Skip to main content

PES-02: Physical Access Authorizations

PES 7 — High Protect

Physical access control mechanisms exist to maintain a current list of personnel with authorized access to organizational facilities (except for those areas within the facility officially designated as publicly accessible).

Control Question: Does the organization maintain a current list of personnel with authorized access to organizational facilities (except for those areas within the facility officially designated as publicly accessible)?

General (43)
Framework Mapping Values
AICPA TSC 2017:2022 (used for SOC 2) (source) CC6.4 CC6.4-POF1 CC6.4-POF2
COBIT 2019 DSS05.05
CSA CCM 4 DCS-09
GovRAMP Low PE-02
GovRAMP Low+ PE-02
GovRAMP Moderate PE-02
GovRAMP High PE-02
ISO 27002 2022 5.15 5.18 7.1
ISO 27017 2015 11.1.1
MPA Content Security Program 5.1 OR-3.1 PS-1.0 PS-1.2
NAIC Insurance Data Security Model Law (MDL-668) 4.D(2)(c)
NIST 800-53 R4 PE-2
NIST 800-53 R4 (low) PE-2
NIST 800-53 R4 (moderate) PE-2
NIST 800-53 R4 (high) PE-2
NIST 800-53 R5 (source) PE-2
NIST 800-53B R5 (low) (source) PE-2
NIST 800-53B R5 (moderate) (source) PE-2
NIST 800-53B R5 (high) (source) PE-2
NIST 800-82 R3 LOW OT Overlay PE-2
NIST 800-82 R3 MODERATE OT Overlay PE-2
NIST 800-82 R3 HIGH OT Overlay PE-2
NIST 800-161 R1 PE-2
NIST 800-161 R1 C-SCRM Baseline PE-2
NIST 800-161 R1 Flow Down PE-2
NIST 800-161 R1 Level 2 PE-2
NIST 800-161 R1 Level 3 PE-2
NIST 800-171 R2 (source) 3.10.1
NIST 800-171A (source) 3.10.1[a] 3.10.1[b] 3.10.1[c] 3.10.1[d]
NIST 800-171 R3 (source) 03.08.01 03.08.02 03.10.01.a 03.10.01.b 03.10.01.c 03.10.01.d 03.10.07.a
NIST 800-171A R3 (source) A.03.04.05[02] A.03.10.01.ODP[01] A.03.10.01.a[01] A.03.10.01.a[02] A.03.10.01.a[03] A.03.10.01.c A.03.10.01.d A.03.10.07.a.01
NIST CSF 2.0 (source) PR.AA PR.AA-06
PCI DSS 4.0.1 (source) 8.3.11 9.1 9.2 9.2.1 9.3 9.3.1
PCI DSS 4.0.1 SAQ A-EP (source) 8.3.11 9.2.1
PCI DSS 4.0.1 SAQ C (source) 9.2.1
PCI DSS 4.0.1 SAQ C-VT (source) 9.2.1
PCI DSS 4.0.1 SAQ D Merchant (source) 8.3.11 9.2.1 9.3.1
PCI DSS 4.0.1 SAQ D Service Provider (source) 8.3.11 9.2.1 9.3.1
SCF CORE Fundamentals PES-02
SCF CORE Mergers, Acquisitions & Divestitures (MA&D) PES-02
SCF CORE ESP Level 1 Foundational PES-02
SCF CORE ESP Level 2 Critical Infrastructure PES-02
SCF CORE ESP Level 3 Advanced Threats PES-02
US (29)
Framework Mapping Values
US C2M2 2.1 ACCESS-3.B.MIL1 ACCESS-3.I.MIL3
US CERT RMM 1.2 AM:SG1.SP1 EC:SG2.SP2 HRM:SG2.SP1 ID:SG1.SP1 ID:SG1.SP2 ID:SG1.SP3
US CJIS Security Policy 5.9.3 (source) 5.9.1.2
US CMMC 2.0 Level 1 (source) PE.L1-B.1.VIII
US CMMC 2.0 Level 1 AOs (source) PE.L1-B.1.VIII[a] PE.L1-B.1.VIII[b] PE.L1-B.1.VIII[c] PE.L1-B.1.VIII[d]
US CMMC 2.0 Level 2 (source) PE.L2-3.10.1
US CMMC 2.0 Level 3 (source) PE.L2-3.10.1
US CMS MARS-E 2.0 PE-2
US FAR 52.204-21 52.204-21(b)(1)(viii)
US FedRAMP R4 PE-2
US FedRAMP R4 (low) PE-2
US FedRAMP R4 (moderate) PE-2
US FedRAMP R4 (high) PE-2
US FedRAMP R4 (LI-SaaS) PE-2
US FedRAMP R5 (source) PE-2
US FedRAMP R5 (low) (source) PE-2
US FedRAMP R5 (moderate) (source) PE-2
US FedRAMP R5 (high) (source) PE-2
US FedRAMP R5 (LI-SaaS) (source) PE-2
US HIPAA Administrative Simplification 2013 (source) 164.310(a)(2)(i) 164.310(a)(2)(iii)
US HIPAA Security Rule / NIST SP 800-66 R2 (source) 164.310(a)(2)(i) 164.310(a)(2)(iii)
US IRS 1075 2.B.3 PE-2
US NERC CIP 2024 (source) CIP-004-7 4.1.2 CIP-004-7 4.2 CIP-004-7 6.1.2
US NISPOM 2020 8-308 5-306 5-308 6-104
US NNPI (unclass) 10.6 11.1 11.2 11.3
US - CA CCPA 2025 7123(c)(3)(D)
US - TX DIR Control Standards 2.0 PE-2
US - TX TX-RAMP Level 1 PE-2
US - TX TX-RAMP Level 2 PE-2
EMEA (7)
Framework Mapping Values
EMEA EU NIS2 Annex 13.3.1
EMEA Israel CDMO 1.0 12.27 18.3
EMEA Saudi Arabia ECC-1 2018 2-14-3-1
EMEA Saudi Arabia OTCC-1 2022 2-13-1-1
EMEA Saudi Arabia SACS-002 TPC-86
EMEA Spain CCN-STIC 825 8.1.1 [MP.IF.1]
EMEA UK DEFSTAN 05-138 1500
APAC (5)
Framework Mapping Values
APAC Japan ISMAP 11.1.1
APAC New Zealand HISF 2022 HHSP04 HML04 HSUP04
APAC New Zealand HISF Suppliers 2023 HSUP04
APAC New Zealand NZISM 3.6 8.1.11.C.01 8.1.11.C.02
APAC Singapore MAS TRM 2021 8.5.6(a)
Americas (1)
Framework Mapping Values
Americas Canada ITSP-10-171 03.08.01 03.08.02 03.10.01.A 03.10.01.B 03.10.01.C 03.10.01.D 03.10.07.A

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to maintain a current list of personnel with authorized access to organizational facilities (except for those areas within the facility officially designated as publicly accessible).

Level 1 — Performed Informally

Physical & Environmental Security (PES) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Physical access control is decentralized.
  • Physical security controls are primarily administrative in nature (e.g., policies & standards), focusing on protecting High Value Assets (HVAs).
  • Human Resources, or a similar function, maintains a current list of personnel and facilitates the implementation of physical access management controls.
Level 2 — Planned & Tracked

Physical & Environmental Security (PES) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Physical access control is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
  • IT/cybersecurity personnel identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for physical access control.
  • Human Resources, or a similar function, maintains a current list of personnel with authorized access to organizational facilities and facilitates the implementation of physical access management controls.
  • Physical security controls are primarily administrative in nature (e.g., policies & standards).
  • Physical controls, administrative processes and technologies are primarily designed and implemented for offices, rooms and facilities that focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.
  • A facilities maintenance team, or similar function, manages the operation of automated physical and environmental protection controls.
Level 3 — Well Defined

Physical & Environmental Security (PES) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Performs the centralized-management of physical security controls across the enterprise. o Maintains a current list of personnel with authorized access to organizational facilities and implements physical access management controls.

  • A physical security team, or similar function:
  • A facilities maintenance team, or similar function, manages the operation of environmental protection controls.
  • Administrative processes exist to authorize physical access to facilities based on the position or role of the individual.
  • Administrative processes and physical controls restrict unescorted access to facilities to personnel with required security clearances, formal access authorizations and validated the need for access.
  • An Identity and Access Management (IAM), or similar function, centrally manages permissions and implements “least privileges” practices for the management of user, group and system accounts. IAM integrates into physical access using a holistic approach to physical and logical access.
Level 4 — Quantitatively Controlled

Physical & Environmental Security (PES) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
  • Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
  • Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
  • Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
  • Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
  • Both business and technical stakeholders are involved in reviewing and approving proposed changes.
Level 5 — Continuously Improving

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to maintain a current list of personnel with authorized access to organizational facilities (except for those areas within the facility officially designated as publicly accessible).

Assessment Objectives

  1. PES-02_A01 authorized individuals allowed physical access are identified.
  2. PES-02_A02 physical access to operating environments is limited to authorized individuals.
  3. PES-02_A03 physical access to organizational systems is limited to authorized individuals.
  4. PES-02_A04 physical access to equipment is limited to authorized individuals.
  5. PES-02_A05 the frequency at which to review the access list detailing authorized facility access by individuals is defined.
  6. PES-02_A06 a list of individuals with authorized access to the facility where the system resides is approved.
  7. PES-02_A07 a list of individuals with authorized access to the facility where the system resides is maintained.
  8. PES-02_A08 authorization credentials are issued for facility access.
  9. PES-02_A09 the facility access list is reviewed per an organization-defined frequency.
  10. PES-02_A10 individuals from the facility access list are removed when access is no longer required.
  11. PES-02_A11 physical access restrictions associated with changes to the system are approved.
  12. PES-02_A12 a list of individuals with authorized access to the facility where the system resides is developed.
  13. PES-02_A13 physical access authorizations are enforced at entry and exit points to the facility where the system resides by verifying individual physical access authorizations before granting access.
  14. PES-02_A14 the facility access list is reviewed <A.03.10.01.ODP[01]: frequency>.

Evidence Requirements

E-HRS-28 Authorized Personnel Access List

Documented evidence of an authorized personnel access list.

Human Resources
E-PES-03 Defined Physical Security Roles

Documented evidence of defined physical access control-specific roles that limit physical access to rooms and/or facilities.

Physical Security
E-PES-05 Physical Security Operations

Documented evidence of the organization's physical security capabilities as it pertains to operating and monitoring Physical Access Control (PAC)mechanisms.

Physical Security
E-PES-10 Physical Access Authorizations

Documented evidence of physical access authorization activities (e.g., list reviews, termination changes, etc.).

Physical Security

Technology Recommendations

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.

Manage this control in SCF Connect

Track implementation status, collect evidence, and map controls to your compliance frameworks automatically.

Get Started Free