03.10.01: Physical Access Authorizations
Control Family: Physical Protection
SPRS: N/A
Top Ten Failed Requirement: N/A
Supporting Publications: N/A
Referenced in: N/A
Control Type: N/A
CPCSC Level 2: 03.10.01
CMMC Level(s): N/A
Derived From: NIST SP 800-53r5 PE-02
Requirement:
a. Develop, approve, and maintain a list of individuals with authorized access to the facility where the system resides.
b. Issue authorization credentials for facility access.
c. Review the facility access list [Assignment: organization-defined frequency].
d. Remove individuals from the facility access list when access is no longer required.
Discussion:
A facility can include one or more physical locations containing systems or system components that process, store, or transmit CUI. Physical access authorizations apply to employees and visitors. Individuals with permanent physical access authorization credentials are not considered visitors. Authorization credentials include identification badges, identification cards, and smart cards. Organizations determine the strength of the authorization credentials consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines. Physical access authorizations may not be necessary to access certain areas within facilities that are designated as publicly accessible.
Assessment Methods and Objectives
Examine [SELECT FROM: physical protection policy and procedures; procedures for physical access authorizations; authorized personnel access list; physical access list reviews; physical access termination records; authorization credentials; system security plan; other relevant documents or records]
Interview [SELECT FROM: personnel with physical access authorization responsibilities; personnel with physical access to the facility where the system resides; personnel with information security responsibilities]
Test [SELECT FROM: processes for physical access authorizations; mechanisms for supporting or implementing physical access authorizations]
NIST SP 800-171A r3 Determining Statements
Determine if:
A.03.10.01.ODP[01]: the frequency at which to review the access list detailing authorized facility access by individuals is defined.
A.03.10.01.a[01]: a list of individuals with authorized access to the facility where the system resides is developed.
A.03.10.01.a[02]: a list of individuals with authorized access to the facility where the system resides is approved.
A.03.10.01.a[03]: a list of individuals with authorized access to the facility where the system resides is maintained.
A.03.10.01.b: authorization credentials for facility access are issued.
A.03.10.01.c: the facility access list is reviewed <A.03.10.01.ODP[01]: frequency>.
A.03.10.01.d: individuals from the facility access list are removed when access is no longer required.