NIST 800-171 - Physical Access Authorization (3.10.1)

Overview:
Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.

Action Items:
3.10.1[a]
Determine if: authorized individuals allowed physical access are identified.

3.10.1[b]
Determine if: physical access to organizational systems is limited to authorized individuals.

3.10.1[c]
Determine if: physical access to equipment is limited to authorized individuals.

3.10.1[d]
Determine if: physical access to operating environments is limited to authorized individuals.

POTENTIAL ASSESSMENT METHODS AND OBJECTS

1
Examine: Physical and environmental protection policy; procedures addressing physical access authorizations; system security plan; authorized personnel access list; authorization credentials; physical access list reviews; physical access termination records and associated documentation; other relevant documents or records].

2
Interview: Personnel with physical access authorization responsibilities; personnel with physical access to system facility; personnel with information security responsibilities].

3
Test: Organizational processes for physical access authorizations; mechanisms supporting or implementing physical access authorizations].

Related Documents (document name and content will vary by organization):
1) Physical and environmental protection policy
2) procedures addressing physical access authorizations
3) system security plan
4) authorized personnel access list
5) authorization credentials
6) physical access list reviews
7) physical access termination records and associated documentation
8) other relevant documents or records

Additional Guidance:
This requirement applies to organizational employees, individuals with permanent physical access authorization credentials, and visitors. Authorization credentials include, for example, badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed consistent with applicable laws, directives, policies, regulations, standards, procedures, and guidelines. This requirement applies only to areas within facilities that have not been designated as publicly accessible.

Limiting physical access to equipment may include, for example, placing equipment in locked rooms or other secured areas and allowing access to authorized individuals only, and placing equipment in locations that can be monitored by organizational personnel. Computing devices, external hard disk drives, networking devices, monitors, printers, copiers, scanners, facsimile machines, and audio devices are examples of equipment.