Doc:NIST SP 800-53Ar1 Appendix F/Enhanced/PE/High

From FISMApedia
Jump to: navigation, search

NIST SP 800-53Ar1 Assessment Procedure Catalog, with SP 800-53r3 Security Controls


PHYSICAL AND ENVIRONMENTAL PROTECTION

PE-1 PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES


FAMILY: PHYSICAL AND ENVIRONMENTAL PROTECTION CLASS: OPERATIONAL


Security Control Baseline:
PE-1 Physical and Environmental Protection Policy and Procedures P1 LOW PE-1 MOD PE-1 HIGH PE-1


SECURITY CONTROL

PE-1 PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES

Control: The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
a. A formal, documented physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls.
Supplemental Guidance: This control is intended to produce the policy and procedures that are required for the effective implementation of selected security controls and control enhancements in the physical and environmental protection family. The policy and procedures are consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Existing organizational policies and procedures may make the need for additional specific policies and procedures unnecessary. The physical and environmental protection policy can be included as part of the general information security policy for the organization. Physical and environmental protection procedures can be developed for the security program in general and for a particular information system, when required. The organizational risk management strategy is a key factor in the development of the physical and environmental protection policy. Related control: PM-9.
Control Enhancements: None.


ASSESSMENT PROCEDURE
PE-1 PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES
PE-1.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops and formally documents physical and environmental protection policy;
(ii) the organization physical and environmental protection policy addresses:
(iii) the organization disseminates formal documented physical and environmental protection policy to elements within the organization having associated physical and environmental protection roles and responsibilities;
(iv) the organization develops and formally documents physical and environmental protection procedures;
(v) the organization physical and environmental protection procedures facilitate implementation of the physical and environmental protection policy and associated physical and environmental protection controls; and
(vi) the organization disseminates formal documented physical and environmental protection procedures to elements within the organization having associated physical and environmental protection roles and responsibilities.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy and procedures; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with physical and environmental protection responsibilities].
PE-1.2 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the frequency of physical and environmental protection policy reviews/updates;
(ii) the organization reviews/updates physical and environmental protection policy in accordance with organization-defined frequency; and
(iii) the organization defines the frequency of physical and environmental protection procedure reviews/updates;
(iv) the organization reviews/updates physical and environmental protection procedures in accordance with organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy and procedures; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with physical and environmental protection responsibilities].


PE-2 PHYSICAL ACCESS AUTHORIZATIONS


FAMILY: PHYSICAL AND ENVIRONMENTAL PROTECTION CLASS: OPERATIONAL


Security Control Baseline:
PE-2 Physical Access Authorizations P1 LOW PE-2 MOD PE-2 HIGH PE-2


SECURITY CONTROL

PE-2 PHYSICAL ACCESS AUTHORIZATIONS

Control: The organization:
a. Develops and keeps current a list of personnel with authorized access to the facility where the information system resides (except for those areas within the facility officially designated as publicly accessible);
b. Issues authorization credentials;
c. Reviews and approves the access list and authorization credentials [Assignment: organization-defined frequency], removing from the access list personnel no longer requiring access.
Supplemental Guidance: Authorization credentials include, for example, badges, identification cards, and smart cards. Related control: PE-3, PE-4.
Control Enhancements:


ASSESSMENT PROCEDURE
PE-2 PHYSICAL ACCESS AUTHORIZATIONS
PE-2.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization identifies areas within the facility that are publicly accessible;
(ii) the organization develops and keeps current lists of personnel with authorized access to the facility where the information system resides (except for those areas within the facility officially designated as publicly accessible); and
(iii) the organization issues authorization credentials (e.g., badges, identification cards, smart cards).
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing physical access authorizations; authorized personnel access list; authorization credentials; list of areas that are publicly accessible; other relevant documents or records].


PE-2.2 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the frequency for review and approval of the physical access list and authorization credentials for the facility;
(ii) organization reviews and approves the access list and authorization credentials in accordance with the organization-defined frequency; and
(iii) the organization removes from the access list personnel no longer requiring access.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing physical access authorizations; security plan; authorized personnel access list; authorization credentials; other relevant documents or records].


PE-3 PHYSICAL ACCESS CONTROL


FAMILY: PHYSICAL AND ENVIRONMENTAL PROTECTION CLASS: OPERATIONAL


Security Control Baseline:
PE-3 Physical Access Control P1 LOW PE-3 MOD PE-3 HIGH PE-3 (1)


SECURITY CONTROL

PE-3 PHYSICAL ACCESS CONTROL

Control: The organization:
a. Enforces physical access authorizations for all physical access points (including designated entry/exit points) to the facility where the information system resides (excluding those areas within the facility officially designated as publicly accessible);
b. Verifies individual access authorizations before granting access to the facility;
c. Controls entry to the facility containing the information system using physical access devices and/or guards;
d. Controls access to areas officially designated as publicly accessible in accordance with the organization's assessment of risk;
e. Secures keys, combinations, and other physical access devices;
f. Inventories physical access devices [Assignment: organization-defined frequency]; and
g. Changes combinations and keys [Assignment: organization-defined frequency] and when keys are lost, combinations are compromised, or individuals are transferred or terminated.
Supplemental Guidance: The organization determines the types of guards needed, for example, professional physical security staff or other personnel such as administrative staff or information system users, as deemed appropriate. Physical access devices include, for example, keys, locks, combinations, and card readers. Workstations and associated peripherals connected to (and part of) an organizational information system may be located in areas designated as publicly accessible with access to such devices being safeguarded. Related controls: MP-2, MP-4, PE-2.
Control Enhancements:


ASSESSMENT PROCEDURE
PE-3 PHYSICAL ACCESS CONTROL
PE-3.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization enforces physical access authorizations for all physical access points (including designated entry/exit points) to the facility where the information system resides (excluding those areas within the facility officially designated as publicly accessible);
(ii) the organization verifies individual access authorizations before granting access to the facility;
(iii) the organization controls entry to the facility containing the information system using physical access devices (e.g., keys, locks, combinations, card readers) and/or guards;
(iv) the organization controls access to areas officially designated as publicly accessible in accordance with the organization's assessment of risk; and
(v) the organization secures keys, combinations, and other physical access devices.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing physical access control; physical access control logs or records; information system entry and exit points; storage locations for physical access devices; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with physical access control responsibilities].
Test: [SELECT FROM: Physical access control capability; physical access control devices].
PE-3.2 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the frequency for conducting inventories of physical access devices;
(ii) the organization inventories physical access devices in accordance with the organization-defined frequency;
(iii) the organization defines the frequency of changes to combinations and keys; and
(iv) the organization changes combinations and keys in accordance with the organization-defined frequency, and when keys are lost, combinations are compromised, or individuals are transferred or terminated.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing physical access control; security plan; physical access control logs or records; inventory records of physical access devices; records of key and lock combination changes; storage locations for physical access devices; other relevant documents or records].


Test: [SELECT FROM: Physical access control devices].


SECURITY CONTROL ENHANCEMENT
(1) The organization enforces physical access authorizations to the information system independent of the physical access controls for the facility.
Enhancement Supplemental Guidance: This control enhancement applies to server rooms, media storage areas, communications centers, or any other areas within an organizational facility containing large concentrations of information system components. The intent is to provide additional physical security for those areas where the organization may be more vulnerable due to the concentration of information system components. Security requirements for facilities containing organizational information systems that process, store, or transmit Sensitive Compartmented Information (SCI) are consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. See also PS-3, security requirements for personnel access to SCI.


PE-3(1) PHYSICAL ACCESS CONTROL
PE-3(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization enforces physical access authorizations to the information system independent of the physical access controls for the facility.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing physical access control; physical access control logs or records; information system entry and exit points; list of areas within the facility containing high concentrations of information system components or information system components requiring additional physical protection; other relevant documents or records].



PE-4 ACCESS CONTROL FOR TRANSMISSION MEDIUM


FAMILY: PHYSICAL AND ENVIRONMENTAL PROTECTION CLASS: OPERATIONAL


Security Control Baseline:
PE-4 Access Control for Transmission Medium P1 LOW Not Selected MOD PE-4 HIGH PE-4


SECURITY CONTROL

PE-4 ACCESS CONTROL FOR TRANSMISSION MEDIUM

Control: The organization controls physical access to information system distribution and transmission lines within organizational facilities.
Supplemental Guidance: Physical protections applied to information system distribution and transmission lines help prevent accidental damage, disruption, and physical tampering. Additionally, physical protections are necessary to help prevent eavesdropping or in transit modification of unencrypted transmissions. Protective measures to control physical access to information system distribution and transmission lines include: (i) locked wiring closets; (ii) disconnected or locked spare jacks; and/or (iii) protection of cabling by conduit or cable trays. Related control: PE-2.
Control Enhancements: None.


ASSESSMENT PROCEDURE
PE-4 ACCESS CONTROL FOR TRANSMISSION MEDIUM
PE-4.1 ASSESSMENT OBJECTIVE:
Determine if the organization controls physical access to information system distribution and transmission lines within organizational facilities.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing access control for transmission medium; information system design documentation; facility communications and wiring diagrams; other relevant documents or records].



PE-5 ACCESS CONTROL FOR OUTPUT DEVICES


FAMILY: PHYSICAL AND ENVIRONMENTAL PROTECTION CLASS: OPERATIONAL


Security Control Baseline:
PE-5 Access Control for Output Devices P1 LOW Not Selected MOD PE-5 HIGH PE-5


SECURITY CONTROL

PE-5 ACCESS CONTROL FOR OUTPUT DEVICES

Control: The organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output.
Supplemental Guidance: Monitors, printers, and audio devices are examples of information system output devices.
Control Enhancements: None.


ASSESSMENT PROCEDURE
PE-5 ACCESS CONTROL FOR OUTPUT DEVICES
PE-5.1 ASSESSMENT OBJECTIVE:
Determine if the organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing access control for display medium; facility layout of information system components; actual displays from information system components; other relevant documents or records].



PE-6 MONITORING PHYSICAL ACCESS


FAMILY: PHYSICAL AND ENVIRONMENTAL PROTECTION CLASS: OPERATIONAL


Security Control Baseline:
PE-6 Monitoring Physical Access P1 LOW PE-6 MOD PE-6 (1) HIGH PE-6 (1) (2)


SECURITY CONTROL

PE-6 MONITORING PHYSICAL ACCESS

Control: The organization:
a. Monitors physical access to the information system to detect and respond to physical security incidents;
b. Reviews physical access logs [Assignment: organization-defined frequency]; and
c. Coordinates results of reviews and investigations with the organization's incident response capability.
Supplemental Guidance: Investigation of and response to detected physical security incidents, including apparent security violations or suspicious physical access activities, are part of the organization's incident response capability.
Control Enhancements:


ASSESSMENT PROCEDURE
PE-6 MONITORING PHYSICAL ACCESS
PE-6.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization monitors physical access to the information system to detect and respond to physical security incidents;
(ii) the organization defines the frequency to review physical access logs;
(iii) the organization reviews physical access logs in accordance with the organization-defined frequency; and
(iv) the organization coordinates results of reviews and investigations with the organization's incident response capability.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing physical access monitoring; security plan; physical access logs or records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with physical access monitoring responsibilities].
Test: [SELECT FROM: Physical access monitoring capability].


SECURITY CONTROL ENHANCEMENT
(1) The organization monitors real-time physical intrusion alarms and surveillance equipment.


PE-6(1) MONITORING PHYSICAL ACCESS
PE-6(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization monitors real-time physical intrusion alarms and surveillance equipment.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing physical access monitoring; physical intrusion alarm/surveillance equipment logs or records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with physical access monitoring responsibilities].
Test: [SELECT FROM: Physical access monitoring capability].


SECURITY CONTROL ENHANCEMENT
(2) The organization employs automated mechanisms to recognize potential intrusions and initiate designated response actions.


PE-6(2) MONITORING PHYSICAL ACCESS
PE-6(2).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs automated mechanisms to recognize potential intrusions and initiate designated response actions.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing physical access monitoring; information system design documentation; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing physical access monitoring capability].


PE-7 VISITOR CONTROL


FAMILY: PHYSICAL AND ENVIRONMENTAL PROTECTION CLASS: OPERATIONAL


Security Control Baseline:
PE-7 Visitor Control P1 LOW PE-7 MOD PE-7 (1) HIGH PE-7 (1)


SECURITY CONTROL

PE-7 VISITOR CONTROL

Control: The organization controls physical access to the information system by authenticating visitors before authorizing access to the facility where the information system resides other than areas designated as publicly accessible.
Supplemental Guidance: Individuals (to include organizational employees, contract personnel, and others) with permanent authorization credentials for the facility are not considered visitors.
Control Enhancements:


ASSESSMENT PROCEDURE
PE-7 VISITOR CONTROL
PE-7.1 ASSESSMENT OBJECTIVE:
Determine if the organization controls physical access to the information system by authenticating visitors before authorizing access to the facility where the information system resides other than areas designated as publicly accessible.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing visitor access control; visitor access control logs or records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with visitor access control responsibilities].
Test: [SELECT FROM: Visitor access control capability].


SECURITY CONTROL ENHANCEMENT
(1) The organization escorts visitors and monitors visitor activity, when required.


PE-7(1) VISITOR CONTROL
PE-7(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization escorts visitors and monitors visitor activity, when required.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing visitor access control; visitor access control logs or records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with visitor access control responsibilities].


PE-8 ACCESS RECORDS


FAMILY: PHYSICAL AND ENVIRONMENTAL PROTECTION CLASS: OPERATIONAL


Security Control Baseline:
PE-8 Access Records P3 LOW PE-8 MOD PE-8 HIGH PE-8 (1) (2)


SECURITY CONTROL

PE-8 ACCESS RECORDS

Control: The organization:
a. Maintains visitor access records to the facility where the information system resides (except for those areas within the facility officially designated as publicly accessible); and
b. Reviews visitor access records [Assignment: organization-defined frequency].
Supplemental Guidance: Visitor access records include, for example, name/organization of the person visiting, signature of the visitor, form(s) of identification, date of access, time of entry and departure, purpose of visit, and name/organization of person visited.
Control Enhancements:


ASSESSMENT PROCEDURE
PE-8 ACCESS RECORDS
PE-8.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization maintains visitor access records to the facility where the information system resides (except for those areas within the facility officially designated as publicly accessible);
(ii) the organization defines the frequency to review visitor access records;
(iii) the organization reviews the visitor access records in accordance with the organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing facility access records; security plan; facility access control records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with responsibilities for reviewing physical access records].



SECURITY CONTROL ENHANCEMENT
(1) The organization employs automated mechanisms to facilitate the maintenance and review of access records.


PE-8(1) ACCESS RECORDS
PE-8(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs automated mechanisms to facilitate the maintenance and review of access records.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing facility access records; automated mechanisms supporting management of access records; facility access control logs or records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with responsibilities for reviewing physical access records].


SECURITY CONTROL ENHANCEMENT
(2) The organization maintains a record of all physical access, both visitor and authorized individuals.


PE-8(2) ACCESS RECORDS
PE-8(2).1 ASSESSMENT OBJECTIVE:
Determine if the organization maintains a record of all physical access, both visitor and authorized individuals.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing facility access records; facility access control logs or records; other relevant documents or records].



PE-9 POWER EQUIPMENT AND POWER CABLING


FAMILY: PHYSICAL AND ENVIRONMENTAL PROTECTION CLASS: OPERATIONAL


Security Control Baseline:
PE-9 Power Equipment and Power Cabling P1 LOW Not Selected MOD PE-9 HIGH PE-9


SECURITY CONTROL

PE-9 POWER EQUIPMENT AND POWER CABLING

Control: The organization protects power equipment and power cabling for the information system from damage and destruction.
Supplemental Guidance: This control, to include any enhancements specified, may be satisfied by similar requirements fulfilled by another organizational entity other than the information security program. Organizations avoid duplicating actions already covered.
Control Enhancements:


ASSESSMENT PROCEDURE
PE-9 POWER EQUIPMENT AND POWER CABLING
PE-9.1 ASSESSMENT OBJECTIVE:
Determine if the organization protects power equipment and power cabling for the information system from damage and destruction.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing power equipment and cabling protection; facility housing power equipment and cabling; other relevant documents or records].



PE-10 EMERGENCY SHUTOFF


FAMILY: PHYSICAL AND ENVIRONMENTAL PROTECTION CLASS: OPERATIONAL


Security Control Baseline:
PE-10 Emergency Shutoff P1 LOW Not Selected MOD PE-10 HIGH PE-10


SECURITY CONTROL

PE-10 EMERGENCY SHUTOFF

Control: The organization:
a. Provides the capability of shutting off power to the information system or individual system components in emergency situations;
b. Places emergency shutoff switches or devices in [Assignment: organization-defined location by information system or system component] to facilitate safe and easy access for personnel; and
c. Protects emergency power shutoff capability from unauthorized activation.
Supplemental Guidance: This control applies to facilities containing concentrations of information system resources, for example, data centers, server rooms, and mainframe computer rooms.
Control Enhancements:


ASSESSMENT PROCEDURE
PE-10 EMERGENCY SHUTOFF
PE-10.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization provides the capability of shutting off power to the information system or individual system components in emergency situations;
(ii) the organization defines the location of emergency shutoff switches or devices by information system or system component;
(iii) the organization places emergency shutoff switches or devices in an organization-defined location by information system or system component to facilitate safe and easy access for personnel; and
(iv) the organization protects the emergency power shutoff capability from unauthorized activation.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing power source emergency shutoff; security plan; emergency shutoff controls or switches; other relevant documents or records].



PE-10(1) EMERGENCY SHUTOFF

[Withdrawn: Incorporated into PE-10].

PE-10(1).1 ASSESSMENT OBJECTIVE:
[Withdrawn: Incorporated into PE-10].
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
[Withdrawn: Incorporated into PE-10].


PE-11 EMERGENCY POWER


FAMILY: PHYSICAL AND ENVIRONMENTAL PROTECTION CLASS: OPERATIONAL


Security Control Baseline:
PE-11 Emergency Power P1 LOW Not Selected MOD PE-11 HIGH PE-11 (1)


SECURITY CONTROL

PE-11 EMERGENCY POWER

Control: The organization provides a short-term uninterruptible power supply to facilitate an orderly shutdown of the information system in the event of a primary power source loss.
Supplemental Guidance: This control, to include any enhancements specified, may be satisfied by similar requirements fulfilled by another organizational entity other than the information security program. Organizations avoid duplicating actions already covered.
Control Enhancements:


ASSESSMENT PROCEDURE
PE-11 EMERGENCY POWER
PE-11.1 ASSESSMENT OBJECTIVE:
Determine if the organization provides a short-term uninterruptible power supply to facilitate an orderly shutdown of the information system in the event of a primary power source loss.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing emergency power; uninterruptible power supply documentation; uninterruptible power supply test records; other relevant documents or records].
Test: [SELECT FROM: Uninterruptible power supply].


SECURITY CONTROL ENHANCEMENT
(1) The organization provides a long-term alternate power supply for the information system that is capable of maintaining minimally required operational capability in the event of an extended loss of the primary power source.


PE-11(1) EMERGENCY POWER
PE-11(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization provides a long-term alternate power supply for the information system that is capable of maintaining minimally required operational capability in the event of an extended loss of the primary power source.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing emergency power; alternate power supply documentation; alternate power test records; other relevant documents or records].
Test: [SELECT FROM: Alternate power supply].


PE-12 EMERGENCY LIGHTING


FAMILY: PHYSICAL AND ENVIRONMENTAL PROTECTION CLASS: OPERATIONAL


Security Control Baseline:
PE-12 Emergency Lighting P1 LOW PE-12 MOD PE-12 HIGH PE-12


SECURITY CONTROL

PE-12 EMERGENCY LIGHTING

Control: The organization employs and maintains automatic emergency lighting for the information system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility.
Supplemental Guidance: This control, to include any enhancements specified, may be satisfied by similar requirements fulfilled by another organizational entity other than the information security program. Organizations avoid duplicating actions already covered.
Control Enhancements:


ASSESSMENT PROCEDURE
PE-12 EMERGENCY LIGHTING
PE-12.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization employs automatic emergency lighting for the information system that activates in the event of a power outage or disruption;
(ii) the organization employs automatic emergency lighting for the information system that covers emergency exits and evacuation routes within the facility; and
(iii) the organization maintains the automatic emergency lighting for the information system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing emergency lighting; emergency lighting documentation; emergency lighting test records; emergency exits and evacuation routes; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with emergency planning responsibilities].
Test: [SELECT FROM: Emergency lighting capability].


PE-13 FIRE PROTECTION


FAMILY: PHYSICAL AND ENVIRONMENTAL PROTECTION CLASS: OPERATIONAL


Security Control Baseline:
PE-13 Fire Protection P1 LOW PE-13 MOD PE-13 (1) (2) (3) HIGH PE-13 (1) (2) (3)


SECURITY CONTROL

PE-13 FIRE PROTECTION

Control: The organization employs and maintains fire suppression and detection devices/systems for the information system that are supported by an independent energy source.
Supplemental Guidance: Fire suppression and detection devices/systems include, for example, sprinkler systems, handheld fire extinguishers, fixed fire hoses, and smoke detectors. This control, to include any enhancements specified, may be satisfied by similar requirements fulfilled by another organizational entity other than the information security program. Organizations avoid duplicating actions already covered.
Control Enhancements:


ASSESSMENT PROCEDURE
PE-13 FIRE PROTECTION
PE-13.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization employs fire suppression and detection devices/systems for the information system that are supported by an independent energy source; and
(ii) the organization maintains fire suppression and detection devices/systems for the information system that are supported by an independent energy source.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing fire protection; fire suppression and detection devices/systems; fire suppression and detection devices/systems documentation; test records of fire suppression and detection devices/systems; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with responsibilities for fire detection and suppression devices/systems].



SECURITY CONTROL ENHANCEMENT
(1) The organization employs fire detection devices/systems for the information system that activate automatically and notify the organization and emergency responders in the event of a fire.


PE-13(1) FIRE PROTECTION
PE-13(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs fire detection devices/systems for the information system that, without manual intervention, activate automatically and notify the organization and emergency responders in the event of a fire.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing fire protection; facility housing the information system; alarm service level agreements; test records of fire suppression and detection devices/systems; fire suppression and detection devices/systems documentation; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with responsibilities for fire detection and suppression devices/systems].
Test: [SELECT FROM: Simulated activation of fire detection devices/systems and automated notifications].


SECURITY CONTROL ENHANCEMENT
(2) The organization employs fire suppression devices/systems for the information system that provide automatic notification of any activation to the organization and emergency responders.


PE-13(2) FIRE PROTECTION
PE-13(2).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs fire suppression devices/systems for the information system that provide automatic notification of any activation to the organization and emergency responders.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing fire protection; fire suppression and detection devices/systems documentation; facility housing the information system; alarm service level agreements; test records of fire suppression and detection devices/systems; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with responsibilities for fire detection and suppression devices/systems].
Test: [SELECT FROM: Simulated activation of fire suppression devices/systems and automated notifications].


SECURITY CONTROL ENHANCEMENT
(3) The organization employs an automatic fire suppression capability for the information system when the facility is not staffed on a continuous basis.


PE-13(3) FIRE PROTECTION
PE-13(3).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs an automatic fire suppression capability for the information system when the facility is not staffed on a continuous basis.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing fire protection; facility housing the information system; alarm service level agreements; facility staffing plans; test records of fire suppression and detection devices/systems; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with responsibilities for fire detection and suppression devices/systems].
Test: [SELECT FROM: Simulated activation of fire suppression devices/systems].


PE-14 TEMPERATURE AND HUMIDITY CONTROLS


FAMILY: PHYSICAL AND ENVIRONMENTAL PROTECTION CLASS: OPERATIONAL


Security Control Baseline:
PE-14 Temperature and Humidity Controls P1 LOW PE-14 MOD PE-14 HIGH PE-14


SECURITY CONTROL

PE-14 TEMPERATURE AND HUMIDITY CONTROLS

Control: The organization:
a. Maintains temperature and humidity levels within the facility where the information system resides at [Assignment: organization-defined acceptable levels]; and
b. Monitors temperature and humidity levels [Assignment: organization-defined frequency].
Supplemental Guidance: This control, to include any enhancements specified, may be satisfied by similar requirements fulfilled by another organizational entity other than the information security program. Organizations avoid duplicating actions already covered.
Control Enhancements:


ASSESSMENT PROCEDURE
PE-14 TEMPERATURE AND HUMIDITY CONTROLS
PE-14.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the acceptable temperature and humidity levels within the facility where the information system resides;
(ii) the organization maintains temperature and humidity levels within the facility where the information system resides in accordance with organization-defined acceptable levels;
(iii) the organization defines the frequency to monitor temperature and humidity levels; and
(iv) the organization monitors the temperature and humidity levels within the facility where the information system resides in accordance with the organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing temperature and humidity control; security plan; temperature and humidity controls; facility housing the information system; temperature and humidity controls documentation; temperature and humidity records; other relevant documents or records].



PE-15 WATER DAMAGE PROTECTION


FAMILY: PHYSICAL AND ENVIRONMENTAL PROTECTION CLASS: OPERATIONAL


Security Control Baseline:
PE-15 Water Damage Protection P1 LOW PE-15 MOD PE-15 HIGH PE-15 (1)


SECURITY CONTROL

PE-15 WATER DAMAGE PROTECTION

Control: The organization protects the information system from damage resulting from water leakage by providing master shutoff valves that are accessible, working properly, and known to key personnel.
Supplemental Guidance: This control, to include any enhancements specified, may be satisfied by similar requirements fulfilled by another organizational entity other than the information security program. Organizations avoid duplicating actions already covered.
Control Enhancements:


ASSESSMENT PROCEDURE
PE-15 WATER DAMAGE PROTECTION
PE-15.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization protects the information system from damage resulting from water leakage by providing master shutoff valves that are accessible and working properly; and
(ii) key personnel within the organization have knowledge of the master water shutoff valves.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing water damage protection; facility housing the information system; master shutoff valves; list of key personnel with knowledge of location and activation procedures for master shutoff valves for the plumbing system; master shutoff valve documentation; other relevant documents or records].
Interview: [SELECT FROM: Organization personnel with physical and environmental protection responsibilities].
Test: [SELECT FROM: Master water-shutoff valves; process for activating master water-shutoff].


SECURITY CONTROL ENHANCEMENT
(1) The organization employs mechanisms that, without the need for manual intervention, protect the information system from water damage in the event of a water leak.


PE-15(1) WATER DAMAGE PROTECTION
PE-15(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs mechanisms that, without the need for manual intervention, protect the information system from water damage in the event of a water leak.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing water damage protection; facility housing the information system; automated mechanisms for water shutoff valves; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing master water shutoff valve activation].


PE-16 DELIVERY AND REMOVAL


FAMILY: PHYSICAL AND ENVIRONMENTAL PROTECTION CLASS: OPERATIONAL


Security Control Baseline:
PE-16 Delivery and Removal P1 LOW PE-16 MOD PE-16 HIGH PE-16


SECURITY CONTROL

PE-16 DELIVERY AND REMOVAL

Control: The organization authorizes, monitors, and controls [Assignment: organization-defined types of information system components] entering and exiting the facility and maintains records of those items.
Supplemental Guidance: Effectively enforcing authorizations for entry and exit of information system components may require restricting access to delivery areas and possibly isolating the areas from the information system and media libraries.
Control Enhancements: None.


ASSESSMENT PROCEDURE
PE-16 DELIVERY AND REMOVAL
PE-16.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the types of information system components to be authorized, monitored, and controlled as such components are entering or exiting the facility;
(ii) the organization authorizes, monitors, and controls organization-defined information system components entering and exiting the facility; and
(iii) the organization maintains records of information system components entering and exiting the facility.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing delivery and removal of information system components from the facility; security plan; facility housing the information system; records of items entering and exiting the facility; other relevant documents or records].
Interview: [SELECT FROM: Organization personnel with responsibilities for controlling information system components entering and exiting the facility].
Test: [SELECT FROM: Process for controlling information system-related items entering and exiting the facility].


PE-17 ALTERNATE WORK SITE


FAMILY: PHYSICAL AND ENVIRONMENTAL PROTECTION CLASS: OPERATIONAL


Security Control Baseline:
PE-17 Alternate Work Site P1 LOW Not Selected MOD PE-17 HIGH PE-17


SECURITY CONTROL

PE-17 ALTERNATE WORK SITE

Control: The organization:
a. Employs [Assignment: organization-defined management, operational, and technical information system security controls] at alternate work sites;
b. Assesses as feasible, the effectiveness of security controls at alternate work sites; and
c. Provides a means for employees to communicate with information security personnel in case of security incidents or problems.
Supplemental Guidance: Alternate work sites may include, for example, government facilities or private residences of employees. The organization may define different sets of security controls for specific alternate work sites or types of sites.
Control Enhancements: None.


ASSESSMENT PROCEDURE
PE-17 ALTERNATE WORK SITE
PE-17.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the management, operational, and technical information system security controls to be employed at alternate work sites;
(ii) the organization employs organization-defined management, operational, and technical information system security controls at alternate work sites;
(iii) the organization assesses, as feasible, the effectiveness of security controls at alternate work sites; and
(iv) the organization provides a means for employees to communicate with information security personnel in case of security incidents or problems.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing alternate work sites for organizational personnel; security plan; list of management, operational, and technical security controls required for alternate work sites; assessments of security controls at alternate work sites; other relevant documents or records].
Interview: [SELECT FROM: Organization personnel using alternate work sites].



PE-18 LOCATION OF INFORMATION SYSTEM COMPONENTS


FAMILY: PHYSICAL AND ENVIRONMENTAL PROTECTION CLASS: OPERATIONAL


Security Control Baseline:
PE-18 Location of Information System Components P2 LOW Not Selected MOD PE-18 HIGH PE-18 (1)


SECURITY CONTROL

PE-18 LOCATION OF INFORMATION SYSTEM COMPONENTS

Control: The organization positions information system components within the facility to minimize potential damage from physical and environmental hazards and to minimize the opportunity for unauthorized access.
Supplemental Guidance: Physical and environmental hazards include, for example, flooding, fire, tornados, earthquakes, hurricanes, acts of terrorism, vandalism, electromagnetic pulse, electrical interference, and electromagnetic radiation. Whenever possible, the organization also considers the location or site of the facility with regard to physical and environmental hazards. In addition, the organization considers the location of physical entry points where unauthorized individuals, while not being granted access, might nonetheless be in close proximity to the information system and therefore, increase the potential for unauthorized access to organizational communications (e.g., through the use of wireless sniffers or microphones). This control, to include any enhancements specified, may be satisfied by similar requirements fulfilled by another organizational entity other than the information security program. Organizations avoid duplicating actions already covered.
Control Enhancements:


ASSESSMENT PROCEDURE
PE-18 LOCATION OF INFORMATION SYSTEM COMPONENTS
PE-18.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization positions information system components within the facility to minimize potential damage from physical and environmental hazards; and
(ii) the organization positions information system components within the facility to minimize the opportunity for unauthorized access.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing positioning of information system components; documentation providing the location and position of information system components within the facility; other relevant documents or records].



SECURITY CONTROL ENHANCEMENT
(1) The organization plans the location or site of the facility where the information system resides with regard to physical and environmental hazards and for existing facilities, considers the physical and environmental hazards in its risk mitigation strategy.


PE-18(1) LOCATION OF INFORMATION SYSTEM COMPONENTS
PE-18(1).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization plans the location or site of the facility where the information system resides with regard to physical and environmental hazards; and
(ii) the organization, for existing facilities, considers the physical and environmental hazards in its risk mitigation strategy.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Physical and environmental protection policy; physical site planning documents; organizational assessment of risk, contingency plan; other relevant documents or records].
Interview: [SELECT FROM: Organization personnel with site selection responsibilities for the facility housing the information system].


Source