Network Access and Perimeter Controls, Physical and Environmental Protection
LOW, MOD, HIGH
P1
Yes
January 29, 2016
All personnel working within facilities containing infrastructure equipment are responsible for enforcing physical access authorizations. Personnel accomplish this by:
a. Verifying individual access authorizations before granting access to the facility;
b. Controlling ingress to the facility using key control or other authorization credentials;
c. Securing keys, combinations, and other physical access devices; and
d. Escorting visitors and monitoring visitor activity at all times while within the facility.
Information resource owners with responsibility over infrastructure equipment shall:
a. Maintain physical access audit logs for all facilities containing infrastructure equipment;
b. Provide compensating controls such as lockable casings or tamper protection to physically protect information resources within areas designated as publicly accessible;
c. Inventory keys and other authorization credentials at least annually; and
d. Change combinations at least annually, and change combinations and keys when keys are lost, combinations are compromised, or individuals are transferred or terminated.
Unauthorized parties gain physical access to facilities due to insufficient physical perimeter controls.
The organization:
a. Enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system resides] by:
1. Verifying individual access authorizations before granting access to the facility; and
2. Controlling ingress/egress to the facility using [Selection (one or more): [Assignment: organization-defined physical access control systems/devices]; guards];
b. Maintains physical access audit logs for [Assignment: organization-defined entry/exit points];
c. Provides [Assignment: organization-defined security safeguards] to control access to areas within the facility officially designated as publicly accessible;
d. Escorts visitors and monitors visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and monitoring];
e. Secures keys, combinations, and other physical access devices;
f. Inventories [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and
g. Changes combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated.
Individuals may access individually secured areas using an approved, issued electronic access badge.
The state organization controls all physical access points (including designated entry/exit points) to the facility where the information system resides (except for those areas within the facility officially designated as publicly accessible) and verifies individual access authorizations before granting access to the facility.
Obtain physical and environmental protection policy; procedures addressing physical access control; physical access control logs or records; maintenance records; records of key and lock combination changes; storage locations for keys and access devices; FIPS 201; NIST Special Publications 800-73, 800-76, and 800-78; information system design documentation; other relevant documents or records and ascertain if:
(i) the organization controls all physical access points (including designated entry/exit points) to the facility where the information system resides (except for those areas within the facility officially designated as publicly accessible);
(ii) the organization verifies individual access authorizations before granting access to the facility;
(iii) the organization also controls access to areas officially designated as publicly accessible, as appropriate, in accordance with the organization's assessment of risk;
(iv) the organization uses physical access devices (e.g., keys, locks, combinations, card readers) and/or guards to control entry to facilities containing information systems;
(v) the organization secures and regularly inventories keys, combinations, and other access devices;
(vi) the organization changes combinations and keys periodically, and when keys are lost, combinations are compromised, or individuals are transferred or terminated;
(vii) the access control system is consistent with FIPS 201 and NIST Special Publication 800-73 (where the federal Personal Identity Verification (PIV) credential is used as an identification token and token-based access control is employed);
(viii) the access control system is consistent with NIST Special Publication 800-78 (where the token-based access control function employs cryptographic verification); and
(ix) the access control system is consistent with NIST Special Publication 800-76 (where the token-based access control function employs biometric verification).