The RMF Control Family PE, Physical and Environmental Protection, addresses the need for organizations to protect their physical and environmental assets from unauthorized access, damage, or destruction.
Controls in the PE Security Control Family
The PE Security Control Family includes the following controls:
- PE-1: Policy and Procedures: This control requires organizations to develop and implement a physical and environmental protection policy and procedures. This policy should define the roles and responsibilities for physical and environmental protection, and the process for protecting physical and environmental assets.
- PE-2: Physical Access Authorization: This control requires organizations to restrict physical access to information systems and supporting infrastructure to authorized individuals.
- PE-3: Physical Access Control: This control requires organizations to implement security controls to control physical access to information systems and supporting infrastructure. These controls may include physical barriers, such as fences and gates, and electronic security systems, such as access control systems and video surveillance systems.
- PE-4: Access Control for Transmission Media: This control requires organizations to protect transmission media from unauthorized access, interception, or modification. This protection may include measures such as encrypting data and using physical security controls to protect transmission lines.
- PE-5: Access Control for Output Devices: This control requires organizations to control access to output devices, such as printers and plotters. This control helps to prevent unauthorized individuals from accessing sensitive information that may be printed or plotted.
- PE-6: Monitoring Physical Access: This control requires organizations to monitor physical access to information systems and supporting infrastructure. This monitoring may be done using a variety of methods, such as video surveillance systems and intrusion detection systems.
- PE-7: Visitor Control: This control requires organizations to implement procedures for controlling visitors to their facilities. These procedures may include requiring visitors to sign in and out, and escorting visitors throughout the facility.
- PE-8: Visitor Access Records: This control requires organizations to maintain records of visitor access to their facilities. These records can be used to investigate security incidents and to identify unauthorized individuals who may have accessed the facilities.
- PE-9: Power Equipment and Cabling: This control requires organizations to protect power equipment and cabling from damage or disruption. This protection may include measures such as placing power equipment in a secure location and using backup power generators.
- PE-10: Emergency Shutoff: This control requires organizations to have emergency shutoff procedures in place for power and other essential services. These procedures should be used to prevent damage to information systems and supporting infrastructure in the event of an emergency.
- PE-11: Emergency Power: This control requires organizations to have emergency power in place to support essential information systems and supporting infrastructure in the event of a power outage.
- PE-12: Emergency Lighting: This control requires organizations to have emergency lighting in place to provide illumination in the event of a power outage.
- PE-13: Fire Protection: This control requires organizations to have fire protection systems in place to detect and extinguish fires.
- PE-14: Temperature and Humidity Controls: This control requires organizations to maintain temperature and humidity levels within acceptable ranges for information systems and supporting infrastructure.
- PE-15: Water Damage Protection: This control requires organizations to protect information systems and supporting infrastructure from water damage. This protection may include measures such as installing water leak detection systems and placing equipment in elevated locations.
- PE-16: Delivery and Removal: This control requires organizations to implement procedures for the delivery and removal of equipment. These procedures should help to prevent unauthorized access to information systems and supporting infrastructure.
- PE-17: Alternate Work Site: This control requires organizations to have an alternate work site in place in the event that their primary work site is unavailable.
- PE-18: Location of Information System Components: This control requires organizations to document the location of information system components. This documentation can be used to recover from a security incident or to relocate information system components in the event of an emergency.
- PE-19: Information Leakage: This control requires organizations to implement measures to prevent information leakage. This may include measures such as educating employees on information security practices and using data loss prevention (DLP) systems