NIST PR.AC-2: Physical Access Management
Physical access is the foundation of your cybersecurity posture—unauthorized physical access can bypass all technical controls. PR.AC-2 requires you to implement and maintain systems that manage who enters your facilities and accesses critical assets. For SMBs, this means establishing clear policies and practical controls that protect servers, networks, and sensitive data without excessive overhead.
What this means
PR.AC-2 mandates that organizations implement controls to manage and monitor physical access to facilities, equipment, and assets that contain or process sensitive information. This includes access controls at building entrances, server rooms, network closets, and any area housing critical infrastructure. The control requires you to establish who is authorized, verify their identity, log access events, and revoke access when no longer needed. Effective physical access management prevents theft, tampering, and unauthorized system modification.
How to comply
- 1.Define physical security perimeter boundaries around facilities and sensitive areas containing IT assets
- 2.Establish and document access control policies specifying who may enter each area and under what conditions
- 3.Implement access mechanisms such as badge readers, biometric systems, or sign-in logs to track entry and exit
- 4.Assign unique identifiers to all personnel and contractors who require physical access
- 5.Monitor and log all physical access attempts, both successful and failed entries
- 6.Review access logs regularly to identify unauthorized access attempts or policy violations
- 7.Revoke physical access credentials immediately upon employee termination or role change
- 8.Conduct periodic audits of who has access to sensitive areas and remove unnecessary permissions
- 9.Implement visitor management procedures including escort requirements and temporary credential issuance
- 10.Maintain environmental controls in sensitive areas (surveillance cameras, motion sensors) to detect unauthorized access
Evidence auditors look for
- Physical access policy document outlining facility entry procedures and authorization requirements
- Access control system configuration showing which badge readers or biometric systems are deployed
- Access logs or badge swipe reports covering a sample period (minimum 3 months)
- List of authorized personnel with their access levels and facility areas granted
- Visitor sign-in sheets or temporary credential records with dates and escort information
- Procedure for revoking access when employees are terminated, with evidence of deactivated badges
- Security camera footage or access attempt logs showing monitoring of sensitive areas
- Periodic access review documentation showing authorization verification and removal of stale access
- Incident reports related to unauthorized physical access attempts or policy violations
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates the tracking and auditing of physical access by integrating access logs, generating compliance reports, and alerting you when access reviews are due—eliminating manual log reviews and ensuring PR.AC-2 evidence is always ready.
See how GRCWatch handles this control automatically
Start free trial