03.10.07: Physical Access Control

Control Family: Physical Protection

SPRS: N/A

Top Ten Failed Requirement: N/A

Supporting Publications:

  • N/A

Referenced in: N/A

Control Type: N/A

CPCSC Level 2: 03.10.07

CMMC Level(s): N/A

Derived From: NIST SP 800-53r5

  • PE-03

  • PE-05

a. Enforce physical access authorizations at entry and exit points to the facility where the system resides by:

1. Verifying individual physical access authorizations before granting access to the facility and

2. Controlling ingress and egress with physical access control systems, devices, or guards.

b. Maintain physical access audit logs for entry or exit points.

c. Escort visitors, and control visitor activity.

d. Secure keys, combinations, and other physical access devices.

e. Control physical access to output devices to prevent unauthorized individuals from obtaining access to CUI.

Discussion:

This requirement addresses physical locations containing systems or system components that process, store, or transmit CUI. Organizations determine the types of guards needed, including professional security staff or administrative staff. Physical access devices include keys, locks, combinations, biometric readers, and card readers. Physical access control systems comply with applicable laws, Executive Orders, directives, policies, regulations, standards, and guidelines. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural, automated, or some combination thereof. Physical access points can include exterior access points, interior access points to systems that require supplemental access controls, or both. Physical access control applies to employees and visitors. Individuals with permanent physical access authorizations are not considered visitors.

Controlling physical access to output devices includes placing output devices in locked rooms or other secured areas with keypad or card reader access controls and only allowing access to authorized individuals, placing output devices in locations that can be monitored by personnel, installing monitor or screen filters, and using headphones. Examples of output devices include monitors, printers, scanners, facsimile machines, audio devices, and copiers.

Assessment Methods and Objectives

Examine [SELECT FROM: physical protection policy and procedures; procedures for physical access control; physical access control logs or records; inventory records of physical access control devices; system entry and exit points; records of key and lock combination changes; storage locations for physical access control devices; physical access control devices; list of security safeguards controlling access to designated publicly accessible areas within facility; system security plan; other relevant documents or records]

Interview [SELECT FROM: personnel with physical access control responsibilities; personnel with information security responsibilities]

Test [SELECT FROM: processes for physical access control; mechanisms for supporting or implementing physical access control; physical access control devices]

NIST SP 800-171A r3 Determining Statements

Determine if:

A.03.10.07.a.01: physical access authorizations are enforced at entry and exit points to the facility where the system resides by verifying individual physical access authorizations before granting access.

A.03.10.07.a.02: physical access authorizations are enforced at entry and exit points to the facility where the system resides by controlling ingress and egress with physical access control systems, devices, or guards.

A.03.10.07.b: physical access audit logs for entry or exit points are maintained.

A.03.10.07.c[01]: visitors are escorted.

A.03.10.07.c[02]: visitor activity is controlled.

A.03.10.07.d: keys, combinations, and other physical access devices are secured.

A.03.10.07.e: physical access to output devices is controlled to prevent unauthorized individuals from obtaining access to CUI.