This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization monitors physical access to the information system in addition to the physical access monitoring of the facility as [Assignment: organization-defined physical spaces containing one or more components of the information system].
NIST 800-53 (r4) Supplemental Guidance:
This control enhancement provides additional monitoring for those areas within facilities where there is a concentration of information system components (e.g., server rooms, media storage areas, communications centers). Related controls: PS-2, PS-3.
NIST 800-53 (r5) Discussion:
Monitoring physical access to systems provides additional monitoring for those areas within facilities where there is a concentration of system components, including server rooms, media storage areas, and communications centers. Physical access monitoring can be coordinated with intrusion detection systems and system monitoring capabilities to provide comprehensive and integrated threat coverage for the organization.
38North Guidance:
Meets Minimum Requirement:
Define and document areas of the facility that have a high concentration of information system components.
Define and document the extra security monitoring and physical access control applied to these areas.
Best Practice:
Design the facility so that core components are housed centrally or are otherwise easy to physically segregate from high-traffic areas.
Apply additional layers of security and monitoring to those areas (e.g., additional guards, additional security cameras, additional alarms, badge readers, centralized key checkout).
Unofficial FedRAMP Guidance:
TBD
Assessment Evidence:
Review documentation identifying areas of the facility that have a high concentration of information system components.
Review documentation describing the additional measures in place to secure these areas.
Physically inspect the additional measures.
CSP Implementation Tips:
AWS: Fully inherited
Azure: Fully inherited
GCP: Fully inherited