NIST 800-53 r5 · Controls catalogue · Family PE
PE-3 Physical Access Control
- Enforce physical access authorizations at {{ insert: param, pe-03_odp.01 }} by:
  - Verifying individual access authorizations before granting access to the facility; and
  - Controlling ingress and egress to the facility using {{ insert: param, pe-03_odp.02 }};
- Maintain physical access audit logs for {{ insert: param, pe-03_odp.04 }};
- Control access to areas within the facility designated as publicly accessible by implementing the following controls: {{ insert: param, pe-03_odp.05 }};
- Escort visitors and control visitor activity {{ insert: param, pe-03_odp.06 }};
- Secure keys, combinations, and other physical access devices;
- Inventory {{ insert: param, pe-03_odp.07 }} every {{ insert: param, pe-03_odp.08 }}; and
- Change combinations and keys {{ insert: param, pe-3_prm_9 }} and/or when keys are lost, combinations are compromised, or when individuals possessing the keys or combinations are transferred or terminated.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (0)
- No ATT&CK techniques mapped to this control yet.
Weaknesses this control addresses (5)
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-306 | Missing Authentication for Critical Function | 2,567 | Requires verification of individual access authorizations before granting facility entry, addressing missing authentication for critical physical access. |
| CWE-732 | Incorrect Permission Assignment for Critical Resource | 1,824 | Mandates securing keys/combinations, periodic inventory, and rotation on compromise or personnel changes to correct improper physical permission assignments. |
| CWE-552 | Files or Directories Accessible to External Parties | 540 | Controls access to facility areas (including publicly accessible zones) to prevent external parties from reaching internal resources or sensitive locations. |
| CWE-778 | Insufficient Logging | 23 | Requires maintenance of physical access audit logs, directly mitigating insufficient logging of access attempts and events. |
| CWE-1263 | Improper Physical Access Control | 13 | Directly implements physical access authorizations, ingress/egress controls, visitor escorting, and key/combination management to prevent unauthorized physical entry. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| CVE-2024-0148 | 1.5 | 7.6 | 0.0007 | good |
| CVE-2025-24200 KEV | 6.1 | 6.1 | 0.4816 | good |
| CVE-2025-24984 KEV | 3.1 | 4.6 | 0.0283 | good |
| CVE-2026-30704 | 1.8 | 9.1 | 0.0006 | good |
| CVE-2024-48831 | 1.7 | 8.4 | 0.0010 | good |
| CVE-2026-23853 | 1.7 | 8.4 | 0.0001 | good |
| CVE-2026-24154 | 1.5 | 7.6 | 0.0003 | good |
| CVE-2024-44286 | 1.5 | 7.5 | 0.0009 | good |
| CVE-2024-57261 | 1.4 | 7.1 | 0.0002 | good |
| CVE-2024-57254 | 1.4 | 7.1 | 0.0006 | good |
| CVE-2024-57061 | 2.0 | 9.8 | 0.0051 | good |
| CVE-2024-48123 | 1.7 | 8.4 | 0.0006 | good |
| CVE-2024-56182 | 1.6 | 8.2 | 0.0001 | good |
| CVE-2024-56181 | 1.6 | 8.2 | 0.0001 | good |
| CVE-2025-21103 | 1.6 | 7.8 | 0.0007 | good |
| CVE-2024-11147 | 1.5 | 7.6 | 0.0011 | partial |
| CVE-2026-32606 | 1.5 | 7.6 | 0.0001 | good |
| CVE-2024-12136 | 1.4 | 6.9 | 0.0001 | good |
| CVE-2024-57259 | 1.4 | 7.1 | 0.0007 | good |
| CVE-2025-20641 | 1.3 | 6.6 | 0.0003 | good |