This page is classified as INTERNAL.
NIST 800-53 (r4) Control
The organization authorizes, monitors, and controls [FedRAMP Assignment: (L) (M) (H) all information system components] entering and exiting the facility and maintains records of those items.
NIST 800-53 (r4) Supplemental Guidance
Effectively enforcing authorizations for entry and exit of information system components may require restricting access to delivery areas and possibly isolating the areas from the information system and media libraries. Related controls: CM-3, MA-2, MA-3, MP-5, SA-12.
NIST 800-53 (r5) Discussion
Enforcing authorizations for entry and exit of system components may require restricting access to delivery areas and isolating the areas from the system and media libraries.
38North Guidance:
Meets Minimum Requirement:
Document the process and associated procedures for authorizing, monitoring and controlling information system components entering and exiting the facility.
Designate specific roles as being responsible for controlling assets as they enter and exit the facility.
Ensure that personnel understand their roles and responsibilities with respect to controlling the entrance and exit of information system components.
Best Practice:
Do not allow assets to leave the datacenter without first being sanitized unless special exemption is granted by senior personnel.
While delivery personnel need access to the datacenter, do not provide persistent access.
Ensure that all packages containing IT assets are checked in and signed for.
Deliveries of IT assets should be immediately segregated in a secure portion of the datacenter.
IT personnel should inspect delivery of IT assets and validate that delivered items match purchase orders and arrive in expected condition in sealed packages.
When possible, IT equipment should be scanned and/or formatted prior to release.
Tag all assets for inventory management.
Consider automated asset tracking solutions (e.g. RFID).
Consider installing a Datacenter Inventory Management Solution.
Unofficial FedRAMP Guidance:
TBD
Assessment Evidence:
Review documentation describing process and procedures for entrance and exit of information system components.
Interview personnel to validate that practice conforms to documentation.
Examine delivery records (or tickets) for components.
Record of components entering and exiting the facility.
CSP Implementation Tips:
AWS: Fully inherited.
Azure: Fully inherited.
GCP: Fully inherited.