This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization:
a. Monitors physical access to the facility where the information system resides to detect and respond to physical security incidents;
b. Reviews physical access logs [FedRAMP Assignment: (L) (M) (H) at least monthly] and upon occurrence of [Assignment: organization-defined events or potential indications of events]; and
c. Coordinates results of reviews and investigations with the organizational incident response capability.
NIST 800-53 (r4) Supplemental Guidance:
Organizational incident response capabilities include investigations of and responses to detected physical security incidents. Security incidents include, for example, apparent security violations or suspicious physical access activities. Suspicious physical access activities include, for example: (i) accesses outside of normal work hours; (ii) repeated accesses to areas not normally accessed; (iii) accesses for unusual lengths of time; and (iv) out-of-sequence accesses.
Related controls: CA-7, IR-4, IR-8.
NIST 800-53 (r5) Discussion:
Physical access monitoring includes publicly accessible areas within organizational facilities. Examples of physical access monitoring include the employment of guards, video surveillance equipment (i.e., cameras), and sensor devices. Reviewing physical access logs can help identify suspicious activity, anomalous events, or potential threats. The reviews can be supported by audit logging controls, such as AU-2, if the access logs are part of an automated system. Organizational incident response capabilities include investigations of physical security incidents and responses to the incidents. Incidents include security violations or suspicious physical access activities. Suspicious physical access activities include accesses outside of normal work hours, repeated accesses to areas not normally accessed, accesses for unusual lengths of time, and out-of-sequence accesses.
38North Guidance:
Meets Minimum Requirement:
Organizations have a fair degree of latitude in defining their monitoring approach. However, physical access will need to be monitored, at least electronically (e.g. badge readers).
Ensure effective, consistent application of the selected monitoring strategy for all physical access points.
Document the process, timeline and criteria for reviewing physical access logs.
Review access logs at least monthly. Document the results of these reviews.
Report results to incident response personnel.
Best Practice:
Adopt a layered approach, with card readers, guards, video, and sensors used to not only control access, but to monitor it continuously.
Store access data for one year.
Implement automated alerting to identify anomalies (e.g. out-of-sequence access).
Implement visual and auditory alarm systems.
Encourage appropriately-permissioned staff to undertake reviews at their discretion, in addition to the officially mandated reviews.
Log and track physical security incidents in a ticketing system.
Unofficial FedRAMP Guidance:
TBD
Assessment Evidence:
Review documentation of physical access points.
Review documentation of physical access control measures in place at physical access points.
Review evidence of physical access log reviews.
Review reports distributed to incident response team members.
Examine physical access security measures.
CSP Implementation Tips:
AWS: Fully inherited
Azure: Fully inherited
GCP: Fully inherited