This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization enforces physical access authorizations to the information system in addition to the physical access controls for the facility at [Assignment: organization-defined physical spaces containing one or more components of the information system].
NIST 800-53 (r4) Supplemental Guidance:
This control enhancement provides additional physical security for those areas within facilities where there is a concentration of information system components (e.g., server rooms, media storage areas, data and communications centers). Related control: PS-2.
NIST 800-53 (r5) Discussion:
Control of physical access to the system provides additional physical security for those areas within facilities where there is a concentration of system components.
38North Guidance:
Meets Minimum Requirement:
In addition to controlling access to the facility at large, separate physical access controls must be provided for the areas where information system components are housed. Examples include server racks, media storage, data center monitoring rooms, etc.
Document areas where information system components are concentrated and describe additional controls in place.
Implement additional physical access controls (e.g., dedicated key cards) for access to those specific areas.
Best Practice:
Do not issue dedicated physical access devices to employees for accessing information system components. Instead, centrally manage these devices and require personnel to check them out (and return them) as needed.
Design facilities so that general-use areas such as conference rooms and offices are segregated from information system components, and give the areas housing those components their own dedicated access control.
Ensure that video monitoring has visibility into information system components.
Unofficial FedRAMP Guidance:
TBD
Assessment Evidence:
Review documentation describing layered physical access controls.
Physically inspect layered physical access control.
CSP Implementation Tips:
AWS: Fully inherited
Azure: Fully inherited
GCP: Fully inherited