PE-3(3): Continuous Guards

PE-3(3) requires you to staff continuous physical guards to control access to the facility where your system resides, 24/7. To operationalize it, define which facility(ies) are in scope, implement a guard post and procedures that actually control entry, and retain shift logs, post orders, and oversight records that prove uninterrupted coverage. (NIST SP 800-53 Rev. 5 OSCAL JSON)

Key takeaways:

  • PE-3(3) is a facility access control requirement: guards must control access continuously, not “on-call.” (NIST SP 800-53 Rev. 5 OSCAL JSON)
  • Scope is the facility where the system resides, which includes data centers, comms rooms, and hosting locations you rely on. (NIST SP 800-53 Rev. 5)
  • Audit success depends on operational evidence: guard rosters, post orders, incident/escalation records, and periodic management review. (NIST SP 800-53 Rev. 5 OSCAL JSON)

PE-3(3): Continuous Guards is one of the more “binary” physical security controls in NIST SP 800-53: either the defined access points are actively controlled by guards around the clock, or they are not. The requirement exists to reduce the chance that an attacker (or unauthorized insider) can reach the system's physical environment during off-hours, holidays, or other low-visibility periods.

For a Compliance Officer, CCO, or GRC lead, the fastest path to implementation is to treat PE-3(3) as an operational service with measurable coverage, defined posts, and documented procedures. Your first decisions are scope (which facilities are “where the system resides”), the organization-defined parameter (which physical access points the guards control), delivery model (internal security staff vs. contracted guard force), and the specific access control actions guards must perform (ID checks, visitor validation, escort enforcement, monitoring alarms, and denying entry when authorization is unclear).

Teams often “pass” on paper with a security contract but fail in assessment because they cannot show uninterrupted coverage, or because guards are present but not actually controlling access (for example, doors unlocked after hours, poor badge/visitor validation, or missing logs). This page is written to help you implement the PE-3(3) Continuous Guards requirement quickly, with assessor-ready artifacts. (NIST SP 800-53 Rev. 5 OSCAL JSON)

Regulatory text

Requirement (verbatim, as stored in the OSCAL catalog): “Employ guards to control {{ insert: param, pe-03.03_odp }} to the facility where the system resides 24 hours per day, 7 days per week.” The “{{ insert: param, pe-03.03_odp }}” token is the OSCAL placeholder for the control's organization-defined parameter, labelled “physical access points”; in the published text it reads “[Assignment: organization-defined physical access points]”, so the organization must state which access points the guards control. (NIST SP 800-53 Rev. 5 OSCAL JSON)
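The placeholder above can be resolved mechanically. The Python script below is an added example, not part of this page or of NIST's OSCAL tooling. It walks a constructed, minimal catalog fragment shaped like the published Rev. 5 OSCAL JSON (only the fields the script reads are present; the control id, parameter id, label, and statement prose match the published catalog, and everything else is omitted), substitutes the organization's chosen value for the ODP placeholder, and reports any parameter still unassigned, which is the check worth running before a resolved statement is recorded in your control documentation.

```python
"""Resolve a NIST SP 800-53 Rev. 5 OSCAL control statement and its
organization-defined parameter (ODP) placeholders.

Added example, not part of the page or of NIST's OSCAL tooling. CATALOG is a
constructed, minimal fragment shaped like the published JSON catalog.
"""
import re

# Constructed fragment: control/parameter ids, the label and the statement prose
# match the published catalog; uuid, metadata, props and sibling parts are omitted.
CATALOG = {
    "catalog": {
        "groups": [
            {
                "id": "pe",
                "title": "Physical and Environmental Protection",
                "controls": [
                    {
                        "id": "pe-3",
                        "title": "Physical Access Control",
                        "controls": [
                            {
                                "id": "pe-3.3",
                                "title": "Continuous Guards",
                                "params": [
                                    {"id": "pe-03.03_odp",
                                     "label": "physical access points"}
                                ],
                                "parts": [
                                    {
                                        "id": "pe-3.3_smt",
                                        "name": "statement",
                                        "prose": ("Employ guards to control "
                                                  "{{ insert: param, pe-03.03_odp }} "
                                                  "to the facility where the system "
                                                  "resides 24 hours per day, "
                                                  "7 days per week."),
                                    }
                                ],
                            }
                        ],
                    }
                ],
            }
        ]
    }
}

# OSCAL prose embeds a parameter as "{{ insert: param, <param-id> }}".
PLACEHOLDER = re.compile(r"\{\{\s*insert:\s*param,\s*([^\s}]+)\s*\}\}")


def find_control(node, control_id):
    """Depth-first search through groups and nested controls (enhancements)."""
    for key in ("groups", "controls"):
        for child in node.get(key, []):
            if child.get("id") == control_id:
                return child
            found = find_control(child, control_id)
            if found is not None:
                return found
    return None


def render_statement(control, odp_values):
    """Return the statement prose with every ODP placeholder resolved.

    A placeholder becomes the organization's value when one is supplied and
    otherwise the "[Assignment: ...]" text a reader sees in the PDF, so an
    unresolved ODP stays visible instead of being dropped. A placeholder that
    names a parameter the control does not declare raises KeyError.
    """
    labels = {p["id"]: p.get("label", p["id"]) for p in control.get("params", [])}
    statement = next(p["prose"] for p in control["parts"] if p["name"] == "statement")

    def substitute(match):
        pid = match.group(1)
        if pid not in labels:
            raise KeyError(f"{control['id']} declares no parameter {pid}")
        if pid in odp_values:
            return odp_values[pid]
        return f"[Assignment: organization-defined {labels[pid]}]"

    return PLACEHOLDER.sub(substitute, statement)


def unresolved_params(control, odp_values):
    """Parameter ids the organization has not yet assigned a value to."""
    return [p["id"] for p in control.get("params", []) if p["id"] not in odp_values]


if __name__ == "__main__":
    ctl = find_control(CATALOG["catalog"], "pe-3.3")
    print(render_statement(ctl, {}))
    print(render_statement(ctl, {"pe-03.03_odp": "the main lobby entrance and the loading dock"}))
    print("unassigned:", unresolved_params(ctl, {}))
```

Pointing the same functions at the full published catalog file (json.load) works unchanged, because the search only depends on the groups/controls nesting and the parts/params keys used here.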

What the operator must do

  • Employ guards: You must have human guard coverage (not just cameras, badge readers, or remote monitoring) as part of the access control design. (NIST SP 800-53 Rev. 5 OSCAL JSON)
  • Control the organization-defined physical access points: The control's parameter (pe-03.03_odp, “physical access points”) is where you state which entrances, docks, and interior doors guards control. At those points, guards must perform an access control function, such as validating authorization and preventing unauthorized entry; presence alone is not control. (NIST SP 800-53 Rev. 5 OSCAL JSON)
  • Facility where the system resides: Scope is tied to the physical location(s) that house the system components, not just corporate HQ. This can include colocation space, on-prem data centers, controlled server rooms, network closets, or other supporting infrastructure areas. (NIST SP 800-53 Rev. 5)
  • 24 hours per day, 7 days per week: Coverage must be continuous across all days and hours. Any gap is a finding unless you have an approved, documented alternative that still meets the control as written; in practice, assessors treat an “alternative” that leaves the defined access points without guards as noncompliant with this enhancement. (NIST SP 800-53 Rev. 5 OSCAL JSON)

Plain-English interpretation (what PE-3(3) is really asking)

You need a guard force that can reliably stop unauthorized people from entering the facility environment where the system is hosted, at any time. The control is aimed at the “night/weekend problem,” where technical controls can be bypassed if an attacker can physically reach devices, cabling, consoles, or removable media.

If your system is hosted by a third party (cloud, colocation, managed hosting), you still own the requirement from a governance perspective. Operationally, you may inherit the control from the hosting provider, but you must confirm it and retain evidence. (NIST SP 800-53 Rev. 5)

Who it applies to (entity and operational context)

Entities

  • Federal information systems implementing NIST SP 800-53 controls. (NIST SP 800-53 Rev. 5)
  • Contractor systems handling federal data where NIST SP 800-53 is flowed down contractually or via an ATO/FedRAMP-like requirement set. (NIST SP 800-53 Rev. 5)

Operational contexts where PE-3(3) commonly becomes “in scope”

  • Owned facilities with a dedicated data center or controlled server room that hosts production systems.
  • Colocation facilities where you rent cabinets/cages (guards may be building-level; confirm how they control access to your specific area).
  • Mixed-use corporate buildings where IT rooms exist but physical security is run by facilities or a landlord (watch for gaps after hours).
  • Any location where critical system components reside, including supporting network infrastructure that could enable compromise if accessed. (NIST SP 800-53 Rev. 5)

What you actually need to do (step-by-step)

Step 1: Define “facility where the system resides” for the system boundary

  • List all physical locations that house system components (including comms rooms and supporting infrastructure tied to the system boundary).
  • For each location, record the address, owner (you vs. third party), and access paths (main entrance, loading dock, side doors, mantraps, etc.).
  • Decide which locations require continuous guards versus which are out of scope because the system does not reside there. Keep this tied to your authorization boundary documentation. (NIST SP 800-53 Rev. 5)

Step 2: Choose an operating model and assign control ownership

  • Internal guard force: Define staffing, training, supervision, and scheduling.
  • Contracted guards (third party): Define contract requirements, KPIs, post orders, and your right to audit.
  • Assign an accountable control owner (often Physical Security, Facilities Security, or Corporate Security) and a GRC point person responsible for evidence collection and assessor support. (NIST SP 800-53 Rev. 5 OSCAL JSON)

Step 3: Write “post orders” that translate policy into guard actions

Your post orders should be explicit and testable. Include:

  • Access authorization checks (badge validation, government ID verification, approved access list).
  • Visitor handling (sign-in, badge issuance, verification of sponsor, escort requirements).
  • Handling of deliveries and contractors (loading dock procedures, tool/material checks if required by your risk profile).
  • Alarm response and escalation (who to call, when to deny access, incident reporting steps).
  • Prohibited actions (no propping doors, no “tailgating allowed,” no bypassing checks for convenience). (NIST SP 800-53 Rev. 5)

Step 4: Ensure guards can actually “control access”

You need physical and procedural ability to deny entry:

  • Guards must be positioned at access points that matter (or have monitoring and response authority that prevents entry).
  • Doors, turnstiles, gates, and mantraps must support guard enforcement (for example, guards can keep doors locked, intervene on tailgating, or require re-authentication).
  • Align guard procedures with electronic access control so guard checks match badge permissions, after-hours rules, and visitor systems. (NIST SP 800-53 Rev. 5)

Step 5: Implement coverage management (the part auditors probe)

  • Build a scheduling process that prevents uncovered posts (backfill for breaks, sick leave, holidays).
  • Define what constitutes an unacceptable gap and how it is reported, triaged, and corrected.
  • Set up supervisory checks (post inspections, sign-offs, or periodic reviews of logs) that prove the program is managed, not assumed. (NIST SP 800-53 Rev. 5 OSCAL JSON)
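One way to make the gap definition in Step 5 mechanical, added here as an example that is not taken from the page or from any guard-management product: the Python below reads shift-log rows (constructed sample data, including one required post that has no shifts at all), merges overlapping shifts so double-staffing cannot mask a hole, and reports every uncovered interval per required post against a 24-hour window, with the organization's maximum tolerated gap as an explicit parameter rather than an assumption.

```python
"""Find uncovered time at each required guard post from a shift log.

Added example, not part of the page or of any guard-management product.
The shift rows and post names below are constructed sample data.
"""
import csv
from datetime import datetime, timedelta
from io import StringIO

# Constructed shift log: one row per shift, ISO 8601 local timestamps.
# loading-dock has an unstaffed 30-minute lunch break and is empty 02:00-06:00.
SHIFT_LOG = """\
post,guard,start,end
main-lobby,G-17,2024-03-01T06:00,2024-03-01T14:00
main-lobby,G-23,2024-03-01T14:00,2024-03-01T22:00
main-lobby,G-08,2024-03-01T22:00,2024-03-02T06:00
loading-dock,G-11,2024-03-01T06:00,2024-03-01T12:00
loading-dock,G-11,2024-03-01T12:30,2024-03-01T18:00
loading-dock,G-30,2024-03-01T18:00,2024-03-02T02:00
"""

# The access points the organization has defined as guard-controlled (the
# control's organization-defined parameter). "cage-door" appears in no shift
# row at all; that must surface as a full-window gap, not be silently skipped.
REQUIRED_POSTS = ["main-lobby", "loading-dock", "cage-door"]


def parse_shifts(text):
    """Parse CSV rows into {post: [(start, end), ...]}; reject impossible rows."""
    shifts = {}
    for row in csv.DictReader(StringIO(text)):
        start = datetime.fromisoformat(row["start"])
        end = datetime.fromisoformat(row["end"])
        if end <= start:
            raise ValueError(f"{row['guard']} at {row['post']}: shift ends before it starts")
        shifts.setdefault(row["post"], []).append((start, end))
    return shifts


def merge_intervals(intervals):
    """Merge overlapping or touching intervals so double-staffing cannot hide a gap."""
    merged = []
    for start, end in sorted(intervals):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def coverage_gaps(shifts, required_posts, window_start, window_end, max_gap_minutes=0):
    """Return {post: [(gap_start, gap_end), ...]} for uncovered time in the window.

    Gaps of max_gap_minutes or less are ignored, so the organization's own
    definition of an acceptable gap is an explicit input. A post with no
    shifts yields one gap spanning the whole window.
    """
    limit = timedelta(minutes=max_gap_minutes)
    gaps = {}
    for post in required_posts:
        cursor = window_start
        post_gaps = []
        for start, end in merge_intervals(shifts.get(post, [])):
            if start > cursor and start - cursor > limit:
                post_gaps.append((cursor, min(start, window_end)))
            cursor = max(cursor, end)
            if cursor >= window_end:
                break
        if cursor < window_end and window_end - cursor > limit:
            post_gaps.append((cursor, window_end))
        gaps[post] = post_gaps
    return gaps


def audit(shift_log=SHIFT_LOG, posts=REQUIRED_POSTS, window_start="2024-03-01T06:00",
          hours=24, max_gap_minutes=0):
    """Run the check for one window; return per-post gaps (as strings) and minutes."""
    start = datetime.fromisoformat(window_start)
    gaps = coverage_gaps(parse_shifts(shift_log), posts, start,
                         start + timedelta(hours=hours), max_gap_minutes)
    return {
        post: {
            "gaps": [f"{s:%Y-%m-%dT%H:%M}/{e:%Y-%m-%dT%H:%M}" for s, e in g],
            "minutes": int(sum((e - s).total_seconds() for s, e in g) // 60),
        }
        for post, g in gaps.items()
    }


if __name__ == "__main__":
    for post, result in audit().items():
        status = "OK" if not result["gaps"] else f"{result['minutes']} min uncovered"
        print(f"{post}: {status} {result['gaps']}")
```

Run weekly over the roster export and the supervisor sign-off can cite the uncovered minutes per post; a post that never appears in the log (the cage-door case) is the mistake this catches that a glance at the roster does not.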

Step 6: For third-party facilities, convert “trust me” into inheritable evidence

If a third party provides the facility:

  • Identify which controls you inherit and from whom.
  • Request evidence that guards control facility access continuously (examples below).
  • Document how you reviewed it and how often you refresh it based on your risk and contract obligations. (NIST SP 800-53 Rev. 5)

Practical tool: Many teams track inherited controls and evidence requests in Daydream so the “ask, receive, review, and renew” loop is consistent across hosting providers and facilities vendors, and so PE-3(3) evidence is available at assessment time without a scramble. (NIST SP 800-53 Rev. 5)

Required evidence and artifacts to retain (assessment-ready)

Maintain artifacts that show design, operation, and oversight:

Design evidence

  • Physical security policy section referencing continuous guard coverage for in-scope facilities.
  • Guard post orders / standard operating procedures (SOPs) tied to access control.
  • Facility scope statement: which facility(ies) house the system and are covered by guards. (NIST SP 800-53 Rev. 5 OSCAL JSON)

Operational evidence

  • Guard schedules/rosters (showing continuous coverage).
  • Shift change logs / post logs (daily activity record).
  • Visitor logs and escort logs (as applicable), with retention aligned to your program.
  • Incident and escalation reports (denied entries, alarms, suspicious activity).
  • Evidence of access challenges: examples where guards stopped/redirected unauthorized access attempts (redact as needed). (NIST SP 800-53 Rev. 5)

Oversight evidence

  • Supervisory patrol/inspection records.
  • Training completion records (site-specific access control training).
  • Contract/SLA and performance reviews for contracted guard providers.
  • Periodic management review notes and corrective actions for any coverage gaps. (NIST SP 800-53 Rev. 5 OSCAL JSON)

Common exam/audit questions and hangups

What assessors ask, what they are testing, and what to show:

  • “Which facility is in scope for this system?” Tests boundary clarity. Show: the facility list tied to the system boundary, with diagrams if available. (NIST SP 800-53 Rev. 5)
  • “Is there truly 24/7 guard coverage?” Tests for gaps. Show: rosters plus shift logs, and evidence of the backfill process. (NIST SP 800-53 Rev. 5 OSCAL JSON)
  • “Do guards actually control access?” Tests effectiveness. Show: post orders, observed procedures, and examples of denied entry or visitor enforcement. (NIST SP 800-53 Rev. 5 OSCAL JSON)
  • “What happens during emergencies?” Tests continuity of control. Show: escalation procedures, incident reports, and coordination with facilities and law enforcement. (NIST SP 800-53 Rev. 5)
  • “If a third party hosts this, where's the evidence?” Tests inherited control verification. Show: attestations, audit reports, contract language, and your review record. (NIST SP 800-53 Rev. 5)

Frequent implementation mistakes (and how to avoid them)

  1. Relying on cameras/badges alone. PE-3(3) explicitly calls for guards; treat cameras as supporting controls, not substitutes. (NIST SP 800-53 Rev. 5 OSCAL JSON)
  2. Guards present, but entrances uncontrolled. If employees can tailgate or doors are propped, “control access” fails in practice. Fix door hardware, add procedures, and train guards to challenge. (NIST SP 800-53 Rev. 5)
  3. Coverage gaps hidden in scheduling. Breaks, lunch, and call-outs create unstaffed posts unless you designed coverage for them. Require documented backfill and supervisor sign-off. (NIST SP 800-53 Rev. 5 OSCAL JSON)
  4. No facility-to-system mapping. Assessors will not accept “the building is secure” without showing that the facility hosts the system and is covered by guard control. Keep a simple, maintained scope record. (NIST SP 800-53 Rev. 5)
  5. Inheriting controls without proof. For hosted systems, you need tangible evidence and a review trail, not verbal confirmation. Store it in your GRC repository with renewal dates. (NIST SP 800-53 Rev. 5)

Risk implications (why this control is tested hard)

Physical access can bypass many technical safeguards. If an attacker can access racks, consoles, cabling, or removable media, they may obtain credentials, implant hardware, disrupt availability, or exfiltrate data. Continuous guards reduce this risk by adding immediate human deterrence and response at the point of entry. (NIST SP 800-53 Rev. 5)

A practical 30/60/90-day execution plan

Days 1–30 (stabilize scope and accountability)

  • Confirm in-scope facilities for each system boundary that claims PE-3(3). (NIST SP 800-53 Rev. 5)
  • Assign a control owner and an evidence owner; define how evidence will be collected and stored.
  • Collect current guard contracts, post orders, and any existing rosters/logs.
  • Identify coverage gaps (after-hours, weekends, holidays) and decide remediation path.

Days 31–60 (make it operational and testable)

  • Finalize post orders with explicit access control steps and escalation paths.
  • Implement a coverage management process (backfill, supervisor checks, gap reporting).
  • Start routine evidence capture (weekly or monthly pull of rosters/logs, depending on your oversight model).
  • For third-party facilities, issue evidence requests and document review outcomes. (NIST SP 800-53 Rev. 5)

Days 61–90 (prove effectiveness and get assessment-ready)

  • Run a tabletop or walkthrough of off-hours access scenarios (lost badge, unescorted visitor, emergency entry).
  • Sample-check logs for completeness and review findings with the guard supervisor or provider.
  • Document exceptions and corrective actions, then retest.
  • Load final artifacts into your GRC system (Daydream or equivalent) with owners and refresh cadences so PE-3(3) stays evergreen. (NIST SP 800-53 Rev. 5 OSCAL JSON)

Frequently Asked Questions

Does PE-3(3) allow remote monitoring instead of on-site guards?

PE-3(3) specifically requires you to “employ guards” to control access continuously, which is generally interpreted as human guard coverage rather than purely remote monitoring. Treat remote monitoring as supplemental unless your authorizing officials explicitly accept an alternative. (NIST SP 800-53 Rev. 5 OSCAL JSON)

What counts as “the facility where the system resides” if we use cloud services?

The physical facilities are operated by the cloud provider, but the requirement still applies to the hosting environment for your system boundary. You typically inherit the control and must retain provider evidence and your review record. (NIST SP 800-53 Rev. 5)

Do we need guards at every door, or is a single guarded entrance enough?

The control's organization-defined parameter is “physical access points”: you state which access points guards control, and your design must ensure that the remaining access paths (side doors, loading docks) cannot be used to bypass the guarded ones. If multiple entrances exist, you need procedures and physical controls (locked, alarmed, or guard-monitored doors) so guards still control entry to the facility. (NIST SP 800-53 Rev. 5)

What evidence is most persuasive to an assessor?

Show uninterrupted coverage (rosters + shift logs), plus post orders that describe how guards verify authorization and handle visitors. Add supervisory review records to demonstrate ongoing management. (NIST SP 800-53 Rev. 5 OSCAL JSON)

Our guard service is a third party. How do we keep accountability?

Put continuous coverage, post orders, reporting, and audit rights into the contract and run periodic performance reviews. Keep artifacts and review notes in a central system so you can demonstrate oversight. (NIST SP 800-53 Rev. 5)

How should we track PE-3(3) across multiple facilities and providers?

Use a control record that maps each in-scope facility to its guard model (internal or third party), evidence sources, and refresh cadence. Many teams manage this in Daydream to standardize requests and keep recurring evidence current. (NIST SP 800-53 Rev. 5)
