This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization:
a. Maintains visitor access records to the facility where the information system resides for [FedRAMP Assignment: (L) (M) (H) for a minimum of one (1) year]; and
b. Reviews visitor access records [FedRAMP Assignment: (L) (M) (H) at least monthly].
NIST 800-53 (r4) Supplemental Guidance:
Visitor access records include, for example, names and organizations of persons visiting, visitor signatures, forms of identification, dates of access, entry and departure times, purposes of visits, and names and organizations of persons visited. Visitor access records are not required for publicly accessible areas.
NIST 800-53 (r5) Discussion:
Visitor access records include the names and organizations of individuals visiting, visitor signatures, forms of identification, dates of access, entry and departure times, purpose of visits, and the names and organizations of individuals visited. Access record reviews determine if access authorizations are current and are still required to support organizational mission and business functions. Access records are not required for publicly accessible areas.
38North Guidance:
Meets Minimum Requirement:
Maintain a visitor access record system for a minimum of one (1) year.
Review visitor access records at least monthly.
Document each review so that the review itself can later be reviewed and evidenced.
Best Practice:
Maintain records electronically, tied to photos taken onsite.
Use an electronic review system to flag repeated or suspicious access.
Collect all the requested information in the supplemental guidance.
Unofficial FedRAMP Guidance:
TBD
Assessment Evidence:
Review documentation describing policies and procedures pertaining to visitor access.
Review visitor access records to ensure that they are completed (including name, date, time in, time out, and signature) and maintained for at least one (1) year.
Interview personnel to validate that visitor access processes are completed.
Review documentation to validate the reviews occur on time.
Test the process by attempting to gain access to the facility.
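As an added illustration of the monthly review and of the assessor's completeness check above (example code, not part of this guidance page or of any CSP's tooling), the script below checks each record for the fields the supplemental guidance lists, confirms the log reaches back over the one-year retention period, and flags repeated access within the review window; the field names, the repeat threshold and the sample log are constructed assumptions.

```python
from collections import Counter
from datetime import date, timedelta

# Fields the NIST supplemental guidance lists for a visitor access record (assumed key names).
REQUIRED_FIELDS = ("name", "organization", "signature", "id_type", "date",
                   "time_in", "time_out", "purpose", "host")
RETENTION_DAYS = 365       # FedRAMP: records kept for at least one year
REVIEW_WINDOW_DAYS = 31    # FedRAMP: reviewed at least monthly
REPEAT_THRESHOLD = 3       # assumed local threshold for "repeated access"

def record_problems(rec):
    """Completeness check for one record; returns a list of problems (empty if complete)."""
    problems = [f"missing {f}" for f in REQUIRED_FIELDS if not rec.get(f)]
    # Zero-padded 24h "HH:MM" strings compare correctly as text.
    if rec.get("time_in") and rec.get("time_out") and rec["time_out"] <= rec["time_in"]:
        problems.append("time_out not after time_in")
    return problems

def monthly_review(records, today):
    """Run the monthly review over a list of record dicts; returns a list of findings."""
    findings = []
    for i, rec in enumerate(records):
        for p in record_problems(rec):
            findings.append(f"record {i}: {p}")
    # Retention: the log should reach back at least one year (a facility newer
    # than that is confirmed manually by the reviewer).
    dates = [r["date"] for r in records if r.get("date")]
    if dates and min(dates) > today - timedelta(days=RETENTION_DAYS):
        findings.append("log does not cover the one-year retention period")
    # Repeated access by the same visitor inside the review window.
    window_start = today - timedelta(days=REVIEW_WINDOW_DAYS)
    recent = [r for r in records if r.get("date") and r["date"] >= window_start]
    counts = Counter((r.get("name"), r.get("organization")) for r in recent)
    for (name, org), n in counts.items():
        if n >= REPEAT_THRESHOLD:
            findings.append(f"repeated access: {name} ({org}) visited {n} times in window")
    return findings

# Constructed sample log: four complete visits plus one missing a departure time.
def make_visit(name, org, d, t_in, t_out, host, purpose="vendor maintenance"):
    return {"name": name, "organization": org, "signature": "on file", "id_type": "driver licence",
            "date": d, "time_in": t_in, "time_out": t_out, "purpose": purpose, "host": host}

SAMPLE_TODAY = date(2024, 6, 30)
SAMPLE_LOG = [
    make_visit("A. Visitor", "Vendor Co", date(2023, 6, 1), "09:00", "11:30", "J. Host"),
    make_visit("A. Visitor", "Vendor Co", date(2024, 6, 3), "09:00", "11:30", "J. Host"),
    make_visit("A. Visitor", "Vendor Co", date(2024, 6, 10), "13:00", "15:00", "J. Host"),
    make_visit("A. Visitor", "Vendor Co", date(2024, 6, 17), "13:00", "15:00", "J. Host"),
    make_visit("B. Visitor", "Audit LLC", date(2024, 6, 20), "10:00", "", "K. Host"),
]

if __name__ == "__main__":
    for line in monthly_review(SAMPLE_LOG, SAMPLE_TODAY):
        print(line)
```

Each finding is meant to be attached to the dated review record so the review itself is evidenced, as the guidance above requires.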
CSP Implementation Tips:
AWS: Fully inherited
Azure: Fully inherited
GCP: Fully inherited