Physical & Environmental Protection (PE)
Last Reviewed: 5/9/2025
Physical & Environmental Protection Guidelines identify the policies and standards for the Risk Management family of controls
Understanding Physical and Environmental Protection (PE)
The Physical and Environmental (PE) control family explains how CMS must protect information systems by limiting who can physically access them, their equipment, and the environments where they operate. It also covers the need to protect the buildings and infrastructure that support these systems, ensure necessary utilities are available, and safeguard the systems from environmental dangers. PE controls outline the procedures for controlling physical access, managing records, handling emergencies, and protecting the physical location of the systems.
How PE Works at CMS
The Department of Health and Human Services (HHS) has provided the Information Systems Security and Privacy Protection (IS2P), a policy framework used to safeguard data and systems from information technology (IT) threats. From the requirements listed in IS2P, CMS has created the Acceptable Risk Safeguards (ARS). The ARS outlines the minimum security and privacy standards that CMS and its contractors must follow. Additionally, CMS has the Information Systems Security and Privacy Policy (IS2P2) to define roles and responsibilities to ensure compliance with ARS 5.1 and IS2P.
Key Security Measures
Policy and Procedures
Preventing unauthorized access to, and physically protecting, the systems containing CMS assets and information is critical. The policy and procedure control states that a policy must be developed, documented and disseminated to applicable personnel. CMS requirements for policy and procedures:
- CMS establishes the IS2P2 that defines the purpose, scope, roles and responsibilities and will be consistent with applicable laws, regulations, directives, executive orders, standards and guidelines.
- IS2P2 is reviewed at least every three hundred and sixty-five (365) days.
- At CMS, the CISO manages the development, documentation and dissemination of the PE policy and procedures.
Physical Access Authorizations
Unauthorized access to secure areas is a common threat for anything worth protecting. The physical access authorization control is a means to control that threat. At CMS:
- CMS develops, approves and maintains a list of all individuals requiring permanent physical access to CMS facilities.
- Access is granted via Personal Identity Verification (PIV) certificates provided by CMS that follow the standards set in the Homeland Security Presidential Directive 12 (HSPD-12).
- These lists are reviewed at routine intervals depending on system level to maintain accuracy.
  - High Level systems are reviewed every 90 days.
  - Moderate Level systems are reviewed every 180 days.
  - Low Level systems are reviewed every 365 days.
- When an individual’s access to the facility is no longer required, the PIV is destroyed and all lists are updated to reflect a current roster.
  - If the PIV cannot be collected, then normal termination procedures are completed within 18 hours as directed in FIPS 201-3.
Physical Access Control
Having control of who enters a facility or a specific area within the facility is the main goal of physical access control. CMS ensures physical access control by:
- Securing facilities with appropriate entry controls and security measures. This includes:
  - verifying individual access authorizations before granting access
  - controlling entry and exit using guards or physical access systems
  - maintaining access logs
- Ensuring that some components of information systems, like workstations or terminals, when located in publicly accessible areas, are safeguarded by controlling access to such devices.
- Escorting and monitoring visitors through CMS employees or authorized contractors responsible for visitors in the facility.
  - Starting May 7th, 2025, visitors can only gain access to CMS facilities by verifying identity with a REAL ID or select approved acceptable identification.
- Securing keys, combinations, and access devices, maintaining an inventory of all defined physical access devices, and reviewing the inventory at set intervals:
  - Every 90 days for High systems
  - Every 180 days for Moderate systems
  - Every 365 days for Low systems.
- Changing combinations and keys every 365 days and/or when lost, compromised or if an individual in possession is transferred or terminated.
- Controlling physical access to areas with information system components to protect their data and systems from unauthorized access. This includes:
  - locks on doors and windows
  - security personnel
  - authentication devices like biometrics or smart cards with PINs.
Access Control for Transmission
CMS uses various transmission methods to send data between locations. Exposed or easily accessible communication lines would be detrimental to CMS operations. To mitigate this, CMS implements the following security measures to control physical access to information system distribution and transmission lines.
- Storing lines in restricted areas, with access limited to authorized personnel to prevent theft, vandalism, and unauthorized changes.
- Controlling physical access by using card readers, PINs, or security guards.
- Protecting transmission lines with metal conduit to shield sensitive circuits from electromagnetic interference, damage and eavesdropping.
- Disabling unused physical ports to help secure the network from unauthorized access.
Access Control for Output Devices
Protecting digital information is important, but protecting forms of physical data is also a crucial part of PE controls. To prevent unauthorized access to output devices:
- CMS places devices like printers, copiers, scanners and monitors in secure, monitored areas.
- Only authorized individuals are allowed to access these devices, ensuring that unauthorized people cannot obtain the output.
- CMS provides personal printers for individual users and network printers for shared access. Personal printers are issued to employees with assigned offices or cubicles and can only be used when their laptop is docked.
- Network printers are shared by CMS employees and contractors with CMS-issued laptops.
- Safeguards include printing cover pages with user IDs to identify the print job originator and ensuring devices do not store data once the print job is completed.
- Employees working from Alternative Duty Stations (ADS) can print from home by connecting a personal USB printer to their CMS laptop, after signing a Print at Home Agreement.
- This agreement requires employees to protect CMS information, secure printed documents, and properly handle confidential data, including returning documents to CMS for proper disposal.
- Copier and scanner devices at CMS are in designated rooms and are used to manage internal documents.
- To ensure security, users must log in with their PIV credentials to access copying and scan-to-email functions, which helps control device use based on job responsibilities.
- Devices are configured so that no data is saved or stored after a copying or scanning task is completed.
- CMS follows the Health and Human Services (HHS) Rules of Behavior (RoB), which includes practices like locking workstations and removing PIV cards from laptops when they are left unattended.
- Before accessing CMS data, systems, or networks, all new users must read and sign an acknowledgment form agreeing to the HHS RoB, which they must complete annually.
CMS laptops are also set to automatically lock after 15 minutes of inactivity.
Monitoring Physical Access
CMS monitors physical access to its facilities to detect and respond to security incidents, such as unauthorized access during odd hours or unusual access patterns. CMS monitors physical access by:
- Using intrusion alarms and surveillance equipment, linked to the Physical Access Management (PAM) system, to detect unauthorized access and verify incidents.
- Collecting information through CMS’s electronic security systems for security purposes and not releasing it without proper authorization.
- Using security staff to provide 24/7 real-time monitoring to identify potential security breaches. When incidents occur, staff follow established response plans that provide guidance for how to address physical security incidents.
- Reviewing physical access logs weekly.
- Sharing criminal evidence only with law enforcement.
- Providing administrative evidence only to managers or authorized personnel.
- Retaining video surveillance for only 14 days and providing additional monitoring in areas containing information system components.
- Monitoring specific areas using access card readers to ensure only authorized personnel can enter.
- Utilizing security measures like mantraps (small, secured spaces with two sets of interlocking doors that never open at the same time), which provide an extra layer of access control.
Visitor Access Records
CMS keeps visitor access records, either manually or through electronic systems, but these records are not required for publicly accessible areas. Visitor access records are retained for 2 years according to the National Archives and Records Administration (NARA) General Records Schedule (GRS) 5.6: Security Records and are reviewed every 30 days. If any anomalies are discovered, they will be reported to defined personnel or roles within the security plan. Automated tools, such as PAM, help capture, manage, and review these records, including visitor management tasks.
Power Equipment and Cabling
CMS is responsible for protecting power equipment and cabling from damage or destruction, both inside and outside its facilities. This includes equipment like generators, power cables, and uninterruptible power sources used in offices, data centers, and even self-contained entities like vehicles or satellites. CMS follows the GSA’s Facilities Standards (P100) to ensure proper protection. Access to critical infrastructure, including power generators and HVAC systems, is restricted to authorized personnel, and environmental detection devices are used for added security.
Emergency Shutoff
Emergency shutoff switches or devices allow power to be turned off in emergency situations to protect the information system or individual components. These switches are placed in safe locations, ensuring easy access without risk to personnel and preventing unauthorized or accidental activation. CMS uses Emergency Power Off (EPO) buttons, clearly marked and installed at exit doors, as part of its safety measures to quickly shut off power in an emergency.
Emergency Power
In case of a power loss, CMS uses a short-term Uninterruptible Power Supply (UPS) to ensure an orderly shutdown or switch to a long-term power supply. UPS provides immediate backup power using battery storage to protect against interruptions. CMS also uses a web-based monitoring system to oversee critical equipment, allowing for real-time monitoring and event management. For extended power outages, CMS relies on diesel-powered generators as a long-term backup power source. CMS follows the GSA’s Facilities Standards (P100) for all power supply requirements and uses asset management software to track and manage equipment maintenance.
Emergency Lighting
CMS ensures that automatic emergency lighting is in place to illuminate emergency exits and evacuation routes during power outages or disruptions. This lighting system activates automatically to provide adequate visibility in these critical areas. CMS follows the GSA’s Facilities Standards (P100) and uses asset management software to plan, manage, and track the maintenance of the emergency lighting equipment.
Fire Protection
CMS uses fire protection systems that detect, control, and suppress fires to minimize damage and ensure operations continue smoothly.
- These systems, powered by independent energy sources, include fire detection devices that automatically notify personnel and emergency responders in case of a fire:
  - smoke detectors
  - heat detectors
  - pull stations
- CMS follows GSA’s Facilities Standards (P100) for fire safety and utilizes asset management software to maintain these systems.
- Fire suppression systems, such as wet-pipe sprinklers and clean agent systems, are installed to automatically activate and suppress fires without human intervention.
- CMS also has a monitored fire alarm system that alerts key personnel, the Network Command Center (NCC), and local emergency responders when fire detection systems are triggered.
- The wet-pipe sprinkler system is heat-activated and responds only in the area where heat is detected.
Temperature and Humidity Controls
CMS maintains proper temperature and humidity levels in data centers and server rooms to ensure the reliability of network hardware. High temperatures can cause equipment to overheat, while excessive humidity can lead to condensation, corrosion, and early failure of components. Low humidity can result in Electrostatic Discharge (ESD), which can damage sensitive equipment. CMS keeps temperature and humidity levels within recommended ranges, using zone sensors to monitor conditions continuously. A web-based monitoring system provides real-time oversight of critical equipment, and asset management software helps plan and track necessary maintenance activities.
Water Damage Protection
Shut-off valves are used to prevent water damage by stopping the water supply in case of a leak. Main shut-off valves protect information system resources from water damage, while isolation valves can be used for maintenance or safety and may be added to, or may replace, main valves. CMS follows the GSA’s Facilities Standards (P100) to ensure proper protection, providing easily accessible and functional valves known to key personnel. Automated systems, like water detection sensors and alarms, are in place to detect water near the information systems and alert personnel. CMS uses asset management software to plan, manage, and track the maintenance of these systems.
Delivery and Removal
CMS controls and monitors the entry and exit of information system components by restricting access to delivery areas and possibly isolating them from sensitive areas like media libraries. CMS uses procedures to authorize, monitor, and track the movement of these components, ensuring secure storage and maintaining records of all entries and exits.
Alternate Work Site
Alternate work sites are part of CMS’s contingency operations and allow employees to work from different locations during emergencies. These sites are secured with specific controls based on the activities conducted there.
- Telework, which is part of the Continuity of Operations (COOP) plan, helps ensure that essential functions continue during disruptions like bad weather, pandemics, or other events that might close government offices.
- The Telework Enhancement Act of 2010 encourages agencies to use flexible work arrangements, including telework during emergencies.
- Participation in CMS’s telework program is voluntary, but employees must sign a telework agreement.
- In certain situations, like office closures or emergencies, CMS may require situational teleworking. Contractors may also telework if allowed by their supervisor.
- CMS’s policy that governs teleworking is in the Collective Bargaining Agreement under Article 29.
- Employees who were previously teleworking and are now required to return to the office can find guidance in this Return to Office memo.
- CMS ensures security at alternate work sites through measures like Virtual Private Networks (VPN), multi-factor authentication, encryption, and anti-virus software.
- Employees must follow security procedures, such as the HHS Rules of Behavior, for remote work. For security issues, employees can contact the CMS IT Service Desk.
Location of Information System Components
The placement of information system components within a facility is important to reduce the risk of damage from physical and environmental hazards and to limit the chance of unauthorized access. Careful consideration is needed when deciding where to place entry points, as unauthorized individuals nearby could attempt to access sensitive systems, possibly using tools like wireless sniffers or microphones. Properly positioning these components helps minimize these risks and ensures better security.
Summary of PE Protection within CMS
The PE control family emphasizes the importance of safeguarding information systems through stringent physical access controls, the protection of supporting infrastructure, and ensuring the availability of essential utilities. By focusing on the security of both the systems and their operating environments, PE controls aim to mitigate risks posed by physical threats and environmental hazards, ensuring the continued integrity and functionality of these critical systems.