This page is classified as INTERNAL.
NIST 800-53 (r4) Control
The organization:
a. Develops, approves, and maintains a list of individuals with authorized access to the facility where the information system resides;
b. Issues authorization credentials for facility access;
c. Reviews the access list detailing authorized facility access by individuals [FedRAMP Assignment: (H) at least every ninety days, (L) (M) at least annually]; and
d. Removes individuals from the facility access list when access is no longer required.
NIST 800-53 (r4) Supplemental Guidance
This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Authorization credentials include, for example, badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed (including level of forge-proof badges, smart cards, or identification cards) consistent with federal standards, policies, and procedures. This control only applies to areas within facilities that have not been designated as publicly accessible. Related controls: PE-3, PE-4, PS-3.
NIST 800-53 (r5) Discussion
Physical access authorizations apply to employees and visitors. Individuals with permanent physical access authorization credentials are not considered visitors. Authorization credentials include ID badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Physical access authorizations may not be necessary to access certain areas within facilities that are designated as publicly accessible.
38North Guidance:
Meets Minimum Requirement:
Show the ability to maintain a formal, well-organized, protected list of individuals with authorized access to the facility.
Have a system for tracking the issuance of authorization credentials for facility access.
Conduct reviews of the access list in accordance with (IAW) the timeframes established by the system categorization.
Maintain a process for removing individuals from the facility access list when access is no longer required.
Best Practice:
Use a secure, limited-access system for listing those individuals with system access.
Record in this system who signed off on each individual's access, when credentials were issued, what the individual's role is, any limitations on their access, and if and when access was terminated.
Review access list every 90 days regardless of system categorization.
Have a manager sign off on the access list following each review.
Clearly integrate physical security personnel into the personnel termination process to ensure that access to facilities is immediately revoked following termination.
Maintain a centralized digital system that allows for instant revocation of physical access in the event of termination (e.g. limit the use of old-school physical keys, especially at the perimeter, and rely on dedicated badges rather than general-purpose cards such as driver's licenses).
Have a separate registry for tracking individual credentials and types.
Integrate physical security and access control into employee onboarding and employee out-processing procedures.
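The following is an added example, not 38North's or NIST's code, showing how the best practices above can be checked mechanically: an access register that records approver, issue date, role, limitations and termination for each individual, applies the FedRAMP review cadence by categorization (High every 90 days, Low/Moderate annually), and flags the conditions an assessor would look for (overdue review, terminated individuals whose credential is still active, entries with no recorded approver). The data model, field names and sample records are assumptions constructed for the example.

```python
"""Physical access register checks (added example, not 38North or NIST code).

Models the fields the Best Practice list recommends for a facility access
list and the review cadence FedRAMP assigns by system categorization.
All records and dates below are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple

# FedRAMP assignment from the control text: High every 90 days, Low/Moderate annually.
REVIEW_INTERVAL_DAYS: Dict[str, int] = {"H": 90, "M": 365, "L": 365}


@dataclass
class AccessEntry:
    person: str
    role: str
    approved_by: str                      # who signed off on the access
    issued_on: date                       # when the credential was issued
    credential_type: str                  # e.g. "badge" or "smart card"
    limitations: str = ""                 # e.g. "escorted in data hall"
    terminated_on: Optional[date] = None  # set when access is no longer required
    credential_active: bool = True        # whether the physical credential still works


@dataclass
class AccessRegister:
    categorization: str                   # "H", "M" or "L"
    entries: List[AccessEntry] = field(default_factory=list)
    reviews: List[Tuple[date, str]] = field(default_factory=list)  # (review date, signing manager)

    def review_interval(self) -> int:
        return REVIEW_INTERVAL_DAYS[self.categorization]

    def review_overdue(self, today: date) -> bool:
        """True if the last manager-signed review is older than the required interval."""
        if not self.reviews:
            return True
        last_review = max(d for d, _ in self.reviews)
        return (today - last_review).days > self.review_interval()

    def revoke(self, person: str, on: date) -> None:
        """Part d of the control: remove the individual and deactivate the credential together."""
        for e in self.entries:
            if e.person == person and e.terminated_on is None:
                e.terminated_on = on
                e.credential_active = False

    def findings(self, today: date) -> List[str]:
        """Conditions an assessor would flag when reviewing the evidence listed on this page."""
        out: List[str] = []
        if self.review_overdue(today):
            out.append(f"access list review overdue (required every {self.review_interval()} days)")
        for e in self.entries:
            if e.terminated_on is not None and e.credential_active:
                out.append(f"{e.person}: terminated {e.terminated_on} but credential still active")
            if not e.approved_by:
                out.append(f"{e.person}: no approver recorded")
        return out

    def active_list(self) -> List[str]:
        """The current list of individuals with authorized facility access."""
        return sorted(e.person for e in self.entries if e.terminated_on is None)


def build_sample_register() -> AccessRegister:
    """Constructed sample data for a High-categorized system (not real records)."""
    reg = AccessRegister(categorization="H")
    reg.entries = [
        AccessEntry("alice", "facilities engineer", "j.manager", date(2023, 1, 10), "badge"),
        AccessEntry("bob", "contractor", "j.manager", date(2023, 2, 1), "badge",
                    limitations="escorted in data hall"),
        AccessEntry("carol", "sysadmin", "", date(2023, 3, 5), "smart card"),
    ]
    reg.reviews.append((date(2023, 3, 1), "j.manager"))
    # bob's contract ended, but the badge was never deactivated in the credential system
    reg.entries[1].terminated_on = date(2023, 4, 1)
    return reg


if __name__ == "__main__":
    register = build_sample_register()
    for finding in register.findings(date(2023, 7, 1)):
        print(finding)
```

Running the sample on 2023-07-01 reports an overdue review (122 days since the last signed review against a 90-day requirement), bob's still-active badge after termination, and carol's missing approver; calling `revoke()` clears an individual from the active list and the credential in one step, which is the point of integrating physical security into out-processing.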
Unofficial FedRAMP Guidance:
TBD
Assessment Evidence:
Access list
Credentials types and lists
Evidence of access control list reviews (e.g. an email indicating completion, or a signed form attached to the list)
Description of the process for terminating access, and evidence of recent access terminations.
Review evidence of how physical access is requested and approved, and how credentials are issued.
Sample of a new physical access request with approval
CSP Implementation Tips:
AWS: fully inherited
Azure: fully inherited
GCP: fully inherited