PE-02-727 Physical Access Authorizations

Physical and Environmental Protection
Protect
Physical and Environmental Protection
LOW, MOD, HIGH
P1
Yes
January 29, 2016

Information resource owners with responsibility over infrastructure equipment shall:
a. Establish a policy identifying positions or roles with authorized access to the facility where the information resource resides;
b. Develop, approve, and maintain, in a system of record as determined by the chief information security officer, a list of individuals based on the identified positions or roles with authorized access to the facility where the information resource resides;
c. Issue authorization credentials for facility access;
d. Review the access list detailing authorized facility access by individuals at least annually;
e. Remove individuals from the facility access list when access is no longer required; and
f. Restrict unescorted access to the facility where the information resource resides to personnel with a formal access authorization for all information contained within the resources in the facility.

Unauthorized parties gain physical access to facilities due to insufficient physical entry controls.
The organization:
a. Develops, approves, and maintains a list of individuals with authorized access to the facility where the information system resides;
b. Issues authorization credentials for facility access;
c. Reviews the access list detailing authorized facility access by individuals [Assignment: organization-defined frequency]; and
d. Removes individuals from the facility access list when access is no longer required.
Only accepted personnel may enter secured areas.
The state organization develops and keeps current a list of personnel with authorized access to the facility where the information system resides (except for those areas within the facility officially designated as publicly accessible) and issues appropriate authorization credentials.
Obtain physical and environmental protection policy; procedures addressing physical access authorizations; authorized personnel access list; authorization credentials; other relevant documents or records and ascertain if:
(i) the organization identifies areas within the facility that are publicly accessible;
(ii) the organization defines in the security plan, explicitly or by reference, the frequency of review and approval for the physical access list and authorization credentials for the facility, and the frequency is at least annually;
(iii) the organization develops and keeps current lists of personnel with authorized access to the facility where the information system resides (except for those areas within the facility officially designated as publicly accessible);
(iv) the organization issues appropriate authorization credentials (e.g., badges, identification cards, smart cards); and
(v) designated officials within the organization review and approve the access list and authorization credentials in accordance with organization-defined frequency.