Develop, document, and disseminate to organization-defined personnel or roles:
one or more,Organization-level,Mission/business process-level,System-level physical and environmental protection policy that:
Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
Procedures to facilitate the implementation of the physical and environmental protection policy and the associated physical and environmental protection controls;
Designate an organization-defined official to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures; and
Review and update the current physical and environmental protection:
Policy organization-defined frequency and following organization-defined events; and
Procedures organization-defined frequency and following organization-defined events.
Develop, approve, and maintain a list of individuals with authorized access to the facility where the system resides;
Issue authorization credentials for facility access;
Review the access list detailing authorized facility access by individuals organization-defined frequency; and
Remove individuals from the facility access list when access is no longer required.
Physical access authorizations apply to employees and visitors. Individuals with permanent physical access authorization credentials are not considered visitors. Authorization credentials include ID badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Physical access authorizations may not be necessary to access certain areas within facilities that are designated as publicly accessible.
Enforce physical access authorizations at organization-defined entry and exit points to the facility where the system resides by:
Verifying individual access authorizations before granting access to the facility; and
Controlling ingress and egress to the facility using one or more, organization-defined physical access control systems or devices ,guards;
Maintain physical access audit logs for organization-defined entry or exit points;
Control access to areas within the facility designated as publicly accessible by implementing the following controls: organization-defined physical access controls;
Escort visitors and control visitor activity organization-defined circumstances requiring visitor escorts and control of visitor activity;
Secure keys, combinations, and other physical access devices;
Inventory organization-defined physical access devices every organization-defined frequency; and
Change combinations and keys organization-defined frequency and/or when keys are lost, combinations are compromised, or when individuals possessing the keys or combinations are transferred or terminated.
Physical access control applies to employees and visitors. Individuals with permanent physical access authorizations are not considered visitors. Physical access controls for publicly accessible areas may include physical access control logs/records, guards, or physical access devices and barriers to prevent movement from publicly accessible areas to non-public areas. Organizations determine the types of guards needed, including professional security staff, system users, or administrative staff. Physical access devices include keys, locks, combinations, biometric readers, and card readers. Physical access control systems comply with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural, automated, or some combination thereof. Physical access points can include facility access points, interior access points to systems that require supplemental access controls, or both. Components of systems may be in areas designated as publicly accessible with organizations controlling access to the components.
Control physical access to organization-defined system distribution and transmission lines within organizational facilities using organization-defined security controls.
Security controls applied to system distribution and transmission lines prevent accidental damage, disruption, and physical tampering. Such controls may also be necessary to prevent eavesdropping or modification of unencrypted transmissions. Security controls used to control physical access to system distribution and transmission lines include disconnected or locked spare jacks, locked wiring closets, protection of cabling by conduit or cable trays, and wiretapping sensors.
Control physical access to output from organization-defined output devices to prevent unauthorized individuals from obtaining the output.
Controlling physical access to output devices includes placing output devices in locked rooms or other secured areas with keypad or card reader access controls and allowing access to authorized individuals only, placing output devices in locations that can be monitored by personnel, installing monitor or screen filters, and using headphones. Examples of output devices include monitors, printers, scanners, audio devices, facsimile machines, and copiers.
Monitor physical access to the facility where the system resides to detect and respond to physical security incidents;
Review physical access logs organization-defined frequency and upon occurrence of organization-defined events or potential indications of events; and
Coordinate results of reviews and investigations with the organizational incident response capability.
Physical access monitoring includes publicly accessible areas within organizational facilities. Examples of physical access monitoring include the employment of guards, video surveillance equipment (i.e., cameras), and sensor devices. Reviewing physical access logs can help identify suspicious activity, anomalous events, or potential threats. The reviews can be supported by audit logging controls, such as #au-2(#au-2), if the access logs are part of an automated system. Organizational incident response capabilities include investigations of physical security incidents and responses to the incidents. Incidents include security violations or suspicious physical access activities. Suspicious physical access activities include accesses outside of normal work hours, repeated accesses to areas not normally accessed, accesses for unusual lengths of time, and out-of-sequence accesses.
Maintain visitor access records to the facility where the system resides for organization-defined time period;
Review visitor access records organization-defined frequency; and
Report anomalies in visitor access records to organization-defined personnel.
Visitor access records include the names and organizations of individuals visiting, visitor signatures, forms of identification, dates of access, entry and departure times, purpose of visits, and the names and organizations of individuals visited. Access record reviews determine if access authorizations are current and are still required to support organizational mission and business functions. Access records are not required for publicly accessible areas.
Protect power equipment and power cabling for the system from damage and destruction.
Organizations determine the types of protection necessary for the power equipment and cabling employed at different locations that are both internal and external to organizational facilities and environments of operation. Types of power equipment and cabling include internal cabling and uninterruptable power sources in offices or data centers, generators and power cabling outside of buildings, and power sources for self-contained components such as satellites, vehicles, and other deployable systems.
Provide the capability of shutting off power to organization-defined system or individual system components in emergency situations;
Place emergency shutoff switches or devices in organization-defined location by system or system component to facilitate access for authorized personnel; and
Protect emergency power shutoff capability from unauthorized activation.
Emergency power shutoff primarily applies to organizational facilities that contain concentrations of system resources, including data centers, mainframe computer rooms, server rooms, and areas with computer-controlled machinery.
Provide an uninterruptible power supply to facilitate one or more,an orderly shutdown of the system,transition of the system to long-term alternate power in the event of a primary power source loss.
An uninterruptible power supply (UPS) is an electrical system or mechanism that provides emergency power when there is a failure of the main power source. A UPS is typically used to protect computers, data centers, telecommunication equipment, or other electrical equipment where an unexpected power disruption could cause injuries, fatalities, serious mission or business disruption, or loss of data or information. A UPS differs from an emergency power system or backup generator in that the UPS provides near-instantaneous protection from unanticipated power interruptions from the main power source by providing energy stored in batteries, supercapacitors, or flywheels. The battery duration of a UPS is relatively short but provides sufficient time to start a standby power source, such as a backup generator, or properly shut down the system.
Employ and maintain automatic emergency lighting for the system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility.
The provision of emergency lighting applies primarily to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Emergency lighting provisions for the system are described in the contingency plan for the organization. If emergency lighting for the system fails or cannot be provided, organizations consider alternate processing sites for power-related contingencies.
Employ and maintain fire detection and suppression systems that are supported by an independent energy source.
The provision of fire detection and suppression systems applies primarily to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Fire detection and suppression systems that may require an independent energy source include sprinkler systems and smoke detectors. An independent energy source is an energy source, such as a microgrid, that is separate, or can be separated, from the energy sources providing power for the other parts of the facility.
Maintain one or more,temperature,humidity,pressure,radiation, organization-defined environmental control levels within the facility where the system resides at organization-defined acceptable levels; and
Monitor environmental control levels organization-defined frequency.
The provision of environmental controls applies primarily to organizational facilities that contain concentrations of system resources (e.g., data centers, mainframe computer rooms, and server rooms). Insufficient environmental controls, especially in very harsh environments, can have a significant adverse impact on the availability of systems and system components that are needed to support organizational mission and business functions.
Protect the system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel.
The provision of water damage protection primarily applies to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Isolation valves can be employed in addition to or in lieu of master shutoff valves to shut off water supplies in specific areas of concern without affecting entire organizations.
Authorize and control organization-defined types of system components entering and exiting the facility; and
Maintain records of the system components.
Enforcing authorizations for entry and exit of system components may require restricting access to delivery areas and isolating the areas from the system and media libraries.
Determine and document the organization-defined alternate work sites allowed for use by employees;
Employ the following controls at alternate work sites: organization-defined controls;
Assess the effectiveness of controls at alternate work sites; and
Provide a means for employees to communicate with information security and privacy personnel in case of incidents.
Alternate work sites include government facilities or the private residences of employees. While distinct from alternative processing sites, alternate work sites can provide readily available alternate locations during contingency operations. Organizations can define different sets of controls for specific alternate work sites or types of sites depending on the work-related activities conducted at the sites. Implementing and assessing the effectiveness of organization-defined controls and providing a means to communicate incidents at alternate work sites supports the contingency planning activities of organizations.
Position system components within the facility to minimize potential damage from organization-defined physical and environmental hazards and to minimize the opportunity for unauthorized access.
Physical and environmental hazards include floods, fires, tornadoes, earthquakes, hurricanes, terrorism, vandalism, an electromagnetic pulse, electrical interference, and other forms of incoming electromagnetic radiation. Organizations consider the location of entry points where unauthorized individuals, while not being granted access, might nonetheless be near systems. Such proximity can increase the risk of unauthorized access to organizational communications using wireless packet sniffers or microphones, or unauthorized disclosure of information.
Protect the system from information leakage due to electromagnetic signals emanations.
Information leakage is the intentional or unintentional release of data or information to an untrusted environment from electromagnetic signals emanations. The security categories or classifications of systems (with respect to confidentiality), organizational security policies, and risk tolerance guide the selection of controls employed to protect systems against information leakage due to electromagnetic signals emanations.
Employ organization-defined asset location technologies to track and monitor the location and movement of organization-defined assets within organization-defined controlled areas.
Asset location technologies can help ensure that critical assets?including vehicles, equipment, and system components?remain in authorized locations. Organizations consult with the Office of the General Counsel and senior agency official for privacy regarding the deployment and use of asset location technologies to address potential privacy concerns.
Employ organization-defined protective measures against electromagnetic pulse damage for organization-defined systems and system components.
An electromagnetic pulse (EMP) is a short burst of electromagnetic energy that is spread over a range of frequencies. Such energy bursts may be natural or man-made. EMP interference may be disruptive or damaging to electronic equipment. Protective measures used to mitigate EMP risk include shielding, surge suppressors, ferro-resonant transformers, and earth grounding. EMP protection may be especially significant for systems and applications that are part of the U.S. critical infrastructure.
Mark organization-defined system hardware components indicating the impact level or classification level of the information permitted to be processed, stored, or transmitted by the hardware component.
Hardware components that may require marking include input and output devices. Input devices include desktop and notebook computers, keyboards, tablets, and smart phones. Output devices include printers, monitors/video displays, facsimile machines, scanners, copiers, and audio devices. Permissions controlling output to the output devices are addressed in #ac-3(#ac-3) or #ac-4(#ac-4). Components are marked to indicate the impact level or classification level of the system to which the devices are connected, or the impact level or classification level of the information permitted to be output. Security marking refers to the use of human-readable security attributes. Security labeling refers to the use of security attributes for internal system data structures. Security marking is generally not required for hardware components that process, store, or transmit information determined by organizations to be in the public domain or to be publicly releasable. However, organizations may require markings for hardware components that process, store, or transmit public information in order to indicate that such information is publicly releasable. Marking of system hardware components reflects applicable laws, executive orders, directives, policies, regulations, and standards.
Plan the location or site of the facility where the system resides considering physical and environmental hazards; and
For existing facilities, consider the physical and environmental hazards in the organizational risk management strategy.
Physical and environmental hazards include floods, fires, tornadoes, earthquakes, hurricanes, terrorism, vandalism, an electromagnetic pulse, electrical interference, and other forms of incoming electromagnetic radiation. The location of system components within the facility is addressed in #pe-18(#pe-18).