This page is classified as INTERNAL.
NIST 800-53 (r4) Control
The organization positions information system components within the facility to minimize potential damage from [FedRAMP Assignment: physical and environmental hazards identified during threat assessment] and to minimize the opportunity for unauthorized access.
NIST 800-53 (r4) Supplemental Guidance
Physical and environmental hazards include, for example, flooding, fire, tornados, earthquakes, hurricanes, acts of terrorism, vandalism, electromagnetic pulse, electrical interference, and other forms of incoming electromagnetic radiation. In addition, organizations consider the location of physical entry points where unauthorized individuals, while not being granted access, might nonetheless be in close proximity to information systems and therefore increase the potential for unauthorized access to organizational communications (e.g., through the use of wireless sniffers or microphones). Related controls: CP-2, PE-19, RA-3.
NIST 800-53 (r5) Discussion
Physical and environmental hazards include floods, fires, tornadoes, earthquakes, hurricanes, terrorism, vandalism, an electromagnetic pulse, electrical interference, and other forms of incoming electromagnetic radiation. Organizations consider the location of entry points where unauthorized individuals, while not being granted access, might nonetheless be near systems. Such proximity can increase the risk of unauthorized access to organizational communications using wireless packet sniffers or microphones, or unauthorized disclosure of information.
38North Guidance:
Meets Minimum Requirement:
Conduct and document a physical threat assessment, either standalone or integrated into the general risk assessment
Document / diagram datacenter architecture
Demonstrate protections against threats identified during physical threat assessment
Best Practice:
Consider weight limits when designing load-bearing areas
Centrally locate system components
Build with fire prevention in mind, and use fire-retardant materials that do not release toxic fumes when burned
Employ Control of Hazardous Energy (CoHE) / Lockout Tagout (LOTO) techniques when required.
If located in a flood zone, install pumping solutions that are integrated with long-term power options.
Unofficial FedRAMP Guidance:
TBD
Assessment Evidence:
Review physical threat assessment
Review documentation / diagrams that describe datacenter architecture
Inspect protections against threats identified during physical threat assessment
Verify components are positioned toward the interior of the datacenter to minimize exposure to physical and environmental hazards
CSP Implementation Tips:
AWS: Fully inherited.
Azure: Fully inherited.
GCP: Fully inherited.