Doc:NIST SP 800-53Ar1 Appendix F/Enhanced/PE/Moderate

From FISMApedia

NIST SP 800-53Ar1 Assessment Procedure Catalog, with SP 800-53r3 Security Controls


PHYSICAL AND ENVIRONMENTAL PROTECTION

PE-1 PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES


FAMILY: PHYSICAL AND ENVIRONMENTAL PROTECTION
CLASS: OPERATIONAL


Security Control Baseline:
PE-1 Physical and Environmental Protection Policy and Procedures; P1; LOW: PE-1; MOD: PE-1; HIGH: PE-1


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/PE-1


ASSESSMENT PROCEDURE
PE-1 PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES
PE-1.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops and formally documents physical and environmental protection policy;
(ii) the organization physical and environmental protection policy addresses:
(iii) the organization disseminates formal documented physical and environmental protection policy to elements within the organization having associated physical and environmental protection roles and responsibilities;
(iv) the organization develops and formally documents physical and environmental protection procedures;
(v) the organization physical and environmental protection procedures facilitate implementation of the physical and environmental protection policy and associated physical and environmental protection controls; and
(vi) the organization disseminates formal documented physical and environmental protection procedures to elements within the organization having associated physical and environmental protection roles and responsibilities.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy and procedures; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with physical and environmental protection responsibilities].
PE-1.2 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the frequency of physical and environmental protection policy reviews/updates;
(ii) the organization reviews/updates physical and environmental protection policy in accordance with organization-defined frequency;
(iii) the organization defines the frequency of physical and environmental protection procedure reviews/updates;
(iv) the organization reviews/updates physical and environmental protection procedures in accordance with organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy and procedures; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with physical and environmental protection responsibilities].


PE-2 PHYSICAL ACCESS AUTHORIZATIONS


FAMILY: PHYSICAL AND ENVIRONMENTAL PROTECTION
CLASS: OPERATIONAL


Security Control Baseline:
PE-2 Physical Access Authorizations; P1; LOW: PE-2; MOD: PE-2; HIGH: PE-2


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/PE-2


ASSESSMENT PROCEDURE
PE-2 PHYSICAL ACCESS AUTHORIZATIONS
PE-2.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization identifies areas within the facility that are publicly accessible;
(ii) the organization develops and keeps current lists of personnel with authorized access to the facility where the information system resides (except for those areas within the facility officially designated as publicly accessible); and
(iii) the organization issues authorization credentials (e.g., badges, identification cards, smart cards).
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing physical access authorizations; authorized personnel access list; authorization credentials; list of areas that are publicly accessible; other relevant documents or records].


PE-2.2 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the frequency for review and approval of the physical access list and authorization credentials for the facility;
(ii) the organization reviews and approves the access list and authorization credentials in accordance with the organization-defined frequency; and
(iii) the organization removes from the access list personnel no longer requiring access.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing physical access authorizations; security plan; authorized personnel access list; authorization credentials; other relevant documents or records].


PE-3 PHYSICAL ACCESS CONTROL


FAMILY: PHYSICAL AND ENVIRONMENTAL PROTECTION
CLASS: OPERATIONAL


Security Control Baseline:
PE-3 Physical Access Control; P1; LOW: PE-3; MOD: PE-3; HIGH: PE-3 (1)


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/PE-3


ASSESSMENT PROCEDURE
PE-3 PHYSICAL ACCESS CONTROL
PE-3.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization enforces physical access authorizations for all physical access points (including designated entry/exit points) to the facility where the information system resides (excluding those areas within the facility officially designated as publicly accessible);
(ii) the organization verifies individual access authorizations before granting access to the facility;
(iii) the organization controls entry to the facility containing the information system using physical access devices (e.g., keys, locks, combinations, card readers) and/or guards;
(iv) the organization controls access to areas officially designated as publicly accessible in accordance with the organization's assessment of risk; and
(v) the organization secures keys, combinations, and other physical access devices.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing physical access control; physical access control logs or records; information system entry and exit points; storage locations for physical access devices; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with physical access control responsibilities].
Test: [SELECT FROM: Physical access control capability; physical access control devices].
PE-3.2 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the frequency for conducting inventories of physical access devices;
(ii) the organization inventories physical access devices in accordance with the organization-defined frequency;
(iii) the organization defines the frequency of changes to combinations and keys; and
(iv) the organization changes combinations and keys in accordance with the organization-defined frequency, and when keys are lost, combinations are compromised, or individuals are transferred or terminated.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing physical access control; security plan; physical access control logs or records; inventory records of physical access devices; records of key and lock combination changes; storage locations for physical access devices; other relevant documents or records].


Test: [SELECT FROM: Physical access control devices].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/PE-3/1


PE-3(1) PHYSICAL ACCESS CONTROL
PE-3(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization enforces physical access authorizations to the information system independent of the physical access controls for the facility.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing physical access control; physical access control logs or records; information system entry and exit points; list of areas within the facility containing high concentrations of information system components or information system components requiring additional physical protection; other relevant documents or records].



PE-4 ACCESS CONTROL FOR TRANSMISSION MEDIUM


FAMILY: PHYSICAL AND ENVIRONMENTAL PROTECTION
CLASS: OPERATIONAL


Security Control Baseline:
PE-4 Access Control for Transmission Medium; P1; LOW: Not Selected; MOD: PE-4; HIGH: PE-4


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/PE-4


ASSESSMENT PROCEDURE
PE-4 ACCESS CONTROL FOR TRANSMISSION MEDIUM
PE-4.1 ASSESSMENT OBJECTIVE:
Determine if the organization controls physical access to information system distribution and transmission lines within organizational facilities.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing access control for transmission medium; information system design documentation; facility communications and wiring diagrams; other relevant documents or records].



PE-5 ACCESS CONTROL FOR OUTPUT DEVICES


FAMILY: PHYSICAL AND ENVIRONMENTAL PROTECTION
CLASS: OPERATIONAL


Security Control Baseline:
PE-5 Access Control for Output Devices; P1; LOW: Not Selected; MOD: PE-5; HIGH: PE-5


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/PE-5


ASSESSMENT PROCEDURE
PE-5 ACCESS CONTROL FOR OUTPUT DEVICES
PE-5.1 ASSESSMENT OBJECTIVE:
Determine if the organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing access control for display medium; facility layout of information system components; actual displays from information system components; other relevant documents or records].



PE-6 MONITORING PHYSICAL ACCESS


FAMILY: PHYSICAL AND ENVIRONMENTAL PROTECTION
CLASS: OPERATIONAL


Security Control Baseline:
PE-6 Monitoring Physical Access; P1; LOW: PE-6; MOD: PE-6 (1); HIGH: PE-6 (1) (2)


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/PE-6


ASSESSMENT PROCEDURE
PE-6 MONITORING PHYSICAL ACCESS
PE-6.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization monitors physical access to the information system to detect and respond to physical security incidents;
(ii) the organization defines the frequency to review physical access logs;
(iii) the organization reviews physical access logs in accordance with the organization-defined frequency; and
(iv) the organization coordinates results of reviews and investigations with the organization's incident response capability.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing physical access monitoring; security plan; physical access logs or records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with physical access monitoring responsibilities].
Test: [SELECT FROM: Physical access monitoring capability].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/PE-6/1


PE-6(1) MONITORING PHYSICAL ACCESS
PE-6(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization monitors real-time physical intrusion alarms and surveillance equipment.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing physical access monitoring; physical intrusion alarm/surveillance equipment logs or records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with physical access monitoring responsibilities].
Test: [SELECT FROM: Physical access monitoring capability].


PE-7 VISITOR CONTROL


FAMILY: PHYSICAL AND ENVIRONMENTAL PROTECTION
CLASS: OPERATIONAL


Security Control Baseline:
PE-7 Visitor Control; P1; LOW: PE-7; MOD: PE-7 (1); HIGH: PE-7 (1)


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/PE-7


ASSESSMENT PROCEDURE
PE-7 VISITOR CONTROL
PE-7.1 ASSESSMENT OBJECTIVE:
Determine if the organization controls physical access to the information system by authenticating visitors before authorizing access to the facility where the information system resides other than areas designated as publicly accessible.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing visitor access control; visitor access control logs or records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with visitor access control responsibilities].
Test: [SELECT FROM: Visitor access control capability].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/PE-7/1


PE-7(1) VISITOR CONTROL
PE-7(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization escorts visitors and monitors visitor activity, when required.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing visitor access control; visitor access control logs or records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with visitor access control responsibilities].


PE-8 ACCESS RECORDS


FAMILY: PHYSICAL AND ENVIRONMENTAL PROTECTION
CLASS: OPERATIONAL


Security Control Baseline:
PE-8 Access Records; P3; LOW: PE-8; MOD: PE-8; HIGH: PE-8 (1) (2)


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/PE-8


ASSESSMENT PROCEDURE
PE-8 ACCESS RECORDS
PE-8.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization maintains visitor access records to the facility where the information system resides (except for those areas within the facility officially designated as publicly accessible);
(ii) the organization defines the frequency to review visitor access records; and
(iii) the organization reviews the visitor access records in accordance with the organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing facility access records; security plan; facility access control records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with responsibilities for reviewing physical access records].



PE-9 POWER EQUIPMENT AND POWER CABLING


FAMILY: PHYSICAL AND ENVIRONMENTAL PROTECTION
CLASS: OPERATIONAL


Security Control Baseline:
PE-9 Power Equipment and Power Cabling; P1; LOW: Not Selected; MOD: PE-9; HIGH: PE-9


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/PE-9


ASSESSMENT PROCEDURE
PE-9 POWER EQUIPMENT AND POWER CABLING
PE-9.1 ASSESSMENT OBJECTIVE:
Determine if the organization protects power equipment and power cabling for the information system from damage and destruction.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing power equipment and cabling protection; facility housing power equipment and cabling; other relevant documents or records].



PE-10 EMERGENCY SHUTOFF


FAMILY: PHYSICAL AND ENVIRONMENTAL PROTECTION
CLASS: OPERATIONAL


Security Control Baseline:
PE-10 Emergency Shutoff; P1; LOW: Not Selected; MOD: PE-10; HIGH: PE-10


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/PE-10


ASSESSMENT PROCEDURE
PE-10 EMERGENCY SHUTOFF
PE-10.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization provides the capability of shutting off power to the information system or individual system components in emergency situations;
(ii) the organization defines the location of emergency shutoff switches or devices by information system or system component;
(iii) the organization places emergency shutoff switches or devices in an organization-defined location by information system or system component to facilitate safe and easy access for personnel; and
(iv) the organization protects the emergency power shutoff capability from unauthorized activation.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing power source emergency shutoff; security plan; emergency shutoff controls or switches; other relevant documents or records].



PE-10(1) EMERGENCY SHUTOFF

[Withdrawn: Incorporated into PE-10].

PE-10(1).1 ASSESSMENT OBJECTIVE:
[Withdrawn: Incorporated into PE-10].
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
[Withdrawn: Incorporated into PE-10].


PE-11 EMERGENCY POWER


FAMILY: PHYSICAL AND ENVIRONMENTAL PROTECTION
CLASS: OPERATIONAL


Security Control Baseline:
PE-11 Emergency Power; P1; LOW: Not Selected; MOD: PE-11; HIGH: PE-11 (1)


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/PE-11


ASSESSMENT PROCEDURE
PE-11 EMERGENCY POWER
PE-11.1 ASSESSMENT OBJECTIVE:
Determine if the organization provides a short-term uninterruptible power supply to facilitate an orderly shutdown of the information system in the event of a primary power source loss.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing emergency power; uninterruptible power supply documentation; uninterruptible power supply test records; other relevant documents or records].
Test: [SELECT FROM: Uninterruptible power supply].


PE-12 EMERGENCY LIGHTING


FAMILY: PHYSICAL AND ENVIRONMENTAL PROTECTION
CLASS: OPERATIONAL


Security Control Baseline:
PE-12 Emergency Lighting; P1; LOW: PE-12; MOD: PE-12; HIGH: PE-12


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/PE-12


ASSESSMENT PROCEDURE
PE-12 EMERGENCY LIGHTING
PE-12.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization employs automatic emergency lighting for the information system that activates in the event of a power outage or disruption;
(ii) the organization employs automatic emergency lighting for the information system that covers emergency exits and evacuation routes within the facility; and
(iii) the organization maintains the automatic emergency lighting for the information system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing emergency lighting; emergency lighting documentation; emergency lighting test records; emergency exits and evacuation routes; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with emergency planning responsibilities].
Test: [SELECT FROM: Emergency lighting capability].


PE-13 FIRE PROTECTION


FAMILY: PHYSICAL AND ENVIRONMENTAL PROTECTION
CLASS: OPERATIONAL


Security Control Baseline:
PE-13 Fire Protection; P1; LOW: PE-13; MOD: PE-13 (1) (2) (3); HIGH: PE-13 (1) (2) (3)


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/PE-13


ASSESSMENT PROCEDURE
PE-13 FIRE PROTECTION
PE-13.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization employs fire suppression and detection devices/systems for the information system that are supported by an independent energy source; and
(ii) the organization maintains fire suppression and detection devices/systems for the information system that are supported by an independent energy source.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing fire protection; fire suppression and detection devices/systems; fire suppression and detection devices/systems documentation; test records of fire suppression and detection devices/systems; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with responsibilities for fire detection and suppression devices/systems].



SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/PE-13/1


PE-13(1) FIRE PROTECTION
PE-13(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs fire detection devices/systems for the information system that, without manual intervention, activate automatically and notify the organization and emergency responders in the event of a fire.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing fire protection; facility housing the information system; alarm service level agreements; test records of fire suppression and detection devices/systems; fire suppression and detection devices/systems documentation; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with responsibilities for fire detection and suppression devices/systems].
Test: [SELECT FROM: Simulated activation of fire detection devices/systems and automated notifications].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/PE-13/2


PE-13(2) FIRE PROTECTION
PE-13(2).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs fire suppression devices/systems for the information system that provide automatic notification of any activation to the organization and emergency responders.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing fire protection; fire suppression and detection devices/systems documentation; facility housing the information system; alarm service level agreements; test records of fire suppression and detection devices/systems; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with responsibilities for fire detection and suppression devices/systems].
Test: [SELECT FROM: Simulated activation of fire suppression devices/systems and automated notifications].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/PE-13/3


PE-13(3) FIRE PROTECTION
PE-13(3).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs an automatic fire suppression capability for the information system when the facility is not staffed on a continuous basis.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing fire protection; facility housing the information system; alarm service level agreements; facility staffing plans; test records of fire suppression and detection devices/systems; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with responsibilities for fire detection and suppression devices/systems].
Test: [SELECT FROM: Simulated activation of fire suppression devices/systems].


PE-14 TEMPERATURE AND HUMIDITY CONTROLS


FAMILY: PHYSICAL AND ENVIRONMENTAL PROTECTION
CLASS: OPERATIONAL


Security Control Baseline:
PE-14 Temperature and Humidity Controls; P1; LOW: PE-14; MOD: PE-14; HIGH: PE-14


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/PE-14


ASSESSMENT PROCEDURE
PE-14 TEMPERATURE AND HUMIDITY CONTROLS
PE-14.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the acceptable temperature and humidity levels within the facility where the information system resides;
(ii) the organization maintains temperature and humidity levels within the facility where the information system resides in accordance with organization-defined acceptable levels;
(iii) the organization defines the frequency to monitor temperature and humidity levels; and
(iv) the organization monitors the temperature and humidity levels within the facility where the information system resides in accordance with the organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing temperature and humidity control; security plan; temperature and humidity controls; facility housing the information system; temperature and humidity controls documentation; temperature and humidity records; other relevant documents or records].



PE-15 WATER DAMAGE PROTECTION


FAMILY: PHYSICAL AND ENVIRONMENTAL PROTECTION
CLASS: OPERATIONAL


Security Control Baseline:
PE-15 Water Damage Protection; P1; LOW: PE-15; MOD: PE-15; HIGH: PE-15 (1)


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/PE-15


ASSESSMENT PROCEDURE
PE-15 WATER DAMAGE PROTECTION
PE-15.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization protects the information system from damage resulting from water leakage by providing master shutoff valves that are accessible and working properly; and
(ii) key personnel within the organization have knowledge of the master water shutoff valves.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing water damage protection; facility housing the information system; master shutoff valves; list of key personnel with knowledge of location and activation procedures for master shutoff valves for the plumbing system; master shutoff valve documentation; other relevant documents or records].
Interview: [SELECT FROM: Organization personnel with physical and environmental protection responsibilities].
Test: [SELECT FROM: Master water-shutoff valves; process for activating master water-shutoff].


PE-16 DELIVERY AND REMOVAL


FAMILY: PHYSICAL AND ENVIRONMENTAL PROTECTION
CLASS: OPERATIONAL


Security Control Baseline:
PE-16 Delivery and Removal; P1; LOW: PE-16; MOD: PE-16; HIGH: PE-16


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/PE-16


ASSESSMENT PROCEDURE
PE-16 DELIVERY AND REMOVAL
PE-16.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the types of information system components to be authorized, monitored, and controlled as such components are entering or exiting the facility;
(ii) the organization authorizes, monitors, and controls organization-defined information system components entering and exiting the facility; and
(iii) the organization maintains records of information system components entering and exiting the facility.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing delivery and removal of information system components from the facility; security plan; facility housing the information system; records of items entering and exiting the facility; other relevant documents or records].
Interview: [SELECT FROM: Organization personnel with responsibilities for controlling information system components entering and exiting the facility].
Test: [SELECT FROM: Process for controlling information system-related items entering and exiting the facility].


PE-17 ALTERNATE WORK SITE


FAMILY: PHYSICAL AND ENVIRONMENTAL PROTECTION
CLASS: OPERATIONAL


Security Control Baseline:
PE-17 Alternate Work Site; P1; LOW: Not Selected; MOD: PE-17; HIGH: PE-17


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/PE-17


ASSESSMENT PROCEDURE
PE-17 ALTERNATE WORK SITE
PE-17.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the management, operational, and technical information system security controls to be employed at alternate work sites;
(ii) the organization employs organization-defined management, operational, and technical information system security controls at alternate work sites;
(iii) the organization assesses, as feasible, the effectiveness of security controls at alternate work sites; and
(iv) the organization provides a means for employees to communicate with information security personnel in case of security incidents or problems.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing alternate work sites for organizational personnel; security plan; list of management, operational, and technical security controls required for alternate work sites; assessments of security controls at alternate work sites; other relevant documents or records].
Interview: [SELECT FROM: Organization personnel using alternate work sites].



PE-18 LOCATION OF INFORMATION SYSTEM COMPONENTS


FAMILY: PHYSICAL AND ENVIRONMENTAL PROTECTION
CLASS: OPERATIONAL


Security Control Baseline:
PE-18 Location of Information System Components; P2; LOW: Not Selected; MOD: PE-18; HIGH: PE-18 (1)


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/PE-18


ASSESSMENT PROCEDURE
PE-18 LOCATION OF INFORMATION SYSTEM COMPONENTS
PE-18.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization positions information system components within the facility to minimize potential damage from physical and environmental hazards; and
(ii) the organization positions information system components within the facility to minimize the opportunity for unauthorized access.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing positioning of information system components; documentation providing the location and position of information system components within the facility; other relevant documents or records].


