This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization:
a. Enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system resides] by;
1. Verifying individual access authorizations before granting access to the facility; and
2. Controlling ingress/egress to the facility using [FedRAMP Assignment: (L) (M) (H) CSP defined physical access control systems/devices AND guards];
b. Maintains physical access audit logs for [Assignment: organization-defined entry/exit points];
c. Provides [Assignment: organization-defined security safeguards] to control access to areas within the facility officially designated as publicly accessible;
d. Escorts visitors and monitors visitor activity [FedRAMP Assignment: (L) (M) (H) in all circumstances within restricted access area where the information system resides];
e. Secures keys, combinations, and other physical access devices;
f. Inventories [Assignment: organization-defined physical access devices] every [FedRAMP Assignment: (L) (M) (H) at least annually]; and
g. Changes combinations and keys [FedRAMP Assignment: at least annually] and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated.
NIST 800-53 (r4) Supplemental Guidance:
This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Organizations determine the types of facility guards needed including, for example, professional physical security staff or other personnel such as administrative staff or information system users. Physical access devices include, for example, keys, locks, combinations, and card readers. Safeguards for publicly accessible areas within organizational facilities include, for example, cameras, monitoring by guards, and isolating selected information systems and/or system components in secured areas. Physical access control systems comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. The Federal Identity, Credential, and Access Management Program provides implementation guidance for identity, credential, and access management capabilities for physical access control systems. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural (e.g., a written log of individuals accessing the facility and when such access occurred), automated (e.g., capturing ID provided by a PIV card), or some combination thereof. Physical access points can include facility access points, interior access points to information systems and/or components requiring supplemental access controls, or both. Components of organizational information systems (e.g., workstations, terminals) may be located in areas designated as publicly accessible with organizations safeguarding access to such devices. Related controls: AU-2, AU-6, MP-2, MP-4, PE-2, PE-4, PE-5, PS-3, RA-3.
NIST 800-53 (r5) Discussion:
Physical access control applies to employees and visitors. Individuals with permanent physical access authorizations are not considered visitors. Physical access controls for publicly accessible areas may include physical access control logs/records, guards, or physical access devices and barriers to prevent movement from publicly accessible areas to non-public areas. Organizations determine the types of guards needed, including professional security staff, system users, or administrative staff. Physical access devices include keys, locks, combinations, biometric readers, and card readers. Physical access control systems comply with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural, automated, or some combination thereof. Physical access points can include facility access points, interior access points to systems that require supplemental access controls, or both. Components of systems may be in areas designated as publicly accessible with organizations controlling access to the components.
38North Guidance:
Meets Minimum Requirement:
Define entrance and exit points that allow access to the information system.
Implement physical access controls that protect the information system from unauthorized access.
Use physical security measures and security guards to protect the information system.
Maintain physical access logs showing who accessed the facility.
Document the physical controls in place for areas of the facility designated as publicly accessible (e.g. a lobby).
Escort all visitors and monitor activity in areas where the information system resides.
Manage and secure physical access devices that are not assigned to a specific individual (e.g. keys to server racks, spare access cards, storage room keys), so that only authorized staff can obtain them.
Inventory physical access devices at least annually.
Change combinations and keys at least annually, and whenever keys are lost, combinations are compromised, or individuals are transferred or terminated.
Best Practice:
Use multifactor authentication (e.g. badge plus PIN or biometric) for physical access control.
Develop and implement visitor procedures to facilitate check-in, logging of the visit, and escorting.
Use mantraps at secure entrances to prevent tailgating.
Install security alarms and video surveillance at the physical location.
Unofficial FedRAMP Guidance:
TBD
Assessment Evidence:
Review of documented entrance and exit points and their associated security measures.
Physical inspection of security measures.
Interviews with guards and a review of guard schedules.
Review of physical access logs.
Evidence of visitor escort.
Review of secure storage of physical access devices (e.g. keys).
Review evidence of annual device inventory.
Review evidence that keys and combinations were changed after loss, compromise, termination, or transfer, and at least annually.
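The log and device-rotation reviews in the evidence list above can be automated when the badge system and HR roster export data. The script below is an added example, not code from the 38North page or from any access-control vendor: the badge log columns, the roster, the device inventory and the function names (run_audit, post_termination_access, overdue_rotation) are constructed for illustration. It flags badge access granted after a holder's termination date, badges that appear in the log but not on the roster, devices not inventoried within a year (PE-3 f), and keys or combinations that are older than a year or still assigned to a terminated holder (PE-3 g).

```python
"""Audit checks over constructed physical-access evidence (PE-3 b, f, g).

Added example, not part of the 38North page. The badge log, HR roster
and device inventory are constructed sample data; the column layout is
an assumption, not any vendor's export format.
"""
from datetime import date, datetime, timedelta

# Constructed badge-reader log: timestamp, badge id, door, reader decision.
BADGE_LOG = """\
2024-03-01T08:02:11Z,B1001,DC-EAST-MANTRAP,GRANTED
2024-03-01T08:03:40Z,B1002,DC-EAST-MANTRAP,GRANTED
2024-03-02T22:15:05Z,B1003,DC-EAST-MANTRAP,GRANTED
2024-03-03T09:10:00Z,B1003,CAGE-7,GRANTED
2024-03-03T09:12:30Z,B1004,CAGE-7,DENIED
2024-03-04T07:55:19Z,B1002,CAGE-7,GRANTED
2024-03-04T12:00:00Z,B9999,CAGE-7,GRANTED
"""

# Constructed HR roster: badge id -> (name, termination date or None).
ROSTER = {
    "B1001": ("alice", None),
    "B1002": ("bob", None),
    "B1003": ("carol", date(2024, 3, 1)),   # terminated, badge never revoked
    "B1004": ("dave", date(2024, 2, 15)),   # terminated, badge revoked
}

# Constructed inventory of physical access devices (PE-3 e/f/g):
# holder is None when the device is held in the key safe; rotated is
# None for devices that are not keys or combinations.
DEVICES = [
    {"id": "K-RACK-07", "kind": "key", "holder": "B1003",
     "inventoried": date(2023, 12, 1), "rotated": date(2023, 1, 15)},
    {"id": "C-SAFE-1", "kind": "combination", "holder": None,
     "inventoried": date(2023, 1, 10), "rotated": date(2024, 1, 10)},
    {"id": "CARD-SPARE-3", "kind": "card", "holder": None,
     "inventoried": date(2024, 2, 20), "rotated": None},
]


def parse_badge_log(text):
    """Parse the constructed CSV log into dicts with naive UTC datetimes."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, badge, door, result = line.split(",")
        records.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                        "badge": badge, "door": door, "result": result})
    return records


def post_termination_access(records, roster):
    """PE-3 b: GRANTED events on a badge dated after its holder's termination."""
    findings = []
    for r in records:
        name, term = roster.get(r["badge"], ("unknown", None))
        if r["result"] == "GRANTED" and term is not None and r["ts"].date() > term:
            findings.append((r["badge"], name, r["ts"].isoformat(), r["door"]))
    return findings


def stale_inventory(devices, as_of, max_age=timedelta(days=365)):
    """PE-3 f: devices not inventoried within the last year."""
    return [d["id"] for d in devices if as_of - d["inventoried"] > max_age]


def overdue_rotation(devices, roster, as_of, max_age=timedelta(days=365)):
    """PE-3 g: keys/combinations older than a year, or still assigned to a
    holder who has been terminated (rotation should follow offboarding)."""
    findings = []
    for d in devices:
        if d["kind"] not in ("key", "combination"):
            continue
        reasons = []
        if as_of - d["rotated"] > max_age:
            reasons.append("older than %d days" % max_age.days)
        holder = d["holder"]
        if holder and roster.get(holder, (None, None))[1] is not None:
            reasons.append("holder %s terminated" % roster[holder][0])
        if reasons:
            findings.append((d["id"], reasons))
    return findings


def run_audit(as_of=date(2024, 3, 5)):
    """Run every check and return the findings keyed by check name."""
    records = parse_badge_log(BADGE_LOG)
    return {
        "post_termination": post_termination_access(records, ROSTER),
        # A badge in the log but not on the roster is itself a PE-3 f gap.
        "unrostered": sorted({r["badge"] for r in records if r["badge"] not in ROSTER}),
        "stale_inventory": stale_inventory(DEVICES, as_of),
        "overdue_rotation": overdue_rotation(DEVICES, ROSTER, as_of),
    }


if __name__ == "__main__":
    for check, hits in run_audit().items():
        print(check, hits or "clean")
```

Run against a real export, the termination comparison should use the revocation timestamp from the offboarding ticket rather than the calendar date, and DENIED events on a terminated badge are worth reporting separately: they show the badge was revoked but not physically recovered.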
CSP Implementation Tips:
AWS: Fully inherited.
Azure: Fully inherited.
GCP: Fully inherited.