UNITED24 - Make a charitable donation in support of Ukraine!


Chapter 7

Access Control

Perimeter barriers, intrusion-detection devices, and protective lighting provide physical-security safeguards; however, they alone are not enough. An access-control system must be established and maintained to preclude unauthorized entry. Effective access-control procedures prevent the introduction of harmful devices, materiel, and components. They minimize the misappropriation, pilferage, or compromise of materiel or recorded information by controlling packages, materiel, and property movement. Access-control rosters, personal recognition, ID cards, badge-exchange procedures, and personnel escorts all contribute to an effective access-control system.

DESIGNATED Restricted Areas

7-1. The installation commander is responsible for designating and establishing restricted areas. A restricted area is any area that is subject to special restrictions or controls for security reasons. This does not include areas over which aircraft flight is restricted. Restricted areas may be established for the following:

  • The enforcement of security measures and the exclusion of unauthorized personnel.
  • Intensified controls in areas requiring special protection.
  • The protection of classified information or critical equipment or materials.

Degree of Security

7-2. The degree of security and control required depends on the nature, sensitivity, or importance of the security interest. Restricted areas are classified as controlled, limited, or exclusion areas.

  • A controlled area is that portion of a restricted area usually near or surrounding a limited or exclusion area. Entry to the controlled area is restricted to personnel with a need for access. Movement of authorized personnel within this area is not necessarily controlled since mere entry to the area does not provide access to the security interest. The controlled area is provided for administrative control, for safety, or as a buffer zone for in-depth security for the limited or exclusion area. The commander establishes the control of movement.
  • A limited area is a restricted area within close proximity of a security interest. Uncontrolled movement may permit access to the item. Escorts and other internal restrictions may prevent access within limited areas.
  • An exclusion area is a restricted area containing a security interest. Uncontrolled movement permits direct access to the item.

7-3. The security protection afforded by a restricted area pertains particularly to subversive-activity control; that is, protection against espionage, sabotage, or any such action adversely affecting national defense. Within this context, the designation "restricted area" is not applicable to an area solely for protection against common pilferage or misappropriation of property or material that is not classified or not essential to national defense. For example, an area devoted to the storage or use of classified documents, equipment, or materials should be designated as a restricted area to safeguard against espionage. An installation communications center should also be so designated to safeguard against sabotage. On the other hand, a cashier's cage or an ordinary mechanic's tool room should not be so designated, although the commander may impose controls to access. This may be a simple matter of posting an "off limits to unauthorized personnel" sign. The PM or the physical-security manager acts as an advisor to the commander. In his recommendations, he must consider evaluating the purpose of designating a restricted area and coordinating with the intelligence officer and the staff judge advocate (SJA).

7-4. A restricted area must be designated in writing by the commander and must be posted with warning signs according to AR 190-13. In areas where English is one of two or more languages commonly spoken, warning signs will be posted in English and in the local language (see Figure 7-1 below).

7-5. An installation may have varying degrees of security. It may be designated in its entirety as a restricted area, with no further restrictions; or it may be subdivided into controlled, limited, or exclusion areas with restrictions of movement and specific clear zones. Figure 7-2 depicts a simplified restricted area and the degrees of security.


7-6. There are other important considerations concerning restricted areas and their lines of division. These considerations include the following:

  • A survey and analysis of the installation, its missions, and its security interests. This can determine immediate and anticipated needs that require protection. Anticipated needs are determined from plans for the future.
  • The size and nature of the security interest being protected. Safes may provide adequate protection for classified documents and small items; however, large items may have to be placed within guarded enclosures.
  • Some security interests are more sensitive to compromise than others. Brief observation or a simple act by an untrained person may constitute a compromise in some cases. In others, detailed study and planned action by an expert may be required.
  • All security interests should be evaluated according to their importance. This may be indicated by a security classification such as confidential, secret, or top secret.
  • Parking areas for privately owned vehicles (POVs) are established outside of restricted areas. Vehicle entrances must be kept at a minimum for safe and efficient control.
  • Physical protective measures (such as fences, gates, and window bars) must be installed.

Employee Screening

7-7. Screening job applicants to eliminate potential acts of espionage and sabotage and other security risks is important in peacetime and is critical during a national emergency. Personnel screenings must be incorporated into standard personnel policies.

7-8. An applicant should be required to complete a personnel security questionnaire, which is then screened for completeness and used to eliminate undesirable applicants. A careful investigation should be conducted to ensure that the applicant's character, associations, and suitability for employment are satisfactory. The following sources may be helpful in securing employment investigative data:

  • State and local police (including national and local police in overseas areas).
  • Former employers.
  • Public records.
  • Credit agencies.
  • Schools (all levels).
  • References. (These references should include those names not furnished by the applicant. These are known as throw offs, and they are obtained during interviews of references furnished by applicants.)
  • Others as appropriate. (These may include the FBI, the US Army Criminal Records Repository, and the Defense Investigative Agency).

7-9. Medical screening considerations should be made (based on an applicant's position [such as a guard]) to evaluate physical and mental stamina. Once an applicant has been identified for employment, he is placed on an access-control roster.

Identification System

7-10. An ID system is established at each installation or facility to provide a method of identifying personnel. The system provides for personal recognition and the use of security ID cards or badges to aid in the control and movement of personnel activities.

7-11. Standard ID cards are generally acceptable for access into areas that are unrestricted and have no security interest. Personnel requiring access to restricted areas should be issued a security ID card or badge as prescribed in AR 600-8-14. The card's/badge's design must be simple and provide for adequate control of personnel.

7-12. A security ID card/badge system must be established for restricted areas with 30 or more employees per shift. Commanders may (at their discretion) authorize a card/badge system in restricted areas for less than 30 people.

ID Methods

7-13. Four of the most commonly used access-control ID methods are the personal-recognition system, the single-card or -badge system, the card- or badge-exchange system, and the multiple-card or -badge system.

Personal-Recognition System

7-14. The personal-recognition system is the simplest of all systems. A member of the security force providing access control visually checks the person requesting entry. Entry is granted based on—

  • The individual being recognized.
  • The need to enter has been established.
  • The person is on an access-control roster.

Single-Card or -Badge System

7-15. This system reflects permission to enter specific areas by the badge depicting specific letters, numbers, or particular colors. This system lends to comparatively loose control and is not recommended for high-security areas. Permission to enter specific areas does not always go with the need to know. Because the ID cards/badges frequently remain in the bearer's possession while off duty, it affords the opportunity for alteration or duplication.

Card- or Badge-Exchange System

7-16. In this system, two cards/badges contain identical photographs. Each card/badge has a different background color, or one card/badge has an overprint. One card/badge is presented at the entrance to a specific area and exchanged for the second card/badge, which is worn or carried while in that area. Individual possession of the second card/badge occurs only while the bearer is in the area for which it was issued. When leaving the area, the second card/badge is returned and maintained in the security area. This method provides a greater degree of security and decreases the possibility of forgery, alteration, or duplication of the card/badge. The levels of protection described in TM 5-853-1 require multiple access-control elements as the levels of protection increase. In the case of the badge exchange, this system counts as two access-control elements.

Multiple-Card or -Badge System

7-17. This system provides the greatest degree of security. Instead of having specific markings on the cards/badges denoting permission to enter various restricted areas, the multiple card/badge system makes an exchange at the entrance to each security area. The card/badge information is identical and allows for comparisons. Exchange cards/badges are maintained at each area only for individuals who have access to the specific area.

Mechanized/Automated Systems

7-18. An alternative to using guards or military police (MP) to visually check cards/badges and access rosters is to use building card-access systems or biometric-access readers. These systems can control the flow of personnel entering and exiting a complex. Included in these systems are—

  • Coded devices such as mechanical or electronic keypads or combination locks.
  • Credential devices such as magnetic-strip or proximity card readers.
  • Biometric devices such as fingerprint readers or retina scanners.

7-19. Access-control and ID systems base their judgment factor on a remote capability through a routine discriminating device for positive ID. These systems do not require guards at entry points; they identify an individual in the following manner:

  • The system receives physical ID data from an individual.
  • The data is encoded and compared to stored information.
  • The system determines whether access is authorized.
  • The information is translated into readable results.

7-20. Specialized mechanical systems are ideal for highly sensitive situations because they use a controlled process in a controlled environment to establish the required database and accuracy. One innovative technique applied to ID and admittance procedures involves dimension comparisons. The dimension of a person's full hand is compared to previously stored data to determine entry authorization. Other specialized machine readers can scan a single fingerprint or an eye retina and provide positive ID of anyone attempting entry.

7-21. An all-inclusive automated ID and access-control system reinforces the security in-depth ring through its easy and rapid change capability. The computer is able to do this through its memory. Changes can be made quickly by the system's administrator.

7-22. The commercial security market has a wide range of mechanized and automated hardware and software systems. Automated equipment is chosen only after considering the security needs and the environment in which it operates. These considerations include whether the equipment is outdoors or indoors, the temperature range, and weather conditions. Assessment of security needs and the use of planning, programming, and budgeting procedures greatly assist a security manager in improving the security posture.

Card/Badge Specifications

7-23. Security cards/badges should be designed and constructed to meet the requirements of AR 600-8-14. Upon issuing a card/badge, security personnel must explain to the bearer the wear required and the authorizations allowed with the card/badge. This includes—

  • Designation of the areas where an ID card/badge is required.
  • A description of the type of card/badge in use and the authorizations and limitations placed on the bearer.
  • The required presentation of the card/badge when entering or leaving each area during all hours of the day.
  • Details of when, where, and how the card/badge should be worn, displayed, or carried.
  • Procedures to follow in case of loss or damage of the card.
  • The disposition of the card/badge upon termination of employment, investigations, or personnel actions.
  • Prerequisites for reissuing the card/badge.

Visitor Identification and Control

7-24. Procedures must be implemented to properly identify and control personnel. This includes visitors presenting their cards/badges to guards at entrances of restricted areas. Visitors are required to stay with their assigned escort. Guards must ensure that visitors stay in areas relating to their visit; an uncontrolled visitor, although conspicuously identified, could acquire information for which he is not authorized. Foreign-national visitors should be escorted at all times.

7-25. Approval for visitors should be obtained at least 24 hours in advance (if possible). Where appropriate, the installation should prepare an agenda for the visitor and designate an escort officer. Measures must be in place to recover visitor cards/badges on the visit's expiration or when they are no longer required.

7-26. Physical-security precautions against pilferage, espionage, and sabotage require the screening, ID, and control of visitors. Further information about visiting requirements and procedures are found in ARs 12-15 and 381-20. Visitors are generally classed in the following categories:

  • Persons with whom every installation or facility has business (such as suppliers, customers, insurance inspectors, and government inspectors).
  • Individuals or groups who desire to visit an installation or facility for personal or educational reasons. Such visits may be desired by educational, technical, or scientific organizations.
  • Individuals or groups specifically sponsored by the government (such as foreign nationals visiting under technical cooperation programs and similar visits by US nationals). Requests for visits by foreign nationals must be processed according to AR 380-10.
  • Guided tours to selected portions of the installation in the interest of public relations.

7-27. The ID and control mechanisms for visitors must be in place. They may include the following:

  • Methods of establishing the authority for admitting visitors and any limitations relative to access.
  • Positive ID of visitors by personal recognition, visitor permit, or other identifying credentials. Contact the employer, supervisor, or officer in charge to validate the visit.
  • The use of visitor registration forms. These forms provide a record of the visitor and the time, location, and duration of his visit.
  • The use of visitor ID cards/badges. The cards/badges bear serial numbers, the area or areas to which access is authorized, the bearer's name, and escort requirements.

7-28. Individual groups entering a restricted area must meet specific prerequisites before being granted access. The following guidance is for group access into a restricted area:


7-29. Before allowing visitors into a restricted area, contact the person or activity being visited. After verifying the visitor's identity, issue a badge, complete the registration forms, and assign an escort (if required). Visitors may include public-utility and commercial-service representatives.

Very Important Persons

7-30. The procedures for admitting very important persons (VIPs) and foreign nationals into restricted areas are contained in AR 12-15. Special considerations and coordination with the protocol office are necessary. A 24-hour advance notice is desirable for these requests, along with an agenda for the visit and the designation of an escort, if appropriate.

Civilians Working on Jobs Under Government Contract

7-31. To allow these personnel to conduct business in restricted areas, the security manager must coordinate with the procurement office. The security manager must also identify movement-control procedures for these employees.

Cleaning Teams

7-32. Supervisors using cleaning teams must seek technical advice from the physical-security office on internal controls for each specific building. This may include providing escorts.

DOD Employees in Work Areas After Normal Operating Hours

7-33. Supervisors establish internal controls based on coordination with the security manager. They also notify security personnel of the workers' presence, type, and duration of work.

Enforcement Measures

7-34. The most vulnerable link in any ID system is its enforcement. Security forces must be proactive in performing their duties. A routine performance of duty will adversely effect even the most elaborate system. Positive enforcement measures must be prescribed to enhance security. Some of these measures may include—

  • Designating alert and tactful security personnel at entry control points.
  • Ensuring that personnel possess quick perception and good judgment.
  • Requiring entry-control personnel to conduct frequent irregular checks of their assigned areas.
  • Formalizing standard procedures for conducting guard mounts and posting and relieving security personnel. These measures will prevent posting of unqualified personnel and a routine performance of duty.
  • Prescribing a uniform method of handling or wearing security ID cards/badges. If carried on the person, the card must be removed from the wallet (or other holder) and handed to security personnel. When worn, the badge will be worn in a conspicuous position to expedite inspection and recognition from a distance.
  • Designing entry and exit control points of restricted areas to force personnel to pass in a single file in front of security personnel. In some instances, the use of turnstiles may be advisable to assist in maintaining positive control.
  • Providing lighting at control points. The lighting must illuminate the area to enable security personnel to compare the bearer with the ID card/badge.
  • Enforcing access-control measures by educating security forces and employees. Enforcement of access-control systems rests primarily with the security forces; however, it is essential that they have the full cooperation of the employees. Employees must be instructed to consider each unidentified or improperly identified individual as a trespasser. In restricted areas where access is limited to a particular zone, employees must report unauthorized individuals to the security force.
  • Positioning ID card/badge racks or containers at entry control points so that they are accessible only to guard-force personnel.
  • Appointing a responsible custodian to accomplish control procedures of cards/badges according to AR 600-8-14. The custodian is responsible for the issue, turn in, recovery, and renewal of security ID cards/badges.

7-35. The degree of compromise tolerable in the ID system is in direct proportion to the degree of security required. The following control procedures are recommended for preserving the integrity of a card/badge system:

  • Maintenance of an accurate written record or log listing (by serial number) all cards and badges and showing those on hand, to whom they are issued, and their disposition (lost, mutilated, or destroyed).
  • Authentication of records and logs by the custodian.
  • A periodic inventory of records by a commissioned officer.
  • The prompt invalidation of lost cards/badges.
  • The conspicuous posting at security control points of current lists of lost or invalidated cards/badges.
  • The establishment of controls within restricted areas to enable security personnel to determine the number of persons within the area.
  • The establishment of the two-person rule (when required).
  • The establishment of procedures to control the movement of visitors. A visitor-control record will be maintained and located at entry control points.

Sign/Countersign and Code word

7-36. This method of verifying identity is primarily used in a tactical environment. According to the local SOP, the sign/countersign or code-word procedures must be changed immediately if compromised.

Duress Code

7-37. The duress code is a simple word or phrase used during normal conversation to alert other security personnel that an authorized person is under duress. A duress code requires planning and rehearsal to ensure an appropriate response. This code is changed frequently to minimize compromise.

Access-Control Rosters

7-38. Admission of personnel to a restricted area is granted to those identified and listed on an access-control roster. Pen-and-ink changes may be made to the roster. Changes are published in the same manner as the original roster.

7-39. Rosters are maintained at access control points. They are kept current, verified, and accounted for by an individual designated by the commander. Commanders or their designated representatives authenticate the rosters. Admission of persons other than those on the rosters is subject to specific approval by the security manager. These personnel may require an escort according to the local SOP.

Methods of Control

7-40. There are a number of methods available to assist in the movement and control of personnel in limited, controlled, and restricted areas. The following paragraphs discuss the use of escorts and the two-person rule:


7-41. Escorts are chosen because of their ability to accomplish tasks effectively and properly. They possess knowledge of the area being visited. Escorts may be guard-force personnel, but they are normally personnel from the area being visited. Local regulations and SOPs determine if a visitor requires an escort while in the restricted area. Personnel on the access list may be admitted to restricted areas without an escort.

Two-person Rule

7-42. The two-person rule is designed to prohibit access to sensitive areas or equipment by a lone individual. Two authorized persons are considered present when they are in a physical position from which they can positively detect incorrect or unauthorized procedures with respect to the task or operation being performed. The team is familiar with applicable safety and security requirements, and they are present during any operation that affords access to sensitive areas or equipment that requires the two-person rule. When application of the two-person rule is required, it is enforced constantly by the personnel who constitute the team.

7-43. The two-person rule is applied in many other aspects of physical-security operations, such as the following:

  • When uncontrolled access to vital machinery, equipment, or materiel might provide opportunity for intentional or unintentional damage that could affect the installation's mission or operation.
  • When uncontrolled access to funds could provide opportunity for diversion by falsification of accounts.
  • When uncontrolled delivery or receipt for materials could provide opportunity for pilferage through "short" deliveries and false receipts.
  • When access to an arms or ammunition storage room could provide an opportunity for theft. Keys should be issued so that at least two people must be present to unlock the locks required under the provisions of AR 190-11.

7-44. The two-person rule is limited to the creativity of the PM and the physical-security manager. They should explore every aspect of physical-security operations in which the two-person rule would provide additional security and assurance and include all appropriate recommendations and provisions of the physical-security plan. An electronic-entry control system may be used to enforce the two-person rule. The system can be programmed to deny access until two authorized people have successfully entered codes or swiped cards.

Security Controls of Packages, Personal PropertY, and Vehicles

7-45. A good package-control system helps prevent or minimize pilferage, sabotage, and espionage. The local SOP may allow the entry of packages with proper authorization into restricted areas without inspection. A package-checking system is used at the entrance gate. When practical, inspect all outgoing packages except those properly authorized for removal. When a 100 percent inspection is impractical, conduct frequent unannounced spot checks. A good package-control system assists in the movement of authorized packages, material, and property.

7-46. Property controls are not limited to packages carried openly, but they include the control of anything that could be used to conceal property or material. Personnel should not be routinely searched except in unusual situations. Searches must be performed according to the local SOP.

7-47. All POVs on the installation should be registered with the PM or the installation's physical-security office. Security personnel should assign a temporary decal or other temporary ID tag to visitors' vehicles to permit ready recognition. The decal or the tag should be distinctly different from that of permanent-party personnel.

7-48. When authorized vehicles enter or exit a restricted area, they undergo a systematic search, including (but not limited to) the—

  • Vehicle's interior.
  • Engine compartment.
  • External air breathers.
  • Top of the vehicle.
  • Battery compartment.
  • Cargo compartment.
  • Undercarriage.

7-49. The movement of trucks and railroad cars into and out of restricted areas should be supervised and inspected. Truck and railroad entrances are controlled by locked gates when not in use and are manned by security personnel when unlocked. The ID cards/badges are issued to operators to ensure proper ID and registration for access to specific loading and unloading areas.

7-50. All conveyances entering or leaving a protected area are required to pass through a service gate manned by security forces. Drivers, helpers, passengers, and vehicle contents must be carefully examined. The examination may include—

  • Appropriate entries in the security log (including the date, operator's name, load description, and time entered and departed).
  • A check of the operator's license.
  • Verification of the seal number with the shipping document and examination of the seal for tampering.

7-51. Incoming trucks and railroad cars must be assigned escorts before they are permitted to enter designated limited or exclusion areas. Commanders should establish published procedures to control the movement of trucks and railroad cars that enter designated restricted areas to discharge or pick up cargo (escorts will be provided when necessary).

7-52. The best control is provided when all of these elements are incorporated into access-control procedures. Simple, understandable, and workable access-control procedures are used to achieve security objectives without impeding operations. When properly organized and administered, access-control procedures provide a method of positively identifying personnel who have the need to enter or leave an area.


7-53. Access-control procedures during tactical operations may establish additional challenges for the commander. In some instances, the commander cannot provide a perimeter barrier (such as a fence) based on METT-TC. Commanders are still required to provide security measures for restricted areas, although they may not always have the necessary assets. Early-warning systems and the use of guards become crucial. A restricted area may become a requirement without prior notice during an operation. Figure 7-3 and Figure 7-4 below are examples of temporary tactical restricted and exclusion areas.

7-54. Commanders must plan for these considerations when developing their budget. Funding must be requested and set aside to support physical-security requirements during tactical operations. Resources will not always be available; therefore, commanders must implement procedures that support access-control measures. Improvising will become common practice to overcome shortfalls concerning access-control equipment in the field.




Join the GlobalSecurity.org mailing list