Skip to Content

NIST 800-171 - Visitor Escorts (3.10.3)

182  Matthew Burdick September 26, 2022  Physical Protection
Overview:

Escort visitors and monitor visitor activity.

Action Items:

3.10.3[a]
Determine if: visitors are escorted.

3.10.3[b]
Determine if: visitor activity is monitored.

POTENTIAL ASSESSMENT METHODS AND OBJECTS

1
Examine: Physical and environmental protection policy; procedures addressing physical access control; system security plan; physical access control logs or records; inventory records of physical access control devices; system entry and exit points; records of key and lock combination changes; storage locations for physical access control devices; physical access control devices; list of security safeguards controlling access to designated publicly accessible areas within facility; other relevant documents or records].

2
Interview: Personnel with physical access control responsibilities; personnel with information security responsibilities].

3
Test: Organizational processes for physical access control; mechanisms supporting or implementing physical access control; physical access control devices].

Related Documents (document name and content will vary by organization):

1) Physical and environmental protection policy
2) procedures addressing physical access control
3) system security plan
4) physical access control logs or records
5) inventory records of physical access control devices
6) system entry and exit points
7) records of key and lock combination changes
8) storage locations for physical access control devices
9) physical access control devices
10) list of security safeguards controlling access to designated publicly accessible areas within facility
11) other relevant documents or records

Additional Guidance:

This requirement applies to employees and visitors. Individuals with permanent physical access authorization credentials are not considered visitors. Organizations determine the types of facility guards needed including, for example, professional security staff or administrative staff or system users. Physical access control systems comply with applicable laws, Executive Orders, directives, policies, regulations, and standards. Audit logs can be used to monitor visitor activity.

 
Not Rated
Secure Code