This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output.
NIST 800-53 (r4) Supplemental Guidance:
Controlling physical access to output devices includes, for example, placing output devices in locked rooms or other secured areas and allowing access to authorized individuals only, and placing output devices in locations that can be monitored by organizational personnel. Monitors, printers, copiers, scanners, facsimile machines, and audio devices are examples of information system output devices.
NIST 800-53 (r5) Discussion:
Controlling physical access to output devices includes placing output devices in locked rooms or other secured areas with keypad or card reader access controls and allowing access to authorized individuals only, placing output devices in locations that can be monitored by personnel, installing monitor or screen filters, and using headphones. Examples of output devices include monitors, printers, scanners, audio devices, facsimile machines, and copiers.
38North Guidance:
Meets Minimum Requirement:
Document the output devices in use in the datacenter.
Document the roles authorized to access and use output devices.
Secure all output devices by consolidating them in secure areas of the datacenter or using separate locked rooms.
Best Practice:
Avoid output devices unless strictly necessary.
Assign risk ratings to output devices based on their access.
Lock output devices in place (e.g. via locked tethers).
Document and execute processes/procedures for updating device firmware.
For unavoidable output devices (e.g. monitors), place them on subnets that have limited or no access to datacenter operations (e.g. the security station in the lobby area).
For monitors that might display datacenter operations, ensure they are not visible from publicly accessible areas of the datacenter (e.g. ensure that monitors cannot be viewed through windows).
Consolidate output devices in a separately locked room.
Where possible, enforce additional access requirements for output devices (e.g. a PIN for a printer).
Unofficial FedRAMP Guidance:
TBD
Assessment Evidence:
Review documentation that lists all output devices in use in the datacenter.
Review documentation describing the approach to securing output devices.
Review roles authorized to access and use output devices.
Physically inspect the security of output devices.
CSP Implementation Tips:
AWS: Fully inherited
Azure: Fully inherited
GCP: Fully inherited