Develop, document, and disseminate to organization-defined personnel or roles:
one or more,Organization-level,Mission/business process-level,System-level physical and environmental protection policy that:
Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
Procedures to facilitate the implementation of the physical and environmental protection policy and the associated physical and environmental protection controls;
Designate an organization-defined official to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures; and
Review and update the current physical and environmental protection:
Policy organization-defined frequency and following organization-defined events; and
Procedures organization-defined frequency and following organization-defined events.
Develop, approve, and maintain a list of individuals with authorized access to the facility where the system resides;
Issue authorization credentials for facility access;
Review the access list detailing authorized facility access by individuals organization-defined frequency; and
Remove individuals from the facility access list when access is no longer required.
Physical access authorizations apply to employees and visitors. Individuals with permanent physical access authorization credentials are not considered visitors. Authorization credentials include ID badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Physical access authorizations may not be necessary to access certain areas within facilities that are designated as publicly accessible.
Enforce physical access authorizations at organization-defined entry and exit points to the facility where the system resides by:
Verifying individual access authorizations before granting access to the facility; and
Controlling ingress and egress to the facility using one or more, organization-defined physical access control systems or devices ,guards;
Maintain physical access audit logs for organization-defined entry or exit points;
Control access to areas within the facility designated as publicly accessible by implementing the following controls: organization-defined physical access controls;
Escort visitors and control visitor activity organization-defined circumstances requiring visitor escorts and control of visitor activity;
Secure keys, combinations, and other physical access devices;
Inventory organization-defined physical access devices every organization-defined frequency; and
Change combinations and keys organization-defined frequency and/or when keys are lost, combinations are compromised, or when individuals possessing the keys or combinations are transferred or terminated.
Physical access control applies to employees and visitors. Individuals with permanent physical access authorizations are not considered visitors. Physical access controls for publicly accessible areas may include physical access control logs/records, guards, or physical access devices and barriers to prevent movement from publicly accessible areas to non-public areas. Organizations determine the types of guards needed, including professional security staff, system users, or administrative staff. Physical access devices include keys, locks, combinations, biometric readers, and card readers. Physical access control systems comply with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural, automated, or some combination thereof. Physical access points can include facility access points, interior access points to systems that require supplemental access controls, or both. Components of systems may be in areas designated as publicly accessible with organizations controlling access to the components.
Monitor physical access to the facility where the system resides to detect and respond to physical security incidents;
Review physical access logs organization-defined frequency and upon occurrence of organization-defined events or potential indications of events; and
Coordinate results of reviews and investigations with the organizational incident response capability.
Physical access monitoring includes publicly accessible areas within organizational facilities. Examples of physical access monitoring include the employment of guards, video surveillance equipment (i.e., cameras), and sensor devices. Reviewing physical access logs can help identify suspicious activity, anomalous events, or potential threats. The reviews can be supported by audit logging controls, such as #au-2(#au-2), if the access logs are part of an automated system. Organizational incident response capabilities include investigations of physical security incidents and responses to the incidents. Incidents include security violations or suspicious physical access activities. Suspicious physical access activities include accesses outside of normal work hours, repeated accesses to areas not normally accessed, accesses for unusual lengths of time, and out-of-sequence accesses.
Maintain visitor access records to the facility where the system resides for organization-defined time period;
Review visitor access records organization-defined frequency; and
Report anomalies in visitor access records to organization-defined personnel.
Visitor access records include the names and organizations of individuals visiting, visitor signatures, forms of identification, dates of access, entry and departure times, purpose of visits, and the names and organizations of individuals visited. Access record reviews determine if access authorizations are current and are still required to support organizational mission and business functions. Access records are not required for publicly accessible areas.
Employ and maintain automatic emergency lighting for the system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility.
The provision of emergency lighting applies primarily to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Emergency lighting provisions for the system are described in the contingency plan for the organization. If emergency lighting for the system fails or cannot be provided, organizations consider alternate processing sites for power-related contingencies.
Employ and maintain fire detection and suppression systems that are supported by an independent energy source.
The provision of fire detection and suppression systems applies primarily to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Fire detection and suppression systems that may require an independent energy source include sprinkler systems and smoke detectors. An independent energy source is an energy source, such as a microgrid, that is separate, or can be separated, from the energy sources providing power for the other parts of the facility.
Maintain one or more,temperature,humidity,pressure,radiation, organization-defined environmental control levels within the facility where the system resides at organization-defined acceptable levels; and
Monitor environmental control levels organization-defined frequency.
The provision of environmental controls applies primarily to organizational facilities that contain concentrations of system resources (e.g., data centers, mainframe computer rooms, and server rooms). Insufficient environmental controls, especially in very harsh environments, can have a significant adverse impact on the availability of systems and system components that are needed to support organizational mission and business functions.
Protect the system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel.
The provision of water damage protection primarily applies to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Isolation valves can be employed in addition to or in lieu of master shutoff valves to shut off water supplies in specific areas of concern without affecting entire organizations.
Authorize and control organization-defined types of system components entering and exiting the facility; and
Maintain records of the system components.
Enforcing authorizations for entry and exit of system components may require restricting access to delivery areas and isolating the areas from the system and media libraries.