About cookies on this site Our websites require some cookies to function properly (required). In addition, other cookies may be used with your consent to analyze site usage, improve the user experience and for advertising. For more information, please review your options. By visiting our website, you agree to our processing of information as described in IBM’sprivacy statement. To provide a smooth navigation, your cookie preferences will be shared across the IBM web domains listed here.
PE-2 - Physical Access Authorizations
Control requirements
PE-2 (a)
Develop, approve, and maintain a list of individuals with authorized access to the facility where the system resides.
PE-2 (b)
Issue authorization credentials for facility access.
PE-2 (c)
Review the access list detailing authorized facility access by individuals [IBM Assignment: at least annually].
PE-2 (d)
Remove individuals from the facility access list when access is no longer required.
NIST supplemental guidance
Physical access authorizations apply to employees and visitors. Individuals with permanent physical access authorization credentials are not considered visitors. Authorization credentials include ID badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Physical access authorizations may not be necessary to access certain areas within facilities that are designated as publicly accessible.