access authorization controls, but you should treat non-badged personnel as visitors. [1]
What counts as “two forms of identification”?
The requirement expects you to choose acceptable forms via the parameter list referenced in the control text. Define the exact acceptable IDs in your standard so reception and security can apply it consistently. [1]
Can the second ID be non-photo?
The control text does not prescribe photo versus non-photo in the provided excerpt. Decide based on facility risk, document the rule, and train staff so the decision is consistent. [1]
What if a visitor refuses to provide two IDs?
Deny unescorted access and route the situation through a documented exception process with compensating controls (escort, restricted access areas) if you allow entry at all. Record the decision and keep the approval with the visitor log.
We are in a shared building with lobby security we don’t control. How do we comply?
You need evidence that visitor identity is verified with two acceptable IDs before the visitor reaches your controlled space, or you need a compensating process at your suite entrance. Document responsibilities and keep artifacts (post orders, SOP acknowledgments, or your own logs). [1]
Are electronic visitor management systems required?
No specific tooling is required by the control text. Use a paper or electronic process, but make it auditable, consistent, and able to prove two IDs were checked. [1]
Footnotes
[1] NIST SP 800-53 Rev. 5 OSCAL JSON