Skip to main content

PES-12.1: Transmission Medium Security

PES 9 — Critical Protect

Physical security mechanisms exist to protect power and telecommunications cabling carrying data or supporting information services from interception, interference or damage.

Control Question: Does the organization protect power and telecommunications cabling carrying data or supporting information services from interception, interference or damage?

General (28)
Framework Mapping Values
GovRAMP Low+ PE-04
GovRAMP Moderate PE-04
GovRAMP High PE-04
ISO 27002 2022 7.12
ISO 27017 2015 11.2.3
NIST 800-53 R4 PE-4 SC-7(14)
NIST 800-53 R4 (moderate) PE-4
NIST 800-53 R4 (high) PE-4
NIST 800-53 R5 (source) PE-4 SC-7(14)
NIST 800-53B R5 (moderate) (source) PE-4
NIST 800-53B R5 (high) (source) PE-4
NIST 800-53 R5 (NOC) (source) SC-7(14)
NIST 800-82 R3 MODERATE OT Overlay PE-4
NIST 800-82 R3 HIGH OT Overlay PE-4
NIST 800-161 R1 SC-7(14)
NIST 800-161 R1 Level 2 SC-7(14)
NIST 800-161 R1 Level 3 SC-7(14)
NIST 800-171 R2 (source) 3.10.1
NIST 800-171 R3 (source) 03.10.08
NIST 800-171A R3 (source) A.03.10.08
PCI DSS 4.0.1 (source) 9.2.2 9.2.3
PCI DSS 4.0.1 SAQ B-IP (source) 9.2.2
PCI DSS 4.0.1 SAQ C (source) 9.2.2
PCI DSS 4.0.1 SAQ D Merchant (source) 9.2.2 9.2.3
PCI DSS 4.0.1 SAQ D Service Provider (source) 9.2.2 9.2.3
SCF CORE Mergers, Acquisitions & Divestitures (MA&D) PES-12.1
SCF CORE ESP Level 2 Critical Infrastructure PES-12.1
SCF CORE ESP Level 3 Advanced Threats PES-12.1
US (20)
Framework Mapping Values
US CERT RMM 1.2 EC:SG2.SP1
US CJIS Security Policy 5.9.3 (source) 5.9.1.4
US CMMC 2.0 Level 1 (source) PE.L1-B.1.VIII
US CMMC 2.0 Level 2 (source) PE.L2-3.10.1
US CMMC 2.0 Level 3 (source) PE.L2-3.10.1
US CMS MARS-E 2.0 PE-4
US FAR 52.204-21 52.204-21(b)(1)(viii)
US FedRAMP R4 PE-4
US FedRAMP R4 (moderate) PE-4
US FedRAMP R4 (high) PE-4
US FedRAMP R5 (source) PE-4
US FedRAMP R5 (moderate) (source) PE-4
US FedRAMP R5 (high) (source) PE-4
US HIPAA HICP Medium Practice 6.M.E
US HIPAA HICP Large Practice 6.M.E
US IRS 1075 PE-4
US NERC CIP 2024 (source) CIP-006-6 1.10
US NISPOM 2020 8-605
US - OR 646A 622(2)(d)(C)(ii)
US - TX TX-RAMP Level 2 PE-4
EMEA (1)
Framework Mapping Values
EMEA Israel CDMO 1.0 9.15 18.13
APAC (3)
Framework Mapping Values
APAC Australia ISM June 2024 ISM-0181 ISM-0187 ISM-0194 ISM-0195 ISM-0198 ISM-0201 ISM-0206 ISM-0208 ISM-0211 ISM-0213 ISM-0216 ISM-0217 ISM-0218 ISM-0926 ISM-1095 ISM-1096 ISM-1098 ISM-1100 ISM-1101 ISM-1102 ISM-1103 ISM-1105 ISM-1107 ISM-1109 ISM-1111 ISM-1112 ISM-1114 ISM-1115 ISM-1116 ISM-1119 ISM-1122 ISM-1130 ISM-1133 ISM-1164 ISM-1216 ISM-1639 ISM-1640 ISM-1718 ISM-1719 ISM-1720 ISM-1721
APAC Japan ISMAP 11.2.3
APAC New Zealand NZISM 3.6 8.3.3.C.01 8.3.3.C.02 8.3.4.C.01 8.3.4.C.02 8.3.5.C.01 10.1.42.C.01 10.1.42.C.02 10.1.43.C.01 10.1.43.C.02 10.1.43.C.03 10.1.43.C.04 10.1.44.C.01 10.1.45.C.01 10.1.45.C.02 10.1.46.C.01 10.1.46.C.02 10.1.46.C.03 10.1.46.C.04 10.1.47.C.01 10.1.47.C.02 10.1.48.C.01 10.1.48.C.02 10.1.48.C.03 10.1.49.C.01 10.1.50.C.01 10.1.50.C.02 10.1.50.C.03 10.1.50.C.04 10.1.51.C.01 10.2.6.C.01 10.2.6.C.02 10.2.7.C.01 10.2.8.C.01 10.2.9.C.01 10.2.10.C.01 10.3.5.C.01 10.3.6.C.01 10.3.6.C.02 10.3.7.C.01 10.3.8.C.01 10.3.9.C.01 10.3.10.C.01 10.3.11.C.01 10.3.12.C.01 10.3.13.C.01 10.4.4.C.01 10.4.4.C.02 10.4.5.C.01 10.4.5.C.02 10.4.6.C.01 10.4.6.C.02 10.4.6.C.03 10.4.7.C.01 10.4.7.C.02 10.4.8.C.01 10.4.9.C.01 10.4.9.C.02 10.4.9.C.03 10.4.9.C.04 10.4.10.C.01 10.4.11.C.01 10.4.12.C.01 10.4.13.C.01 10.4.13.C.02 10.5.4.C.01 10.5.5.C.01 10.5.6.C.01 10.5.6.C.02 10.5.7.C.01 10.5.8.C.01 10.5.8.C.02 10.5.9.C.01 10.5.9.C.02 10.5.10.C.01 10.5.10.C.02 10.5.11.C.01 10.6.22.C.01 10.6.22.C.02 10.6.23.C.01 10.6.23.C.02 10.6.23.C.03 10.6.23.C.04 10.6.24.C.01 10.6.24.C.02 10.6.25.C.01 10.6.26.C.01 10.6.27.C.01 10.6.28.C.01 10.6.28.C.02 10.6.29.C.01 10.6.30.C.01 10.6.31.C.01
Americas (1)
Framework Mapping Values
Americas Canada ITSP-10-171 03.10.08

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to protect power and telecommunications cabling carrying data or supporting information services from interception, interference or damage.

Level 1 — Performed Informally

Physical & Environmental Security (PES) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Physical access control is decentralized.
  • Physical security controls are primarily administrative in nature (e.g., policies & standards), focusing on protecting High Value Assets (HVAs).
  • Human Resources, or a similar function, maintains a current list of personnel and facilitates the implementation of physical access management controls.
Level 2 — Planned & Tracked

Physical & Environmental Security (PES) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Physical access control is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
  • IT/cybersecurity personnel identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for physical access control.
  • Human Resources, or a similar function, maintains a current list of personnel with authorized access to organizational facilities and facilitates the implementation of physical access management controls.
  • Physical security controls are primarily administrative in nature (e.g., policies & standards).
  • Physical controls, administrative processes and technologies are primarily designed and implemented for offices, rooms and facilities that focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.
  • A facilities maintenance team, or similar function, manages the operation of automated physical and environmental protection controls.
Level 3 — Well Defined

Physical & Environmental Security (PES) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Performs the centralized-management of physical security controls across the enterprise. o Maintains a current list of personnel with authorized access to organizational facilities and implements physical access management controls.

  • A physical security team, or similar function:
  • A facilities maintenance team, or similar function, manages the operation of environmental protection controls.
  • Administrative processes exist to authorize physical access to facilities based on the position or role of the individual.
  • Administrative processes and physical controls restrict unescorted access to facilities to personnel with required security clearances, formal access authorizations and validated the need for access.
Level 4 — Quantitatively Controlled

Physical & Environmental Security (PES) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
  • Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
  • Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
  • Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
  • Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
  • Both business and technical stakeholders are involved in reviewing and approving proposed changes.
Level 5 — Continuously Improving

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to protect power and telecommunications cabling carrying data or supporting information services from interception, interference or damage.

Assessment Objectives

  1. PES-12.1_A01 system distribution and transmission lines requiring physical access controls are defined.
  2. PES-12.1_A02 security controls to be implemented to control physical access to system distribution and transmission lines within the organizational facility are defined.
  3. PES-12.1_A03 physical access to system distribution and transmission lines within organizational facilities is controlled.
  4. PES-12.1_A04 managed interfaces to be protected against unauthorized physical connections are defined.
  5. PES-12.1_A05 managed interfaces are protected against unauthorized physical connections.

Technology Recommendations

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.

Manage this control in SCF Connect

Track implementation status, collect evidence, and map controls to your compliance frameworks automatically.

Get Started Free