
3.9 PE

735 paragraphs across nine sections. Here is what makes this page structurally distinct from the others in the library and why the design decisions matter operationally.


What makes this family different from every other

The PE family is the only NIST 800-171 family where the NIST SP 800-171A Test method includes physical inspection — the assessor will walk your building. Documentation satisfies the Examine method. The Interview method checks awareness. But only a site visit confirms whether the server room door actually requires a card and PIN, whether CCTV covers the entrance, whether visitors are genuinely escorted rather than waved through. This means PE is the one family where a well-written SSP can describe controls that simply do not exist in practice, and the assessor will find this out within the first 20 minutes of the assessment day.

The practical implication is that every physical control described in this page must exist in reality before the assessment, and the assessment preparation checklist (Section 7) includes steps that require you to walk your own facility and test your own controls first.


The three-zone model and why it matters for evidence

The three-zone physical security model (Zone 1 public, Zone 2 office, Zone 3 server room) is the organisational structure that makes the access device register coherent. Without a defined zone model, the access authorisation list is just a list of people with key cards — it cannot answer the assessor's question "who is authorised to access the server room?" With zones, that question has a precise answer: the Zone 3 authorised persons list, which is a named subset of the Zone 2 list.

The zone model also simplifies the quarterly access anomaly review (EV-D23). Rather than reviewing every ACS event, the reviewer focuses on Zone 3 activity: who accessed the server room, when, and was it during an approved maintenance window? After-hours Zone 3 access without a pre-approved maintenance window is an anomaly worth investigating. General Zone 2 access during business hours is normal and does not require individual scrutiny.
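The Zone 3 review logic described above, as an added example that is not part of the original page: it reads a constructed ACS export, skips Zone 2 traffic, and reports denied server-room attempts plus after-hours entries that have no pre-approved maintenance window. The CSV layout, the business hours and the maintenance-window register are assumptions to adapt to your ACS.

```python
import csv
from datetime import datetime, time
from io import StringIO

# Assumed local business hours; Zone 3 access outside them needs a pre-approved window.
BUSINESS_HOURS = (time(8, 0), time(18, 0))

# Constructed sample ACS export (layout is an assumption, not a real vendor format).
ACS_EVENTS = """\
timestamp,holder,zone,door,result
2024-05-13T09:15:00,a.smith,2,office-main,granted
2024-05-13T10:02:00,j.doe,3,server-room,granted
2024-05-14T22:41:00,j.doe,3,server-room,granted
2024-05-15T23:05:00,a.smith,3,server-room,denied
2024-05-16T02:10:00,m.lee,3,server-room,granted
"""

# Constructed maintenance-window register: (holder, window start, window end).
MAINTENANCE_WINDOWS = [
    ("j.doe", datetime(2024, 5, 14, 22, 0), datetime(2024, 5, 15, 0, 0)),
]

def parse_ts(text):
    return datetime.fromisoformat(text)

def in_business_hours(ts):
    start, end = BUSINESS_HOURS
    return ts.weekday() < 5 and start <= ts.time() < end

def in_approved_window(holder, ts, windows):
    return any(h == holder and s <= ts <= e for h, s, e in windows)

def review_zone3(events_csv, windows):
    """Return the Zone 3 events the quarterly reviewer must investigate: every
    denied attempt, and any granted after-hours entry with no approved window."""
    anomalies = []
    for row in csv.DictReader(StringIO(events_csv)):
        if row["zone"] != "3":
            continue  # Zone 2 traffic needs no individual scrutiny
        ts = parse_ts(row["timestamp"])
        if row["result"] == "denied":
            anomalies.append((row["holder"], row["timestamp"], "denied at server room door"))
        elif not in_business_hours(ts) and not in_approved_window(row["holder"], ts, windows):
            anomalies.append((row["holder"], row["timestamp"], "after-hours, no approved window"))
    return anomalies
```

The two reported rows (one denied attempt, one unapproved 02:10 entry) are exactly the items the reviewer would record as investigated in EV-D23; the approved 22:41 entry is not flagged.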


The CCTV section — ICO compliance is not optional

Section 4 includes ICO CCTV Code of Practice requirements alongside the NIST and ISO 27001 requirements. This is intentional and not optional for UK organisations. Operating CCTV without ICO registration, without prominent signage at all entry points, without a DPIA, or without a subject access request process exposes the organisation to regulatory enforcement action that would be entirely separate from (and potentially more immediately damaging than) a CMMC non-compliance finding.

The ICO requirements are included because they interact directly with 3.10.2 evidence. An assessor finding that CCTV signage is missing or that the ICO registration has lapsed will note this as a concern regardless of whether ICO compliance is strictly within the NIST scope — it reflects on the overall physical security governance posture. More practically, CCTV footage that was obtained in breach of the UK GDPR cannot be lawfully used as evidence in a legal proceeding arising from a physical security incident.

The 31-day minimum retention in the CCTV standard exceeds the ICO's suggested minimum (which they describe as a guideline rather than a hard rule) but is in line with industry practice for organisations that might need to review footage for a slowly developing insider threat or a loss discovered after a weekend. Extended retention for server room and entry point cameras (up to 90 days, matching the visitor log retention) ensures that footage corresponding to any visitor log entry can still be retrieved during the review period.


The home worker checklist — the evidence gap that surprises most organisations

Section 5 contains the 17-item home office security checklist covering three areas: home network security, device security, and physical work area security. The physical work area section is the one most organisations either omit entirely or discover they cannot satisfy when they first deploy it.

The specific controls that reveal gaps most reliably are the private work area requirement (kitchen tables and open-plan living areas are the most common CUI processing locations) and the printed CUI control (home printers frequently do not have a cross-cut shredder available). Neither of these can be compensated by technical controls — they require a change in working practice or physical environment.

The checklist is designed as a self-attestation rather than a compliance audit — it cannot be independently verified for every remote worker. The compensating assurance mechanisms are the quarterly MDM compliance check (verifying device-level technical controls) and the remote worker interview during an assessment. Assessors routinely select two or three remote workers to interview, and the interview questions in Section 7 ("where do you work when at home, what do you do when you leave the laptop unattended, how do you dispose of printed CUI material") are designed to test exactly the physical security controls that the checklist attests to.

The tracking mechanism matters as much as the checklist itself. A checklist that 60% of people complete has 40% of the remote CUI population with no evidence of control. Build the completion tracking into the LMS if possible, or use a SharePoint form — paper checklists returned to IT by email are difficult to track systematically.


The dual ownership model

The page is co-owned by the Facilities Manager and the CISO — the only page in the library with a non-IT primary owner. This reflects the reality that physical security is a facilities management responsibility in most organisations, not an IT responsibility. The CISO has overall accountability for the information security controls that the physical access controls protect, but the day-to-day operation (ACS management, visitor log maintenance, CCTV operation, UPS testing) belongs to Facilities.

This creates a coordination dependency that is often handled poorly: Facilities manages the ACS but does not know which accounts in the ACS correspond to departed employees; IT knows who has left but does not have ACS management access to deactivate the cards. The leaver checklist integration (EV-D04 links to ACS deactivation) is the process control that bridges this gap. Common finding two in Section 8 — cards deactivated 3–10 days after departure — is almost always a coordination failure between IT and Facilities, not a policy failure.
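One way to surface the IT/Facilities coordination gap before an assessor does, as an added example that is not part of the original page: reconcile the HR leaver extract against the ACS card register and report every leaver card that is still live on the review date or was deactivated later than an agreed target. Both inputs are constructed, their layouts are assumptions, and the one-day target (SLA_DAYS) is an assumed value rather than a figure from the page.

```python
import csv
from datetime import date
from io import StringIO

# Assumed target: the card is deactivated no later than the day after departure.
SLA_DAYS = 1

# Constructed HR leaver extract (layout is an assumption).
HR_LEAVERS = """\
employee,left_on
j.doe,2024-04-30
m.lee,2024-05-03
a.smith,2024-05-10
"""

# Constructed ACS card register; an empty deactivated_on means the card is live.
ACS_CARDS = """\
card_id,holder,zone,status,deactivated_on
1001,j.doe,3,inactive,2024-05-01
1002,m.lee,3,inactive,2024-05-09
1003,a.smith,2,active,
1004,k.ng,3,active,
"""

def reconcile(hr_csv, acs_csv, as_of, sla_days=SLA_DAYS):
    """Return one finding per leaver card that is still active on the review
    date or was deactivated more than sla_days after the HR departure date."""
    review_date = date.fromisoformat(as_of)
    leavers = {r["employee"]: date.fromisoformat(r["left_on"])
               for r in csv.DictReader(StringIO(hr_csv))}
    findings = []
    for card in csv.DictReader(StringIO(acs_csv)):
        left = leavers.get(card["holder"])
        if left is None:
            continue  # current staff member; not part of the leaver check
        if card["status"] == "active":
            lag = (review_date - left).days
            findings.append((card["holder"], card["card_id"], card["zone"], lag, "still active"))
        else:
            lag = (date.fromisoformat(card["deactivated_on"]) - left).days
            if lag > sla_days:
                findings.append((card["holder"], card["card_id"], card["zone"], lag, "late deactivation"))
    # Zone 3 cards first: a live server-room card held by a leaver is the most urgent case.
    return sorted(findings, key=lambda f: (f[2] != "3", -f[3]))
```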


Cross-linking in Confluence

The AT-PE page connects to five other pages. Link to AT-MP (the media storage cabinet physical protection in AT-MP 3.8.1 and 3.8.5 depends on the Zone 3 physical access controls defined here — the locked media cabinet is inside a locked server room). Link to AT-AC (the physical access authorisation list for Zone 3 mirrors the logical privileged account list — both have the same small group of authorised individuals, and both are reviewed quarterly in EV-D01 and EV-D23 respectively). Link to AT-AU (physical access events from the ACS are a log source in the AU Section 3 log source inventory — the PE controls generate the log data that AU controls require to be retained and reviewed). Link to the HR Security Policy (the leaver procedure in that policy triggers the ACS card deactivation that satisfies 3.10.5's revocation requirement). And link to AT-MA (Maintenance, 3.7.6) — maintenance personnel who access Zone 3 are subject to the visitor management procedure in 3.10.3, and the two controls are satisfied by the same visitor log entry and Zone 3 escort record.


Updated library status

Ten of the fourteen family pages are now complete:

Page                                      Controls   CMMC L1
AT-AC · Access Control                    22         4
AT-AT · Awareness and Training            3          0
AT-AU · Audit and Accountability          9          0
AT-CM · Configuration Management          9          0
AT-IA · Identification and Authentication 11         2
AT-MP · Media Protection                  9          1
AT-PE · Physical Protection               6          4
AT-SC · System and Comms Protection       16         2
AT-SI · System and Info Integrity         7          4

Four families remain to complete the NIST 800-171 library: AT-IR (Incident Response, 3 controls), AT-MA (Maintenance, 6 controls), AT-PS (Personnel Security, 2 controls), AT-RA (Risk Assessment, 3 controls), and AT-CA (Security Assessment, 4 controls — the master SSP document that cross-references every other family page). Click any family card in the interactive browser to generate the next page.