PES-03.4: Access To Critical Systems
Physical access control mechanisms exist to enforce physical access to critical systems or sensitive/regulated data, in addition to the physical access controls for the facility.
Control Question: Does the organization enforce physical access to critical systems or sensitive/regulated data, in addition to the physical access controls for the facility?
General (18)
| Framework | Mapping Values |
|---|---|
| COBIT 2019 | DSS05.05 |
| GovRAMP High | PE-03(01) |
| MPA Content Security Program 5.1 | PS-1.0 |
| NIST Privacy Framework 1.0 | PR.AC-P2 |
| NIST 800-53 R4 | PE-3(1) |
| NIST 800-53 R4 (high) | PE-3(1) |
| NIST 800-53 R5 (source) | PE-3(1) |
| NIST 800-53B R5 (high) (source) | PE-3(1) |
| NIST 800-82 R3 HIGH OT Overlay | PE-3(1) |
| NIST 800-161 R1 | PE-3(1) |
| NIST 800-161 R1 Level 2 | PE-3(1) |
| NIST 800-161 R1 Level 3 | PE-3(1) |
| NIST 800-171 R2 (source) | 3.10.1 |
| NIST 800-171 R3 (source) | 03.10.07.a.01 03.10.07.a.02 |
| SWIFT CSF 2023 | 3.1 |
| TISAX ISA 6 | 5.3.4 |
| SCF CORE ESP Level 2 Critical Infrastructure | PES-03.4 |
| SCF CORE ESP Level 3 Advanced Threats | PES-03.4 |
US (11)
| Framework | Mapping Values |
|---|---|
| US C2M2 2.1 | ARCHITECTURE-3.J.MIL2 |
| US CMMC 2.0 Level 1 (source) | PE.L1-B.1.VIII |
| US CMMC 2.0 Level 2 (source) | PE.L2-3.10.1 |
| US FAR 52.204-21 | 52.204-21(b)(1)(viii) |
| US FedRAMP R4 | PE-3(1) |
| US FedRAMP R4 (high) | PE-3(1) |
| US FedRAMP R5 (source) | PE-3(1) |
| US FedRAMP R5 (high) (source) | PE-3(1) |
| US HIPAA Administrative Simplification 2013 (source) | 164.310(b) 164.310(c) |
| US HIPAA Security Rule / NIST SP 800-66 R2 (source) | 164.310(b) 164.310(c) |
| US NNPI (unclass) | 11.1 11.2 11.3 |
EMEA (5)
| Framework | Mapping Values |
|---|---|
| EMEA Germany C5 2020 | PS-04 |
| EMEA Saudi Arabia ECC-1 2018 | 2-3-3-2 |
| EMEA Saudi Arabia OTCC-1 2022 | 2-13-1-5 |
| EMEA Saudi Arabia SACS-002 | TPC-46 TPC-49 |
| EMEA UK DEFSTAN 05-138 | 1502 |
APAC (6)
| Framework | Mapping Values |
|---|---|
| APAC Australia ISM June 2024 | ISM-0813 ISM-1053 ISM-1074 ISM-1530 |
| APAC India SEBI CSCRF | PR.AA.S10 |
| APAC New Zealand HISF 2022 | HHSP10 HML10 HSUP09 |
| APAC New Zealand HISF Suppliers 2023 | HSUP09 |
| APAC New Zealand NZISM 3.6 | 8.3.3.C.01 8.3.4.C.01 8.3.4.C.02 8.3.5.C.01 |
| APAC Singapore MAS TRM 2021 | 8.5.6(d) |
Americas (1)
| Framework | Mapping Values |
|---|---|
| Americas Canada ITSP-10-171 | 03.10.07.A.01 03.10.07.A.02 |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to enforce physical access to critical systems or sensitive/regulated data, in addition to the physical access controls for the facility.
Level 1 — Performed Informally
C|P-CMM1 is N/A, since a structured process is required to enforce physical access to critical systems or sensitive/regulated data, in addition to the physical access controls for the facility.
Level 2 — Planned & Tracked
Physical & Environmental Security (PES) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- Physical access control is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
- IT/cybersecurity personnel identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for physical access control.
- Human Resources, or a similar function, maintains a current list of personnel with authorized access to organizational facilities and facilitates the implementation of physical access management controls.
- Physical security controls are primarily administrative in nature (e.g., policies & standards).
- Physical controls, administrative processes and technologies are primarily designed and implemented for offices, rooms and facilities that focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.
- A facilities maintenance team, or similar function, manages the operation of automated physical and environmental protection controls.
Level 3 — Well Defined
Physical & Environmental Security (PES) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Performs the centralized-management of physical security controls across the enterprise. o Maintains a current list of personnel with authorized access to organizational facilities and implements physical access management controls.
- A physical security team, or similar function:
- A facilities maintenance team, or similar function, manages the operation of environmental protection controls.
- Administrative processes exist to authorize physical access to facilities based on the position or role of the individual.
- Administrative processes and physical controls restrict unescorted access to facilities to personnel with required security clearances, formal access authorizations and validated the need for access.
Level 4 — Quantitatively Controlled
See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to enforce physical access to critical systems or sensitive/regulated data, in addition to the physical access controls for the facility.
Level 5 — Continuously Improving
See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to enforce physical access to critical systems or sensitive/regulated data, in addition to the physical access controls for the facility.
Assessment Objectives
- PES-03.4_A01 physical spaces are defined.
- PES-03.4_A02 physical access controls are enforced for the facility at physical spaces.
- PES-03.4_A03 physical access authorizations are enforced.