Physical and Environmental Protection Plan (template)


Uploaded by truonglien, posted 17-Jul-2018 (Documents)


FOR OFFICIAL USE ONLY    {ACRONYM} {DATE}    PHYSICAL AND ENVIRONMENTAL PROTECTION PLAN

{COMMAND}

{SYSTEM NAME} {ACRONYM}

System Version: {VERSION}

eMASS# {EMASS#}

Confidentiality: {CONFIDENTIALITY}

Integrity: {INTEGRITY}

Availability: {AVAILABILITY}

Department of the {SERVICE}

{LOGO}

Physical and Environmental Protection Plan

Document Version: 1.0.0

{DATE}

Prepared by: {ORGANIZATION}

DISTRIBUTION IS LIMITED TO U.S. GOVERNMENT AGENCIES AND THEIR CONTRACTORS. OTHER REQUESTS FOR THIS DOCUMENT MUST BE REFERRED TO: {ORGANIZATION}

Template developed by: http://www.i-assure.com FOR OFFICIAL USE ONLY


Change Record

Date | Version | Author | Changes Made / Section(s)
{DATE} | 1.0.0 | {ORGANIZATION} | Initial Document

Amplifying Guidance

i. DoD Instruction 5200.08, "Security of DoD Installations and Resources and the DoD Physical Security Review Board (PSRB)"
ii. DoD Regulation 5200.08-R, "Physical Security Program", as amended



Table of Contents

1.0 OVERVIEW.......................................................................................................................................1

2.0 PHYSICAL AND ENVIRONMENTAL PROTECTION.............................................................................2

2.1 Physical Access Authorizations...................................................................................................2

2.2 Physical Access Control...............................................................................................................2

2.2.1 Penetration Testing.............................................................................................................2

2.2.2 Facility Entry and Exit Points...............................................................................................3

2.2.3 Publicly Accessible Areas....................................................................................................3

2.2.4 Visitor Escorts and Monitoring...........................................................................................3

2.2.5 Key and Combination Procedures.......................................................................................3

2.3 Access Control for Transmission Medium..................................................................................3

2.4 Access Control for Output Devices.............................................................................................4

2.5 Monitoring Physical Access.........................................................................................................4

2.5.1 Video Surveillance...............................................................................................................4

2.5.2 Inspection/Assessment Records.........................................................................................5

3.0 VISITOR CONTROL...........................................................................................................................5

3.1 Visitor Access Records................................................................................................................5

4.0 PHYSICAL CONTROLS.......................................................................................................................5

4.1 Power Equipment and Cabling....................................................................................................5

4.2 Emergency Shutoff......................................................................................................................6

4.3 Emergency Power.......................................................................................................................7

4.4 Emergency Lighting.....................................................................................................................7

5.0 ENVIRONMENTAL CONTROLS.........................................................................................................8

5.1 Fire Protection.............................................................................................................................8

5.2 Temperature and Humidity Controls..........................................................................................9

5.3 Water Damage Protection..........................................................................................................9

6.0 DELIVERY AND REMOVAL.............................................................................................................10

7.0 ALTERNATE WORK SITE.................................................................................................................11

8.0 LOCATION OF INFORMATION SYSTEM COMPONENTS................................................................11

8.1 System Position.........................................................................................................................11

8.2 System Hazards.........................................................................................................................12

9.0 INFORMATION LEAKAGE...............................................................................................................12


10.0 ASSET MONITORING AND TRACKING...........................................................................................13

APPENDIX A – DETAILED COMPLIANCE MATRIX......................................................................................14

ENCLOSURE 1 – ACCESS LIST.....................................................................................................................71

ENCLOSURE 2 – VISITOR ACCESS LOG.......................................................................................................73

ENCLOSURE 3 – DELIVERY AND REMOVAL LOG.......................................................................................75

ENCLOSURE 4 – DAILY PHYSICAL SECURITY CHECKLIST............................................................................77

List of Tables

Table 1 – SP-800-53v4 Compliance Matrix..............1
Table 2 – Physical Access Control..............2
Table 3 – Facility Entry and Exit Points..............3
Table 4 – Key and Combination Procedures..............3
Table 5 – Distribution and Transmission Lines..............4
Table 6 – Access Control for Output Devices..............4
Table 7 – Video Surveillance..............4
Table 8 – Emergency Power..............7
Table 9 – Fire Protection Roles..............8
Table 10 – Water Damage Control Roles..............10
Table 11 – Water Presence Detection..............10
Table 12 – Delivery and Removal Procedures..............11
Table 13 – Alternate Worksite Controls..............11
Table 14 – System Hazards..............12
Table 15 – Asset Monitoring and Tracking..............13


1.0 OVERVIEW

The physical security program is that part of security concerned with active and passive measures designed to prevent unauthorized access to personnel, equipment, installations, and information, and to safeguard them against espionage, sabotage, terrorism, damage, and criminal activity. Physical security is a primary command responsibility.

This plan ensures that {ACRONYM} implements physical security to preserve the confidentiality, integrity, and availability of {ACRONYM} information system resources.

This document complies with the following requirements from NIST Special Publication 800-53 Revision 4, "Security and Privacy Controls for Federal Information Systems and Organizations". A detailed compliance matrix can be found in Appendix A, “Detailed Compliance Matrix”.

CNTL NO. | CONTROL NAME | PRIORITY | LOW | MOD | HIGH
PE-1 | Physical and Environmental Protection Policy and Procedures | P1 | PE-1 | PE-1 | PE-1
PE-2 | Physical Access Authorizations | P1 | PE-2 | PE-2 | PE-2
PE-3 | Physical Access Control | P1 | PE-3 | PE-3 | PE-3 (1)
PE-4 | Access Control for Transmission Medium | P1 | Not Selected | PE-4 | PE-4
PE-5 | Access Control for Output Devices | P2 | Not Selected | PE-5 | PE-5
PE-6 | Monitoring Physical Access | P1 | PE-6 | PE-6 (1) | PE-6 (1) (4)
PE-7 | Visitor Control | – | Not Selected | Not Selected | Not Selected
PE-8 | Visitor Access Records | P3 | PE-8 | PE-8 | PE-8 (1)
PE-9 | Power Equipment and Cabling | P1 | Not Selected | PE-9 | PE-9
PE-10 | Emergency Shutoff | P1 | Not Selected | PE-10 | PE-10
PE-11 | Emergency Power | P1 | Not Selected | PE-11 | PE-11 (1)
PE-12 | Emergency Lighting | P1 | PE-12 | PE-12 | PE-12
PE-13 | Fire Protection | P1 | PE-13 | PE-13 (3) | PE-13 (1) (2) (3)
PE-14 | Temperature and Humidity Controls | P1 | PE-14 | PE-14 | PE-14
PE-15 | Water Damage Protection | P1 | PE-15 | PE-15 | PE-15 (1)
PE-16 | Delivery and Removal | P2 | PE-16 | PE-16 | PE-16
PE-17 | Alternate Work Site | P2 | Not Selected | PE-17 | PE-17
PE-18 | Location of Information System Components | P3 | Not Selected | Not Selected | PE-18
PE-19 | Information Leakage | P0 | Not Selected | Not Selected | Not Selected
PE-20 | Asset Monitoring and Tracking | P0 | Not Selected | Not Selected | Not Selected

Table 1 – SP-800-53v4 Compliance Matrix

FOR OFFICIAL USE ONLY 1


2.0 PHYSICAL AND ENVIRONMENTAL PROTECTION

2.1 Physical Access Authorizations

Enclosure 1 lists the personnel that have access to the facility where {ACRONYM} resides. The Access List has been formally approved and is reviewed every 90 days. All personnel have been authorized based on the appropriate roles and positions. Personnel must have two forms of identification. Examples of valid identification are:

- DoD issued Common Access Card (CAC)
- Base issued ID
- Other Government issued ID
- State issued driver license
- Passport

It is {ACRONYM} policy that all Visitors must be escorted at all times in controlled areas. Visitors are required to sign the Visitor Log for access to any controlled area. All Visitors must be monitored by the Escort at all times. {ACRONYM} has not identified any Publicly Accessible areas.

{ACRONYM} issues all credentials through Base Security. The Personnel Security office verifies clearance information prior to identification being issued.

For personnel no longer requiring access, the Personnel Security Plan contains the credential revocation process and the Access List is updated to remove that person.

2.2 Physical Access Control

The {ACRONYM} has not identified additional physical access authorizations. The following physical security safeguards have been implemented for {ACRONYM} to detect and prevent physical tampering or alteration of {ACRONYM} components:

- Base Security – guard access at gate
- Facility Security – facility manned during workday and locked at night
- Keycard/Combination – only authorized personnel are listed in Access List and have credentials

The following table lists the {ACRONYM} components and the NIST SP 800-53 required information:

Component | Location | Guard/Alarm 24/7 | Physical Casing | Security Safeguards
All assets | Base | Guard and facility is alarmed | N/A | Yes. Listed above

Table 2 – Physical Access Control

2.2.1 Penetration Testing

Facility penetration testing (NIST SP 800-53 control enhancement PE-3 (6)) is not selected in any baseline (see Table 1) and is therefore not required for {ACRONYM}.

2.2.2 Facility Entry and Exit Points

The following table lists all entry/exit points for the facility housing {ACRONYM}:

Component | Location | Entry/Exit Point Access Control | Access List | Audit Log Required?
All Assets | Locked Room | | Yes | No

Table 3 – Facility Entry and Exit Points


2.2.3 Publicly Accessible Areas

The {ACRONYM} does not contain publicly accessible areas.

2.2.4 Visitor Escorts and Monitoring

A CAC is required when entering the {ACRONYM}. For those personnel without a CAC, a Visit Request for base access must be processed. All Visitors must be escorted at all times in controlled areas. Visitors are required to sign the Visitor Log for access to any controlled area. All Visitors must be monitored by the Escort at all times.

2.2.5 Key and Combination Procedures

{ACRONYM} has adequately secured its keys, combinations, and other physical devices.

The following devices are used to gain physical access to {ACRONYM}:

Component | Access Device | Annual Review? | Change Actions? | Notes
All assets | Physical key | Yes | None | No security-relevant events, lost keys, compromised combinations, or transferred or terminated individuals
All assets | Base Badge / CAC | Yes | None | Individual transfers or terminations are documented in the Personnel Security Plan

Table 4 – Key and Combination Procedures

2.3 Access Control for Transmission Medium

{ACRONYM} protects distribution and transmission lines to ensure unauthorized access does not occur. The following distribution and transmission lines, and their security safeguards, have been identified:

Distribution and Transmission Lines | Security Safeguards | Notes
Ethernet | All connections contained within the physically secure facility | No lines are outside of {ACRONYM} control

Table 5 – Distribution and Transmission Lines

2.4 Access Control for Output Devices

The {ACRONYM} has not identified additional access controls for output devices. The process for determining authorization to {ACRONYM} is contained within the Personnel Security Plan. The following output devices have been identified for {ACRONYM}:

Output Devices | Controlled? | Auditing Set per STIG | Marked/Labeled (Classified systems only)
All assets (visual and physical) | Yes. Only authorized personnel have access. | Yes. CCI 2936 | N/A. System is not Classified

Table 6 – Access Control for Output Devices


2.5 Monitoring Physical Access

{ACRONYM} is actively monitoring all physical intrusion alarms and surveillance equipment. {ACRONYM} implements the following types of equipment:

- Door sensors
- Badge System

{ACRONYM} recognizes the following types/classes of intrusions by automated mechanisms:

- Invalid CAC – scanned at {ACRONYM} Gate Guard station
- Invalid Entry – Base Badge system records card swipe actions

The hardware/software associated with the intrusion system is separately accredited. All intrusions are reported to Base Security.

{ACRONYM} response actions include:

- Denial of access
- Alarm sent to Base Security. Base Security then determines the appropriate response

2.5.1 Video Surveillance

Does {ACRONYM} implement video surveillance?

☐ No  ☐ Yes

If Yes:

Location / Operational Area | Equipment | Retained for 90 days? | {ACRONYM} Monitored? | Procedures?

Table 7 – Video Surveillance

2.5.2 Inspection/Assessment Records

The {ACRONYM} Access List is contained within Enclosure 1 and reviewed every 30 days. The following events or potential indications of events require an immediate review of physical access logs:

- Mishandled or lost resource: Equipment was stolen, lost, or left accessible to unauthorized parties.
- Local access: An unauthorized user was provided local physical access to {ACRONYM}.
- Abuse of resources: The physical destruction of {ACRONYM} by an unauthorized party.

The Incident Response Plan contains the review process and record of reviews concerning physical security events.

3.0 VISITOR CONTROL

3.1 Visitor Access Records

Visitor Access Records ensure only authorized personnel access the physical space in which {ACRONYM} resides. NIST SP 800-53 control enhancement PE-8 (1), selected for High-impact systems in Table 1, requires automated mechanisms to facilitate the maintenance and review of these records.


Does {ACRONYM} implement automated mechanisms to facilitate the maintenance and review of access records?

☐ No  ☐ Yes

If Yes, have they been observed?  ☐ No  ☐ Yes

If Yes, have they been maintained for at least one year?  ☐ No  ☐ Yes

If Yes, have they been reviewed at least every 30 days?  ☐ No  ☐ Yes
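The periodic review that Sections 2.5, 2.5.2 and 3.1 call for, as an added example that is not part of the template or of any i-assure product: it reads a constructed Base Badge system export together with the Enclosure 1 Access List and raises the findings that Section 2.5 says are reported to Base Security. The swipe-record format, badge IDs, manned hours and the repeated-denial threshold are assumptions; the plan does not describe the badge system's export.

```python
"""Review of Base Badge system records against the Enclosure 1 Access List.

Added example; not code from the template. The swipe-record format, badge
IDs, manned hours and thresholds below are assumptions, constructed for the
example: the plan does not describe the badge system's export.
"""
from datetime import datetime, timedelta

# Constructed Access List (Enclosure 1): approved badge IDs and roles.
ACCESS_LIST = {
    "B1001": {"name": "A. Smith", "role": "System Administrator"},
    "B1002": {"name": "J. Doe", "role": "ISSO"},
    "B1003": {"name": "R. Lee", "role": "Escort"},
}

# Facility is manned during the workday and locked at night (Section 2.2);
# 07:00-18:00 local is an assumed manned window.
MANNED_HOURS = (7, 18)

# Constructed badge-system export: "<ISO timestamp> <badge> <door> <result>".
SWIPE_LOG = """\
2018-07-16T08:02:11 B1001 SERVER-ROOM GRANTED
2018-07-16T08:05:40 B1002 SERVER-ROOM GRANTED
2018-07-16T12:31:05 B2077 SERVER-ROOM DENIED
2018-07-16T12:31:19 B2077 SERVER-ROOM DENIED
2018-07-16T12:31:33 B2077 SERVER-ROOM DENIED
2018-07-16T23:14:02 B1003 SERVER-ROOM GRANTED
2018-07-17T09:00:00 B9999 SERVER-ROOM GRANTED
"""


def parse_swipes(text):
    """Parse one swipe record per line into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, badge, door, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "badge": badge,
                       "door": door, "result": result})
    return events


def review_access_log(events, access_list, manned_hours=MANNED_HOURS,
                      repeat_window=timedelta(minutes=5), repeat_threshold=3):
    """Return (finding, badge, timestamp) tuples that warrant a report to Base Security.

    UNAUTHORIZED_ACCESS: access granted to a badge absent from the Access List
        (the "local access" trigger in Section 2.5.2; also an Access List gap).
    AFTER_HOURS_ENTRY: access granted while the facility should be locked.
    REPEATED_DENIAL: repeat_threshold denials by one badge inside repeat_window
        (the "Invalid Entry" class recorded by the badge system, Section 2.5).
    """
    findings = []
    denials = {}  # badge -> timestamps of recent denials
    start, end = manned_hours
    for e in events:
        if e["result"] == "GRANTED":
            if e["badge"] not in access_list:
                findings.append(("UNAUTHORIZED_ACCESS", e["badge"], e["ts"]))
            if not start <= e["ts"].hour < end:
                findings.append(("AFTER_HOURS_ENTRY", e["badge"], e["ts"]))
        elif e["result"] == "DENIED":
            recent = [t for t in denials.get(e["badge"], [])
                      if e["ts"] - t <= repeat_window]
            recent.append(e["ts"])
            denials[e["badge"]] = recent
            if len(recent) == repeat_threshold:  # fire once, at the threshold crossing
                findings.append(("REPEATED_DENIAL", e["badge"], e["ts"]))
    return findings


def run_review():
    """Run the review over the constructed export and Access List."""
    return review_access_log(parse_swipes(SWIPE_LOG), ACCESS_LIST)


if __name__ == "__main__":
    for kind, badge, ts in run_review():
        print(f"{ts.isoformat()} {kind:<20} badge={badge}  -> report to Base Security")
```

Because the Access List is re-read on every run, a person removed under the Personnel Security Plan's revocation process stops being an authorized badge in the next review without any change to the script; a GRANTED swipe by a removed badge then shows up as UNAUTHORIZED_ACCESS, which is also the signal that the badge system's own list has drifted from Enclosure 1.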

4.0 PHYSICAL CONTROLS

4.1 Power Equipment and Cabling

{ACRONYM} is required to protect power equipment and power cabling. {ACRONYM} is required to fulfill this requirement as {ACRONYM} is strictly a tenant of the facility.

The following protective measures have been implemented:

- All power equipment is located on a physically secure military base.
- All power cabling is contained within a physically secure facility.
- Only authorized personnel can access the base and facility.

Are redundant power cabling paths installed?  ☐ No  ☐ Yes

If Yes, are they physically separated by at least one foot?  ☐ No  ☐ Yes

Does the system contain critical information system components?  ☒ No  ☐ Yes

If Yes, are automatic voltage control mechanisms in place?  ☐ No  ☐ Yes

4.2 Emergency Shutoff

{ACRONYM} is required to provide a capability to shut off the power to facilities or areas within facilities containing concentrations of information system resources (e.g., datacenters, server rooms, mainframe computer rooms) in emergency situations. {ACRONYM} must install the emergency shutoff switches or devices near more than one egress point of the IT area, and each switch must be labeled and protected by a cover to prevent accidental shut-off while remaining safely and easily accessible to personnel. {ACRONYM} is required to fulfill this requirement as {ACRONYM} is strictly a tenant of the facility.


Is an emergency shutoff switch or device installed?  ☐ No  ☐ Yes

If Yes, is the switch/device near more than one egress point of the IT area?  ☐ No  ☐ Yes

If Yes, is the switch/device labeled and protected by a cover?  ☐ No  ☐ Yes

4.3 Emergency Power

{ACRONYM} is required to provide a capacity to implement uninterruptible power supply to {ACRONYM}. Uninterruptible power supply must have sufficient capacity to support orderly shutdown of {ACRONYM} or transition {ACRONYM} to long-term alternate power in the event of a primary power source loss. {ACRONYM} is required to fulfill this requirement as {ACRONYM} is strictly a tenant of the facility.

Assets | Power Requirements | Power Supply | Contingency Plan
All assets | 1 hour of alternate power | Generator/UPS | Yes

Table 8 – Emergency Power

Is a long-term alternate power supply self-contained?  ☐ No  ☐ Yes

If Yes, is the alternate power supply reliant on external power generation?  ☐ No  ☐ Yes

If No, is the alternate power supply capable of maintaining minimally required operational capability or full operational capability in the event of an extended loss of the primary power source?

☐ No  ☐ Yes

4.4 Emergency Lighting

{ACRONYM} is required to comply with established OSHA requirements by employing and maintaining emergency lighting for {ACRONYM}. Emergency lighting activates in the event of a power outage or disruption, and it covers emergency exits and evacuation routes within the facility. {ACRONYM} is required to fulfill this requirement as {ACRONYM} is strictly a tenant of the facility.

Does {ACRONYM} support essential mission and/or business functions?  ☒ No  ☐ Yes

If Yes, is emergency lighting present?  ☐ No  ☐ Yes

If Yes, does it cover emergency exits and evacuation routes within the facility?

☐ No  ☐ Yes

5.0 ENVIRONMENTAL CONTROLS

5.1 Fire Protection

{ACRONYM} is required to implement fire detection and suppression. Fire detection devices/systems for {ACRONYM} must activate automatically. {ACRONYM} is required to fulfill this requirement as {ACRONYM} is strictly a tenant of the facility.

Are fire detection and suppression devices/systems available?  ☐ No  ☐ Yes

If Yes, are they supported by an independent energy source?  ☐ No  ☐ Yes

If Yes, do they activate automatically?  ☐ No  ☐ Yes

If Yes, do they activate automatically when the facility is not staffed?  ☐ No  ☐ Yes

If Yes, do they automatically activate to notify personnel or roles defined below in the event of a fire?

☐ No  ☐ Yes

Personnel/Role | Automatic Notification | Notes
Base Fire Department | Yes |

Table 9 – Fire Protection Roles

Are fire protection systems inspected and documented at least annually?  ☐ No  ☐ Yes

If Yes, are all deficiencies identified resolved within 60 days?  ☐ No  ☐ Yes

5.2 Temperature and Humidity Controls

{ACRONYM} is required to implement automatic temperature and humidity controls. Automatic temperature and humidity controls for {ACRONYM} must prevent fluctuations potentially harmful to {ACRONYM}. {ACRONYM} is required to fulfill this requirement as {ACRONYM} is strictly a tenant of the facility.

Are automatic temperature and humidity controls available?

☐ No  ☐ Yes

If Yes, do they provide an alarm or notification of changes potentially harmful to personnel or equipment?

☐ No  ☐ Yes

If Yes, are they set within DoD specified guidelines? (64.4 – 80.6 °F; 45% – 60% relative humidity; dew point 41.9 – 59 °F; measured at the air intake inlet of the IT equipment casing; for other systems, levels within manufacturer specifications)

☐ No  ☐ Yes

Are temperature and humidity levels continuously monitored, unless manufacturer specifications allow a wide enough tolerance that control is not required?

☐ No  ☐ Yes

5.3 Water Damage Protection

{ACRONYM} is required to implement master shutoff valves for water sources. Master shutoff valves for {ACRONYM} must be installed and accessible. {ACRONYM} is required to fulfill this requirement as {ACRONYM} is strictly a tenant of the facility.

Are master shutoff valves installed?  ☐ No  ☐ Yes

If Yes, is inspection documentation (e.g., inspection form, tag attached to valve) available?  ☐ No  ☐ Yes

The following key personnel have knowledge of the location and activation procedures for master shutoff valves and any other relevant documents or records:

Personnel / Role | Master Shutoff Valve Location | Notes
Public Works | {REQUIRED} |

Table 10 – Water Damage Control Roles

Are water detection mechanisms installed?  ☐ No  ☐ Yes

If Yes, do they provide automated alerts upon water detection?  ☐ No  ☐ Yes


The following list identifies automated mechanisms to detect the presence of water in the vicinity of the information system and personnel or roles that are alerted:

Automated Mechanisms | Personnel / Role | Notes
 | Public Works |

Table 11 – Water Presence Detection

6.0 DELIVERY AND REMOVAL

Delivery and removal of {ACRONYM} components must be documented to ensure the actions were authorized. The following process/documentation exists to ensure a detailed and accurate record of all {ACRONYM} components that enter and exit the facility:

Action | Process / Documentation | Notes
Entrance into Facility | Base Receiving | All components must be delivered to the Base Receiving office prior to distribution to the system. Base Receiving applies a unique tracking number to the component for inventory purposes.
Exit from Facility | Disposal Process | All components follow the {COMMAND} Disposal Policy or Surplus process for components that exit the facility.

Table 12 – Delivery and Removal Procedures

{ACRONYM} documents all system components entering and exiting the facility and visually inspects the controls (e.g., logs, scans, etc.) to ensure implementation. Logs are contained in Enclosure 3.

7.0 ALTERNATE WORK SITE

{ACRONYM} is required to implement physical security controls for alternate worksites. {ACRONYM} must define security controls to employ at alternate work sites, which must include all applicable building and safety codes for the {ACRONYM} environment. {ACRONYM} is required to fulfill this requirement as {ACRONYM} is strictly a tenant of the facility. This requirement does not apply to Telework activities.

Are alternate worksites authorized?  ☐ No  ☐ Yes

If Yes, are all security controls identified and compliant with all applicable building and safety codes?  ☐ No  ☐ Yes

The following list designates alternate worksite locations and requirement status:

Alternate Worksite | Security Controls | Contact | Assessment Date | Notes
Location Information | PE-2 thru PE-16, PE-18 thru PE-20 | | |

Table 13 – Alternate Worksite Controls

8.0 LOCATION OF INFORMATION SYSTEM COMPONENTS

8.1 System Position

It is {ACRONYM} policy to position all system components in the following manner:

- Deter viewing from unauthorized personnel
- Do not locate near water hazards
- Ensure proper HVAC temperature

Is {ACRONYM} positioned according to the environmental policy?  ☐ No  ☐ Yes

8.2 System Hazards

{ACRONYM} planned the location of the facility where {ACRONYM} resides with regard to physical and environmental hazards. {ACRONYM} has determined that the following environmental and physical hazards are applicable:

Hazard | Risk Level | Risk Mitigation | Notes
ENVIRONMENTAL HAZARDS
Dirt/Dust | Low | N/A | Facility is cleaned weekly
Water/Fluids | Low | N/A | Assets not located near water/fluid
Heat | Low | N/A | Temperature controls in place
Cold | Low | N/A | Temperature controls in place
Flooding/Hurricane | Low | N/A | Facility built to code
Snowfall | Low | N/A | Facility built to code
Fire | Low | N/A | Fire alarm and suppression systems are in place
PHYSICAL HAZARDS
Unlocked doors | Low | N/A | All doors are locked
Exposed wiring | Low | N/A | All wiring is to code
Facility structurally unsound | Low | N/A | Facility built to code
Spills | Low | N/A | Spills immediately cleaned

Table 14 – System Hazards

9.0 INFORMATION LEAKAGE

TEMPEST is a National Security Agency specification covering the study of, and countermeasures against, compromising emanations: unintentional radio or electrical signals, sounds, and vibrations that leak information from an information system and can be intercepted by an adversary. TEMPEST applies to Classified systems.


Is {ACRONYM} considered Classified?  ☐ No  ☐ Yes

If Yes, have measures to protect against compromising emanations been implemented according to DoD Directive S-5200.19?

☐ No  ☐ Yes

If Yes, has an examination of the TEMPEST countermeasures been reviewed and inspected to ensure those countermeasures have been implemented?

☐ No  ☐ Yes

10.0 ASSET MONITORING AND TRACKING

Asset monitoring and tracking ensures {ACRONYM} components are accounted for. {ACRONYM} tracks and monitors the location and movement of all components within controlled areas utilizing the following technologies:

Asset | Controlled Area | Technology Used | Applicable Laws, Directives, Regulations, Policies?
All Assets | Defined in SSP | Documentation – Hardware List | None
All Assets | Defined in SSP | ACAS – verify hardware list against scans | None
All Assets | Defined in SSP | {LOCAL TECHNOLOGY} | None

Table 15 – Asset Monitoring and Tracking
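The "verify hardware list against scans" check in Table 15, as an added example that is not from the template or from ACAS: it reconciles a constructed SSP hardware list with a constructed scan export, keyed on MAC address, and reports devices seen on the network but absent from the list, listed assets the scan did not see, and listed assets whose IP no longer matches the record. The column names and the CSV shape of the scan export are assumptions; the plan does not describe the ACAS export format.

```python
"""Reconcile the SSP hardware list against network scan results.

Added example; not code from the template or from ACAS. Inputs are constructed
and their CSV columns are assumptions (the plan does not describe the ACAS
export format).
"""
import csv
import io

# Constructed SSP hardware list (the "Documentation – Hardware List" row in Table 15).
HARDWARE_LIST_CSV = """\
asset_tag,hostname,mac,ip
TAG-0001,srv-app-01,00:1A:2B:3C:4D:01,10.10.1.11
TAG-0002,srv-db-01,00:1A:2B:3C:4D:02,10.10.1.12
TAG-0003,ws-admin-01,00:1A:2B:3C:4D:03,10.10.1.50
"""

# Constructed scan export; "ip,mac,hostname" columns are a hypothetical layout.
SCAN_RESULTS_CSV = """\
ip,mac,hostname
10.10.1.11,00-1a-2b-3c-4d-01,srv-app-01
10.10.1.13,00-1a-2b-3c-4d-02,srv-db-01
10.10.1.77,ac-de-48-00-11-22,
"""


def norm_mac(mac):
    """Canonical lowercase colon-separated MAC, so '00-1A-..' and '00:1a:..' compare equal."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def load_rows(text):
    """Parse a CSV string with a header row into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(hardware_rows, scan_rows):
    """Compare the inventory with what the scanner actually saw, keyed on MAC.

    Returns a dict of three lists:
      unknown    - scan rows whose MAC is on no asset record (possible
                   unauthorized device; check the Delivery and Removal Log)
      missing    - inventory rows the scan did not see (removed, moved or
                   powered off; verify against Enclosure 3)
      ip_changed - (hostname, recorded_ip, observed_ip) for inventory rows
                   seen at a different address than recorded
    """
    inventory = {norm_mac(r["mac"]): r for r in hardware_rows}
    seen = {norm_mac(r["mac"]): r for r in scan_rows}
    return {
        "unknown": [seen[m] for m in sorted(seen) if m not in inventory],
        "missing": [inventory[m] for m in sorted(inventory) if m not in seen],
        "ip_changed": [
            (inventory[m]["hostname"], inventory[m]["ip"], seen[m]["ip"])
            for m in sorted(inventory)
            if m in seen and inventory[m]["ip"] != seen[m]["ip"]
        ],
    }


def run_reconciliation():
    """Run the comparison over the constructed hardware list and scan export."""
    return reconcile(load_rows(HARDWARE_LIST_CSV), load_rows(SCAN_RESULTS_CSV))


if __name__ == "__main__":
    result = run_reconciliation()
    for row in result["unknown"]:
        print(f"UNKNOWN DEVICE  {row['ip']} {row['mac']} hostname={row['hostname'] or '?'}")
    for row in result["missing"]:
        print(f"NOT SEEN        {row['asset_tag']} {row['hostname']} last known {row['ip']}")
    for host, old, new in result["ip_changed"]:
        print(f"IP CHANGED      {host} {old} -> {new}")
```

Keying on MAC rather than hostname or IP is deliberate: a device that was swapped or moved keeps its record only if its MAC is unchanged, so an "unknown" hit is a real candidate for a component that entered the facility outside the Base Receiving process in Table 12, and a "missing" hit is one to check against the Enclosure 3 removal log before assuming it is merely powered off.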


APPENDIX A – DETAILED COMPLIANCE MATRIX


The following table provides traceability between this document and the Assessment Procedures contained within NIST Special Publication 800-53A Revision 4, "Assessing Security and Privacy Controls in Federal Information Systems and Organizations".

Control Number | Assessment Number | CCI | Confidentiality | Integrity | Availability | Assessment Procedures | Reference

PE-1 | PE-1 (a) | CCI-002908 | C: High/Moderate/Low | I: High/Moderate/Low | A: High/Moderate/Low
Assessment Procedure: The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the roles as organizational personnel with physical and environmental protection responsibilities.
Reference: Automatically compliant with this CCI because they are covered at the DoD level

PE-1 | PE-1 (a) | CCI-002909 | C: High/Moderate/Low | I: High/Moderate/Low | A: High/Moderate/Low
Assessment Procedure: The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the roles as organizational personnel with physical and environmental protection responsibilities.
Reference: Automatically compliant with this CCI because they are covered at the DoD level

PE-1 | PE-1 (a) (1) | CCI-000904 | C: High/Moderate/Low | I: High/Moderate/Low | A: High/Moderate/Low
Assessment Procedure: DoDI 5200.08 and DoD 5200.08-R meet the requirement for Physical and Environmental Policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policies, DoDI 5200.08 and DoD 5200.08-R.
Reference: Automatically compliant with this CCI because they are covered at the DoD level


PE-1 | PE-1 (a) (1) | CCI-000905 | C: High/Moderate/Low | I: High/Moderate/Low | A: High/Moderate/Low
Assessment Procedure: DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDD 5200.08 and DoD 5200.08-R. DoD has defined the personnel or roles as organizational personnel with physical and environmental protection responsibilities.
Reference: Automatically compliant with this CCI because they are covered at the DoD level

PE-1 | PE-1 (a) (2) | CCI-000908 | C: High/Moderate/Low | I: High/Moderate/Low | A: High/Moderate/Low
Assessment Procedure: DoD Components are automatically compliant with this CCI because they are covered by the DoD level policies, DoDI 5200.08 and DoD 5200.08-R.
Reference: Automatically compliant with this CCI because they are covered at the DoD level

PE-1 | PE-1 (a) (2) | CCI-000909 | C: High/Moderate/Low | I: High/Moderate/Low | A: High/Moderate/Low
Assessment Procedure: DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDD 5200.08 and DoD 5200.08-R. DoD has defined the personnel or roles as organizational personnel with physical and environmental protection responsibilities.
Reference: Automatically compliant with this CCI because they are covered at the DoD level

PE-1 | PE-1 (b) (1) | CCI-000907 | C: High/Moderate/Low | I: High/Moderate/Low | A: High/Moderate/Low
Assessment Procedure: The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as reviewed annually and updated as appropriate, but at least within 10 years of the date of issuance.
Reference: Automatically compliant with this CCI because they are covered at the DoD level

PE-1 | PE-1 (b) (1) | CCI-000906 | C: High/Moderate/Low | I: High/Moderate/Low | A: High/Moderate/Low
Assessment Procedure: DoDI 5200.08 and DoD 5200.08-R meet the requirement for Physical and Environmental Policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policies, DoDI 5200.08 and DoD 5200.08-R. DoD has defined the frequency as reviewed annually and updated as appropriate, but at least within 10 years of the date of issuance.
Reference: Automatically compliant with this CCI because they are covered at the DoD level

PE-1 | PE-1 (b) (2) | CCI-000911 | C: High/Moderate/Low | I: High/Moderate/Low | A: High/Moderate/Low
Assessment Procedure: The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as reviewed annually and updated as appropriate.
Reference: Automatically compliant with this CCI because they are covered at the DoD level

PE-1 | PE-1 (b) (2) | CCI-000910 | C: High/Moderate/Low | I: High/Moderate/Low | A: High/Moderate/Low
Assessment Procedure: DoD Components are automatically compliant with this CCI because they are covered by the DoD level policies, DoDI 5200.08 and DoD 5200.08-R. DoD has defined the frequency as reviewed annually and updated as appropriate.
Reference: Automatically compliant with this CCI because they are covered at the DoD level


PE-10 | PE-10 (a) | CCI-000956 | Applicability: High/Moderate
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines documentation of the capability to shut off the power to facilities or areas within facilities containing concentrations of information system resources (e.g., datacenters, server rooms, mainframe computer rooms) in emergency situations. The purpose is to validate that the organization has provided the capability of shutting off power in emergency situations.
Reference: Section 4.2

PE-10 | PE-10 (b) | CCI-000957 | Applicability: High/Moderate
Assessment Procedure: The organization conducting the inspection/assessment will physically inspect emergency shutoff switches or devices for placement to validate that the organization has installed the emergency shutoff switches or devices near more than one egress point of the IT area and ensures they are labeled and protected by a cover to prevent accidental shut-off, so as to facilitate safe and easy access for personnel. DoD has defined the location as near more than one egress point of the IT area and ensures it is labeled and protected by a cover to prevent accidental shut-off.
Reference: Section 4.2


PE-10 | PE-10 (b) | CCI-000958 | Applicability: High/Moderate
Assessment Procedure: The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the location as near more than one egress point of the IT area and ensures it is labeled and protected by a cover to prevent accidental shut-off.
Reference: Automatically compliant with this CCI because they are covered at the DoD level

PE-10 | PE-10 (c) | CCI-000959 | Applicability: High/Moderate
Assessment Procedure: The organization conducting the inspection/assessment will ensure that the inspected organization has protected emergency power shutoff capability. DoD has defined the location as near more than one egress point of the IT area and ensures it is labeled and protected by a cover to prevent accidental shut-off.
Reference: Section 4.2

PE-11 | PE-11 | CCI-002955 | Applicability: High/Moderate
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines documentation identifying the capacity of the implemented uninterruptible power supply, documentation identifying the power requirements of the system, and documentation identifying the contingency plan in the event of primary power source loss to ensure the organization being inspected/assessed provides uninterruptible power supply with sufficient capacity to support orderly shutdown of the system or transition the system to long-term alternate power in the event of a primary power source loss.
Reference: Section 4.3

PE-11 (1) | PE-11 (1) | CCI-000961 | Applicability: High
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines the list of physical IT assets within the boundary of the information system that require a long term alternate power supply. Physically inspect a sample from the list to ensure that long term power supply capability supporting minimal operational capability has been provided.
Reference: The system is not considered a HIGH level. Therefore, this AP is not applicable.

PE-11 (2) | PE-11 (2) (a) | CCI-002956 | C: (blank) | I: (blank) | A: (blank)
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines documentation identifying the implemented alternate power supply to ensure the organization being inspected/assessed implements a long-term alternate power supply for the information system that is self-contained.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.

PE-11 (2) | PE-11 (2) (b) | CCI-002957 | C: (blank) | I: (blank) | A: (blank)
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines documentation identifying the implemented alternate power supply to ensure the organization being inspected/assessed implements a long-term alternate power supply for the information system that is not reliant on external power generation.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.


PE-11 (2) | PE-11 (2) (c) | CCI-002958 | C: (blank) | I: (blank) | A: (blank)
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines documentation identifying the implemented alternate power supply to ensure the organization being inspected/assessed implements a long-term alternate power supply for the information system that is capable of maintaining minimally required operational capability or full operational capability in the event of an extended loss of the primary power source.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.

PE-12 | PE-12 | CCI-000963 | Applicability: High/Moderate/Low
Assessment Procedure: The organization conducting the inspection/assessment conducts visual inspections and interviews physical security personnel to validate the organization is in compliance with established OSHA requirements by employing and maintaining emergency lighting for the information system, that the emergency lighting activates in the event of a power outage or disruption, and that it covers emergency exits and evacuation routes within the facility.
Reference: Section 4.4

PE-12 (1) | PE-12 (1) | CCI-002959 | C: (blank) | I: (blank) | A: (blank)
Assessment Procedure: The organization conducting the inspection/assessment inspects areas within the facility supporting essential missions to ensure emergency lighting is implemented.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.


PE-12 (1) | PE-12 (1) | CCI-002960 | C: (blank) | I: (blank) | A: (blank)
Assessment Procedure: The organization conducting the inspection/assessment inspects areas within the facility supporting essential business functions to ensure emergency lighting is implemented.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.

PE-13 | PE-13 | CCI-000965 | Applicability: High/Moderate/Low
Assessment Procedure: The organization conducting the inspection/assessment will conduct visual observation and interview organizational personnel with responsibilities for fire detection and suppression devices/systems. The purpose of the reviews and interviews is to validate the fire suppression and detection devices/systems for the information system are supported by an independent energy source.
Reference: Section 5.1

PE-13 (1) | PE-13 (1) | CCI-002961 | Applicability: High
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines the documented evidence of fire detection devices/systems to ensure the organization being inspected/assessed employs fire detection devices/systems for the information system that activate automatically.
Reference: The system is not considered a HIGH level. Therefore, this AP is not applicable.


PE-13 (1) | PE-13 (1) | CCI-002962 | Applicability: High
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines the documented evidence of fire detection devices/systems to ensure the organization being inspected/assessed employs fire detection devices/systems for the information system that automatically activate to notify personnel or roles defined in PE-13 (1), CCI 2963 and emergency responders defined in PE-13 (1), CCI 2964 in the event of a fire.
Reference: The system is not considered a HIGH level. Therefore, this AP is not applicable.

PE-13 (1) | PE-13 (1) | CCI-002963 | Applicability: High
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines the documented personnel or roles to ensure the organization being inspected/assessed defines the personnel or roles to be notified in the event of a fire. DoD has determined the personnel or roles are not appropriate to define at the Enterprise level.
Reference: The system is not considered a HIGH level. Therefore, this AP is not applicable.

PE-13 (1) | PE-13 (1) | CCI-002964 | Applicability: High
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines the documented emergency responders to ensure the organization being inspected/assessed defines the emergency responders to be notified in the event of a fire. DoD has determined the emergency responders are not appropriate to define at the Enterprise level.
Reference: The system is not considered a HIGH level. Therefore, this AP is not applicable.

PE-13 (2) | PE-13 (2) | CCI-002965 | Applicability: High
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines the documented evidence of fire detection devices/systems to ensure the organization being inspected/assessed employs fire suppression devices/systems for the information system that provide automatic notification of any activation to organization-defined personnel or roles and organization-defined emergency responders.
Reference: The system is not considered a HIGH level. Therefore, this AP is not applicable.

PE-13 (2) | PE-13 (2) | CCI-002966 | Applicability: High
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines the documented personnel or roles to ensure the organization being inspected/assessed defines the personnel or roles to be automatically notified of any activation of fire suppression devices/systems for the information system. DoD has determined the personnel or roles are not appropriate to define at the Enterprise level.
Reference: The system is not considered a HIGH level. Therefore, this AP is not applicable.


PE-13 (2) | PE-13 (2) | CCI-002967 | Applicability: High
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines the documented emergency responders to ensure the organization being inspected/assessed defines the emergency responders to be automatically notified of any activation of fire suppression devices/systems for the information system. DoD has determined the emergency responders are not appropriate to define at the Enterprise level.
Reference: The system is not considered a HIGH level. Therefore, this AP is not applicable.

PE-13 (3) | PE-13 (3) | CCI-000968 | Applicability: High/Moderate
Assessment Procedure: The organization conducting the inspection/assessment conducts visual inspections and interviews physical security/safety personnel to validate the organization has installed and implemented an automatic fire suppression capability which is operational during those times the facility is not staffed.
Reference: Section 5.1

PE-13 (4) | PE-13 (4) | CCI-002968 | Applicability: High
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines the record of inspections to ensure the organization being inspected/assessed implements a process to undergo fire protection inspections by authorized and qualified inspectors annually. DoD has defined the frequency as annually.
Reference: The system is not considered a HIGH level. Therefore, this AP is not applicable.


PE-13 (4) | PE-13 (4) | CCI-002970 | Applicability: High
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines past facility fire protection inspection reports and inspects the facility to ensure all deficiencies identified are resolved in 60 days. DoD has defined the time period as 60 days.
Reference: The system is not considered a HIGH level. Therefore, this AP is not applicable.

PE-13 (4) | PE-13 (4) | CCI-002969 | Applicability: High
Assessment Procedure: The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as annually.
Reference: Automatically compliant with this CCI because they are covered at the DoD level

PE-13 (4) | PE-13 (4) | CCI-002971 | Applicability: High
Assessment Procedure: The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the time period as 60 days.
Reference: Automatically compliant with this CCI because they are covered at the DoD level

PE-14 (1) | PE-14 (1) | CCI-000975 | C: (blank) | I: (blank) | A: (blank)
Assessment Procedure: The organization conducting the inspection/assessment conducts visual inspections and interviews personnel responsible for maintaining automatic temperature and humidity controls to validate the organization is employing automatic temperature and humidity controls for the information system to prevent fluctuations potentially harmful to the information system.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.


PE-14 (2) | PE-14 (2) | CCI-000976 | C: (blank) | I: (blank) | A: (blank)
Assessment Procedure: The organization conducting the inspection/assessment conducts visual inspections and interviews personnel responsible for maintaining automatic temperature and humidity controls to validate the inspected organization is employing automatic temperature and humidity controls that provide an alarm or notification of changes potentially harmful to personnel or equipment.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.


PE-14 | PE-14 (a) | CCI-000971 | Applicability: High/Moderate/Low
Assessment Procedure: The organization conducting the inspection/assessment reviews temperature and humidity controls to validate that they are set within DoD specified guidelines. DoD has defined the acceptable levels as, for commercial grade information systems: 64.4 – 80.6 degrees F; 45% – 60% Relative Humidity; Dew Point 41.9 °F – 59 °F; measured at the air intake inlet of the IT equipment casing; for other systems, levels within manufacturer specifications.
Reference: Section 5.2


PE-14 | PE-14 (a) | CCI-000972 | Applicability: High/Moderate/Low
Assessment Procedure: The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the acceptable levels as, for commercial grade information systems: 64.4 – 80.6 degrees F; 45% – 60% Relative Humidity; Dew Point 41.9 °F – 59 °F; measured at the air intake inlet of the IT equipment casing; for other systems, levels within manufacturer specifications.
Reference: Automatically compliant with this CCI because they are covered at the DoD level

PE-14 | PE-14 (b) | CCI-000973 | Applicability: High/Moderate/Low
Assessment Procedure: The organization conducting the inspection/assessment will visually observe the inspected organization's independent monitoring device, obtain and examine audit logs, and interview physical security/safety personnel to validate the inspected organization monitors temperature and humidity levels continuously unless manufacturer specifications allow for a wide enough tolerance that control is not required. DoD has defined the frequency as continuously unless manufacturer specifications allow for a wide enough tolerance that control is not required.
Reference: Section 5.2

PE-14 | PE-14 (b) | CCI-000974 | Applicability: High/Moderate/Low
Assessment Procedure: The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as continuously unless manufacturer specifications allow for a wide enough tolerance that control is not required.
Reference: Automatically compliant with this CCI because they are covered at the DoD level

PE-15 | PE-15 | CCI-000977 | Applicability: High/Moderate/Low
Assessment Procedure: The organization conducting the inspection/assessment will inspect the master shutoff valves to ensure they are installed and accessible.
Reference: Section 5.3

PE-15 | PE-15 | CCI-000978 | Applicability: High/Moderate/Low
Assessment Procedure: The organization conducting the inspection/assessment will visually inspect master shutoff valve inspection documentation (e.g., inspection form, tag attached to valve).
Reference: Section 5.3

PE-15 | PE-15 | CCI-000979 | Applicability: High/Moderate/Low
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines the list of key personnel with knowledge of the location and activation procedures for master shutoff valves and any other relevant documents or records. Interview key personnel from the list to determine if identified key personnel within the organization have knowledge of the master shutoff valves.
Reference: Section 5.3

PE-15 (1) | PE-15 (1) | CCI-002972 | Applicability: High
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines documentation identifying water detection mechanisms to ensure the organization being inspected/assessed implements automated mechanisms to detect the presence of water in the vicinity of the information system and alerts personnel or roles defined in PE-15 (1), CCI 2973.
Reference: The system is not considered a HIGH level. Therefore, this AP is not applicable.

PE-15 (1) | PE-15 (1) | CCI-002973 | Applicability: High
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines the documented personnel or roles to ensure the organization being inspected/assessed defines the personnel or roles to be alerted when automated mechanisms detect the presence of water in the vicinity of the information system. DoD has determined the personnel or roles are not appropriate to define at the Enterprise level.
Reference: The system is not considered a HIGH level. Therefore, this AP is not applicable.

PE-16 | PE-16 | CCI-000981 | C: High/Moderate/Low | I: High/Moderate/Low | A: High/Moderate/Low
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines records authorizing all system components entering and exiting the facility. DoD has defined the types of information system components as all system components.
Reference: Section 6.0

PE-16 | PE-16 | CCI-000982 | C: High/Moderate/Low | I: High/Moderate/Low | A: High/Moderate/Low
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines records monitoring all system components entering and exiting the facility. DoD has defined the types of information system components as all system components.
Reference: Section 6.0


PE-16 | PE-16 | CCI-000983 | C: High/Moderate/Low | I: High/Moderate/Low | A: High/Moderate/Low
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines the physical and environmental protection plan to determine if controls have been documented for all system components entering and exiting the facility and visually inspects the controls (e.g., logs, scans, etc.) to ensure implementation. DoD has defined the types of information system components as all system components.
Reference: Section 6.0

PE-16 | PE-16 | CCI-000984 | C: High/Moderate/Low | I: High/Moderate/Low | A: High/Moderate/Low
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines records of physical entry and exit events to the facility. The purpose of the reviews is to ensure the organization is maintaining detailed and accurate records of information system components that enter and exit the facility. If the organization is following GRS 18, Section 12 they are automatically compliant.
Reference: Section 6.0

PE-16 | PE-16 | CCI-002974 | C: High/Moderate/Low | I: High/Moderate/Low | A: High/Moderate/Low
Assessment Procedure: The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the types of information system components as all system components.
Reference: Automatically compliant with this CCI because they are covered at the DoD level

PE-17 | PE-17 (a) | CCI-000985 | C: High/Moderate | I: High/Moderate | A: High/Moderate
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines the alternate work site policy of the organization being inspected/assessed to ensure the organization implements security controls defined in PE-17, CCI 2975 at alternate work sites.
Reference: Section 7.0

PE-17 | PE-17 (a) | CCI-002975 | C: High/Moderate | I: High/Moderate | A: High/Moderate
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines the documented security controls to ensure the organization being inspected/assessed defines security controls to employ at alternate work sites, which must include all applicable building and safety codes for the information system's environment. DoD has determined the security controls are not appropriate to define at the Enterprise level, but must include all applicable building and safety codes for the information system's environment.
Reference: Section 7.0

PE-17 | PE-17 (b) | CCI-000987 | C: High/Moderate | I: High/Moderate | A: High/Moderate
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines:
1. The procedures for assessing the effectiveness of alternate work site security controls.
2. The audit records of assessments they have conducted of security controls effectiveness for alternate work sites.
Reference: Section 7.0

PE-17 | PE-17 (c) | CCI-000988 | C: High/Moderate | I: High/Moderate | A: High/Moderate
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines contact information for appropriate security personnel to ensure its accuracy and dissemination.
Reference: Section 7.0


PE-18 PE-18 CCI-000989 High The organization conducting the inspection/assessment reviews the physical and environmental protection policy developed in PE-1, CCI 000904 to validate that the systems have been positioned according to the environmental policy.

The system is not considered a HIGH level. Therefore, this AP is not applicable.

PE-18 PE-18 CCI-000991 High The organization conducting the inspection/assessment reviews the physical and environmental protection policy developed in PE-1, CCI 000904 to validate that the systems have been positioned according to the environmental policy.

The system is not considered a HIGH level. Therefore, this AP is not applicable.

PE-18 PE-18 CCI-002976 High The organization conducting the inspection/assessment obtains and examines the documented physical and environmental hazards to ensure the organization being inspected/assessed defines physical and environmental hazards that could cause potential damage to information system components within the facility. DoD has determined the physical and environmental hazards are not appropriate to define at the Enterprise level.

The system is not considered a HIGH level. Therefore, this AP is not applicable.

PE-18 (1) PE-18 (1) CCI-002977 blank blank blank The organization conducting the inspection/assessment obtains and examines the documented rationale to ensure the organization being inspected/assessed plans the location or site of the facility where the information system resides with regard to physical and environmental hazards.

NIST has not allocated this AP. Therefore, this AP is not applicable.

PE-18 (1) | PE-18 (1) | CCI-002978 | blank | blank | blank
Assessment Procedures: The organization conducting the inspection/assessment obtains and examines the physical and environmental risk assessment to ensure the organization being inspected/assessed considers the physical and environmental hazards in its risk mitigation strategy for existing facilities.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.

PE-19 | PE-19 | CCI-000993 | blank | blank | blank
Assessment Procedures: The organization conducting the inspection/assessment obtains and examines the TEMPEST countermeasures review and inspects the information system to ensure those countermeasures have been implemented.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.

PE-19 (1) | PE-19 (1) | CCI-000994 | blank | blank | blank
Assessment Procedures: The organization conducting the inspection/assessment obtains and examines the TEMPEST countermeasures review and inspects the information system to ensure those countermeasures have been implemented.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.

PE-2 (1) | PE-2 (1) | CCI-000916 | blank | blank | blank
Assessment Procedures: The organization conducting the inspection/assessment obtains and examines: 1. The list of roles or positions that have access to the facility where the information system resides. 2. The list of personnel assigned to those roles. Recommended: 3. Access logs to verify access to the facility was authorized based on the appropriate roles and positions.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.

PE-2 (2) | PE-2 (2) | CCI-000917 | blank | blank | blank
Assessment Procedures: The organization conducting the inspection/assessment obtains and examines the inspected organization's physical security policy for requirements and implementation guidance to have two forms of identification defined in PE-2 (2), CCI 2912 and physical access control logs or records; and any other relevant documents or records to validate compliance.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.

PE-2 (2) | PE-2 (2) | CCI-002912 | blank | blank | blank
Assessment Procedures: The organization conducting the inspection/assessment obtains and examines the documented list of acceptable forms of identification to ensure the organization being inspected/assessed defines a list of acceptable forms of identification for visitor access to the facility where the information system resides. DoD has determined the list of acceptable forms of identification is not appropriate to define at the Enterprise level.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.

PE-2 (3) | PE-2 (3) | CCI-002913 | blank | blank | blank
Assessment Procedures: The organization conducting the inspection/assessment obtains and examines the physical security policy to ensure the organization being inspected/assessed has selected one or more of the physical security requirements that must be met before unescorted access to the facility where the information system resides is granted.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.

PE-2 (3) | PE-2 (3) | CCI-002914 | blank | blank | blank
Assessment Procedures: The organization conducting the inspection/assessment obtains and examines the documented credentials to ensure the organization being inspected/assessed defines the credentials required for personnel to have unescorted access to the facility where the information system resides. DoD has determined the credentials are not appropriate to define at the Enterprise level.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.

PE-2 | PE-2 (a) | CCI-000912 | High, Moderate, Low | High, Moderate, Low | High, Moderate, Low
Assessment Procedures: The organization conducting the inspection/assessment obtains and examines the list of personnel with authorized access to facilities where information systems reside to ensure it is current within every 90 days. The review process should also determine if the organization has identified and officially designated its publicly accessible areas where access authorization is not required. DoD has defined the frequency as every 90 days.
Reference: Enclosure 1

PE-2 | PE-2 (a) | CCI-002910 | High, Moderate, Low | High, Moderate, Low | High, Moderate, Low
Assessment Procedures: The organization conducting the inspection/assessment obtains and examines the list of individuals currently authorized to access the facility where the information system resides and ensures it is formally approved.
Reference: Enclosure 1

PE-2 | PE-2 (a) | CCI-002911 | High, Moderate, Low | High, Moderate, Low | High, Moderate, Low
Assessment Procedures: The organization conducting the inspection/assessment obtains and examines the list of individuals to ensure the organization being inspected/assessed maintains a list of individuals currently authorized to access the facility where the information system resides.
Reference: Enclosure 1

PE-2 | PE-2 (b) | CCI-000913 | High, Moderate, Low | High, Moderate, Low | High, Moderate, Low
Assessment Procedures: The organization conducting the inspection/assessment obtains and examines documentation of credential issuing activities to ensure credentials are issued to personnel with authorized access.
Reference: Section 2.1

PE-2 | PE-2 (c) | CCI-000914 | High, Moderate, Low | High, Moderate, Low | High, Moderate, Low
Assessment Procedures: The organization conducting the inspection/assessment obtains and examines the audit records of the review actions to ensure that reviews are conducted every 90 days. DoD has defined the frequency as every 90 days.
Reference: Enclosure 1

PE-2 | PE-2 (c) | CCI-001635 | High, Moderate, Low | High, Moderate, Low | High, Moderate, Low
Assessment Procedures: The organization conducting the inspection/assessment obtains and examines the review and approval actions documentation to ensure that personnel no longer requiring access have been removed from the authorized access list and their credentials have been revoked.
Reference: Section 2.1

PE-2 | PE-2 (c) | CCI-000915 | High, Moderate, Low | High, Moderate, Low | High, Moderate, Low
Assessment Procedures: The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as every 90 days.
Reference: Automatically compliant with this CCI because they are covered at the DoD level.

PE-20 | PE-20 (a) | CCI-002979 | blank | blank | blank
Assessment Procedures: The organization conducting the inspection/assessment obtains and examines documentation reflecting asset location technologies in use to ensure the organization being inspected/assessed implements asset location technologies defined in PE-20, CCI 2980 to track and monitor the location and movement of assets defined in PE-20, CCI 2981 within controlled areas defined in PE-20, CCI 2982.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.

PE-20 | PE-20 (a) | CCI-002980 | blank | blank | blank
Assessment Procedures: The organization conducting the inspection/assessment obtains and examines the documented asset location technologies to ensure the organization being inspected/assessed defines asset location technologies to track and monitor the location and movement of organization-defined assets within organization-defined controlled areas. DoD has determined the asset location technologies are not appropriate to define at the Enterprise level.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.

PE-20 | PE-20 (a) | CCI-002981 | blank | blank | blank
Assessment Procedures: The organization conducting the inspection/assessment obtains and examines the documented assets to ensure the organization being inspected/assessed defines the assets within the organization-defined controlled areas which are to be tracked and monitored for their location and movement. DoD has determined the assets are not appropriate to define at the Enterprise level.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.

PE-20 | PE-20 (a) | CCI-002982 | blank | blank | blank
Assessment Procedures: The organization conducting the inspection/assessment obtains and examines the documented controlled areas to ensure the organization being inspected/assessed defines controlled areas in which the location and movement of organization-defined assets are tracked and monitored. DoD has determined the controlled areas are not appropriate to define at the Enterprise level.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.

PE-20 | PE-20 (b) | CCI-002983 | blank | blank | blank
Assessment Procedures: The organization conducting the inspection/assessment obtains and examines the documented list of any federal laws, Executive Orders, directives, regulations, policies, standards, and guidance applicable to the asset location technologies in use, as well as the documentation of asset tracking technologies per PE-20, CCI 2980, to ensure that the organization being inspected/assessed identifies any requirements (particularly privacy requirements) applicable to the asset tracking methodologies in use, and to ensure that the organization implements a process to meet those identified requirements.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.

PE-3 (1) | PE-3 (1) | CCI-000928 | High, Moderate, Low | High, Moderate, Low
Assessment Procedures: The organization conducting the inspection/assessment obtains and examines the documented list of additional physical access authorizations for the facility/facilities at physical spaces containing one or more components of the information system. The objective of the examination is to determine if the organization is enforcing additional physical access authorizations to areas of the facility at physical spaces containing one or more components of the information system defined in PE-3 (1), CCI 2926. These controls are independent of the physical access controls established for the facility.
Reference: Section 2.2

PE-3 (1) | PE-3 (1) | CCI-002926 | High, Moderate, Low | High, Moderate, Low
Assessment Procedures: The organization conducting the inspection/assessment obtains and examines the documented physical spaces to ensure the organization being inspected/assessed defines the physical spaces containing one or more components of the information system that require physical access authorizations and controls at the facility. DoD has determined the physical spaces are not appropriate to define at the Enterprise level.
Reference: Section 2.2

PE-3 (2) | PE-3 (2) | CCI-000929 | blank | blank | blank
Assessment Procedures: The organization conducting the inspection/assessment obtains and examines the documented procedures as well as the audit trail of security checks at the physical boundary to ensure the organization being inspected/assessed performs security checks at the physical boundary of the facility or information system at a minimum, annually. DoD has defined the frequency as at a minimum, annually.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.

PE-3 (2) | PE-3 (2) | CCI-002927 | blank | blank | blank
Assessment Procedures: The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as at a minimum, annually.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.

PE-3 (3) | PE-3 (3) | CCI-000930 | blank | blank | blank
Assessment Procedures: The organization conducting the inspection/assessment obtains the list of guards or alarms for every physical access point to the facility where the information system resides and visually verifies a sampling of access points to ensure the appropriate guard or alarm to monitor is in place 24 hours per day, 7 days per week.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.

PE-3 (4) | PE-3 (4) | CCI-000931 | blank | blank | blank
Assessment Procedures: The organization conducting the inspection/assessment performs a sample inspection of the lockable physical casings. The objective of the reviews is to validate the organization is using lockable physical casings to protect organization-defined information system components from unauthorized physical access.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.

PE-3 (4) | PE-3 (4) | CCI-000932 | blank | blank | blank
Assessment Procedures: The organization conducting the inspection/assessment obtains and examines the documented information system components to ensure the organization being inspected/assessed defines information system components to be protected from unauthorized physical access using lockable physical casings. DoD has determined the information system components are not appropriate to define at the Enterprise level.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.

PE-3 (5) | PE-3 (5) | CCI-000933 | blank | blank | blank
Assessment Procedures: The organization conducting the inspection/assessment inspects the information system to ensure the organization being inspected/assessed employs security safeguards defined in PE-3 (5), CCI 2928 to deter and/or prevent physical tampering or alteration of hardware components defined in PE-3 (5), CCI 2929 within the information system.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.

PE-3 (5) | PE-3 (5) | CCI-002928 | blank | blank | blank
Assessment Procedures: The organization conducting the inspection/assessment obtains and examines the documented security safeguards to ensure the organization being inspected/assessed defines security safeguards to detect and prevent physical tampering or alteration of organization-defined hardware components within the information system. DoD has determined the security safeguards are not appropriate to define at the Enterprise level.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.

PE-3 (5) | PE-3 (5) | CCI-002929 | blank | blank | blank
Assessment Procedures: The organization conducting the inspection/assessment obtains and examines the documented hardware components to ensure the organization being inspected/assessed defines hardware components within the information system to employ organization-defined security safeguards to detect and prevent physical tampering or alteration. DoD has determined the hardware components are not appropriate to define at the Enterprise level.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.

PE-3 (6) | PE-3 (6) | CCI-000934 | blank | blank | blank
Assessment Procedures: The organization conducting the inspection/assessment obtains and examines the inspected organization's physical security assessment plan and reviews documented results to ensure annual penetration testing of physical access points occurred. DoD has defined the frequency as annually.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.

PE-3 (6) | PE-3 (6) | CCI-000935 | blank | blank | blank
Assessment Procedures: The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as annually.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.

PE-3 | PE-3 (a) | CCI-000919 | High, Moderate, Low | High, Moderate, Low | High, Moderate, Low
Assessment Procedures: The organization conducting the inspection/assessment performs a physical inspection of facility entry/exit points defined in PE-3, CCI 2915 to ensure that either physical access authorization controls are in place for those access points considered normal access points or are properly secured. Physical access points that are not documented or are not secured would be a failure of this control.
Reference: Section 2.2.2

PE-3 | PE-3 (a) | CCI-002915 | High, Moderate, Low | High, Moderate, Low | High, Moderate, Low
Assessment Procedures: The organization conducting the inspection/assessment obtains and examines the documented entry/exit points and inspects the facility to ensure that all entry/exit points are documented. DoD has determined the entry/exit points are not appropriate to define at the Enterprise level.
Reference: Section 2.2.2

PE-3 | PE-3 (a) (1) | CCI-000920 | High, Moderate, Low | High, Moderate, Low | High, Moderate, Low
Assessment Procedures: The organization conducting the inspection/assessment obtains and examines the access authorization list of personnel that have access to the facility (per access list implemented through PE-2, CCI 000912) where the information system resides. Inspect selected facilities to confirm the inspected organization is granting access at all physical access points to only authorized personnel.
Reference: Enclosure 1

PE-3 | PE-3 (a) (2) | CCI-002916 | High, Moderate, Low | High, Moderate, Low | High, Moderate, Low
Assessment Procedures: The organization conducting the inspection/assessment obtains and examines the documented physical access control systems/devices to ensure the organization being inspected/assessed defines the physical access control systems/devices or guards that control ingress/egress to the facility. DoD has determined the physical access control systems/devices are not appropriate to define at the Enterprise level.
Reference: Section 2.2; Section 2.2.5

PE-3 | PE-3 (a) (2) | CCI-000921 | High, Moderate, Low | High, Moderate, Low | High, Moderate, Low
Assessment Procedures: The organization conducting the inspection/assessment obtains and examines the list of physical access control devices and/or guards in use defined in PE-3, CCI 2916 and conducts random inspections of entry points. The purpose is to determine whether the organization is using those physical access devices and/or guards to control entry of personnel into the facility hosting the information system.
Reference: Section 2.2; Section 2.2.5

PE-3 | PE-3 (b) | CCI-002917 | High, Moderate, Low | High, Moderate, Low | High, Moderate, Low
Assessment Procedures: The organization conducting the inspection/assessment obtains and examines the physical access audit logs and compares the logged entry with known access to those entry points to ensure the organization being inspected/assessed maintains physical access audit logs for entry/exit points defined in PE-3, CCI 2918. Instances of access that will be compared with the audit logs include, at a minimum, access as part of the inspection/assessment. Comparison of other entry/exit events required elsewhere in system documentation that would have occurred before the inspection/assessment, such as daily checks and scheduled maintenance, is strongly encouraged and helps to establish a history of compliance/non-compliance.
Reference: Base Badge System; Enclosure 2
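The PE-3 (b) procedure above is a reconciliation: known access events (the assessment team's own entry, documented daily checks, scheduled maintenance) are looked up in the badge-system audit log, and any logged entry at an entry/exit point that is not on the documented list (PE-3, CCI 2918) is itself a finding. The following is an added example of that reconciliation, not code from the template or from any badge system. The log format, the entry-point names, the badge holders and the expected-event list are all constructed for illustration; a real export would need its own parser, and the five-minute tolerance window is an assumed allowance for clock skew between the badge controller and the assessor's notes.

```python
"""Reconcile physical access audit logs against known access events (PE-3 (b) style check).

Added example: the log format, entry points, badge holders and expected events
below are constructed for illustration and are not from any real badge system.
"""
from datetime import datetime, timedelta

# Constructed sample: badge-system export, one event per line:
# <ISO timestamp>,<entry point>,<badge holder>,<result>
SAMPLE_AUDIT_LOG = """\
2024-03-04T07:58:10,MAIN-LOBBY,J.DOE,GRANTED
2024-03-04T08:02:44,SERVER-ROOM-A,J.DOE,GRANTED
2024-03-04T08:05:01,SERVER-ROOM-A,A.SMITH,DENIED
2024-03-04T13:30:22,MAIN-LOBBY,ASSESSOR-01,GRANTED
2024-03-04T13:41:05,SERVER-ROOM-A,ASSESSOR-01,GRANTED
this line is not a valid record
2024-03-04T21:15:00,LOADING-DOCK,UNKNOWN,GRANTED
"""

# Constructed: entry/exit points the organization documented (PE-3, CCI 2918).
DOCUMENTED_ENTRY_POINTS = {"MAIN-LOBBY", "SERVER-ROOM-A", "SERVER-ROOM-B"}

# Constructed: access events known to have happened and therefore expected in the log.
# The assessor's own entry is the minimum; the daily check is one of the "other
# entry/exit events" the procedure encourages comparing.
KNOWN_EVENTS = [
    {"who": "ASSESSOR-01", "where": "SERVER-ROOM-A", "when": "2024-03-04T13:40:00"},
    {"who": "J.DOE", "where": "SERVER-ROOM-B", "when": "2024-03-04T06:00:00"},  # daily check
]


def parse_audit_log(text):
    """Parse the export into event dicts; malformed lines are counted, not dropped silently."""
    events, malformed = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(",")
        if len(parts) != 4:
            malformed += 1
            continue
        try:
            when = datetime.fromisoformat(parts[0])
        except ValueError:
            malformed += 1
            continue
        events.append({"when": when, "where": parts[1], "who": parts[2], "result": parts[3]})
    return events, malformed


def reconcile(log_text, known_events, documented_points, tolerance_min=5):
    """Return findings: known events missing from the log, entries at undocumented
    points, denied attempts, and the count of unparseable lines."""
    events, malformed = parse_audit_log(log_text)
    tol = timedelta(minutes=tolerance_min)  # assumed clock-skew allowance

    missing = []
    for k in known_events:
        expected_at = datetime.fromisoformat(k["when"])
        matched = any(
            e["who"] == k["who"]
            and e["where"] == k["where"]
            and e["result"] == "GRANTED"
            and abs(e["when"] - expected_at) <= tol
            for e in events
        )
        if not matched:
            missing.append(k)

    # Any granted entry at a point not on the documented list is a PE-3 (a) finding.
    undocumented = sorted({e["where"] for e in events if e["where"] not in documented_points})
    denied = sum(1 for e in events if e["result"] == "DENIED")

    return {
        "missing_known_events": missing,
        "undocumented_points": undocumented,
        "denied_attempts": denied,
        "malformed_lines": malformed,
    }


if __name__ == "__main__":
    findings = reconcile(SAMPLE_AUDIT_LOG, KNOWN_EVENTS, DOCUMENTED_ENTRY_POINTS)
    for key, value in findings.items():
        print(f"{key}: {value}")
```

Run against the constructed sample, the assessor's 13:40 entry matches the 13:41:05 log record within tolerance, the 06:00 daily check at SERVER-ROOM-B has no corresponding record (a gap the assessor would raise), LOADING-DOCK appears in the log but not on the documented entry-point list, one denied attempt is noted for follow-up, and one unparseable line is counted so that a truncated or tampered export does not pass silently.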

PE-3 | PE-3 (b) | CCI-002918 | High, Moderate, Low | High, Moderate, Low | High, Moderate, Low
Assessment Procedures: The organization conducting the inspection/assessment obtains and examines the documented entry/exit points to ensure the organization being inspected/assessed defines entry/exit points that require physical access audit logs be maintained. DoD has determined the entry/exit points are not appropriate to define at the Enterprise level.
Reference: Section 2.2.2

PE-3 | PE-3 (c) | CCI-002920 | High, Moderate, Low | High, Moderate, Low | High, Moderate, Low
Assessment Procedures: The organization conducting the inspection/assessment obtains and examines the documented security safeguards to ensure the organization being inspected/assessed defines security safeguards to control access to areas within the facility officially designated as publicly accessible. DoD has determined the security safeguards are not appropriate to define at the Enterprise level.
Reference: Section 2.2.3

PE-3 | PE-3 (c) | CCI-002919 | High, Moderate, Low | High, Moderate, Low | High, Moderate, Low
Assessment Procedures: The organization conducting the inspection/assessment obtains and examines the documentation of areas officially designated as publicly accessible to ensure the organization being inspected/assessed provides security safeguards defined in PE-3, CCI 2920 to control access to areas within the facility officially designated as publicly accessible.
Reference: Section 2.2.3

PE-3 | PE-3 (d) | CCI-002922 | High, Moderate, Low | High, Moderate, Low | High, Moderate, Low
Assessment Procedures: The organization conducting the inspection/assessment obtains and examines the documented circumstances to ensure the organization being inspected/assessed defines circumstances requiring visitor escorts. DoD has determined the circumstances are not appropriate to define at the Enterprise level.
Reference: Section 2.2.4

PE-3 | PE-3 (d) | CCI-002921 | High, Moderate, Low | High, Moderate, Low | High, Moderate, Low
Assessment Procedures: The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed escorts visitors during circumstances defined in PE-3, CCI 2922 requiring visitor escorts.
Reference: Section 2.2.4

PE-3 | PE-3 (d) | CCI-002924 | High, Moderate, Low | High, Moderate, Low | High, Moderate, Low
Assessment Procedures: The organization conducting the inspection/assessment obtains and examines the documented circumstances to ensure the organization being inspected/assessed defines circumstances requiring visitor monitoring. DoD has determined the circumstances are not appropriate to define at the Enterprise level.
Reference: Section 2.2.4

PE-3 | PE-3 (d) | CCI-002923 | High, Moderate, Low | High, Moderate, Low | High, Moderate, Low
Assessment Procedures: The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed monitors visitor activity during circumstances defined in PE-3, CCI 2924 requiring visitor monitoring.
Reference: Section 2.2.4

PE-3 | PE-3 (e) | CCI-000923 | High, Moderate, Low | High, Moderate, Low | High, Moderate, Low
Assessment Procedures: The organization conducting the inspection/assessment conducts physical inspections and interviews physical security/safety personnel to validate the organization has taken the proper precautions, and established the proper procedures, to ensure it has adequately secured its keys, combinations, and other physical devices.
Reference: Section 2.2.5

PE-3 | PE-3 (f) | CCI-000924 | High, Moderate, Low | High, Moderate, Low | High, Moderate, Low
Assessment Procedures: The organization conducting the inspection/assessment obtains and examines the records of inventory of minimally keys or any other physical token used to gain access to ensure the inventory is being conducted annually. DoD has defined the frequency as annually. DoD has defined the physical access devices as minimally keys or any other physical token used to gain access.
Reference: Section 2.2.5

PE-3 | PE-3 (f) | CCI-002925 | High, Moderate, Low | High, Moderate, Low | High, Moderate, Low
Assessment Procedures: The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the physical access devices as minimally keys or any other physical token used to gain access.
Reference: Automatically compliant with this CCI because they are covered at the DoD level.

PE-3 | PE-3 (f) | CCI-000925 | High, Moderate, Low | High, Moderate, Low | High, Moderate, Low
Assessment Procedures: The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as annually.
Reference: Automatically compliant with this CCI because they are covered at the DoD level.

PE-3 | PE-3 (g) | CCI-000926 | High, Moderate, Low | High, Moderate, Low | High, Moderate, Low
Assessment Procedures: The organization conducting the inspection/assessment obtains and examines documentation of these change actions to validate the organization is changing its keys and combinations upon occurrence of security-relevant events and when keys are lost, combinations are compromised, or individuals are transferred or terminated. DoD has defined the frequency as required by security-relevant events.
Reference: Section 2.2.5

PE-3 | PE-3 (g) | CCI-000927 | High, Moderate, Low | High, Moderate, Low | High, Moderate, Low
Assessment Procedures: The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as required by security-relevant event.
Reference: Automatically compliant with this CCI because they are covered at the DoD level.

PE-4 | PE-4 | CCI-000936 | High, Moderate | High, Moderate
Assessment Procedures: The organization conducting the inspection/assessment inspects the information system distribution and transmission lines defined in PE-4, CCI 2930 to ensure the security safeguards defined in PE-4, CCI 2931 are in place.
Reference: Section 2.3

FOR OFFICIAL USE ONLY 51

Page 56: Physical and Environmental Protection Plan · Web viewDoD Regulation 5200.08-R, "Physical Security Program", as amended Table of C ontents 1.0OVERVIEW1 2.0PHYSICAL AND ENVIRONMENTAL

FOR OFFICIAL USE ONLY{ACRONYM} {DATE}PHYSICAL AND ENVIRONMENTAL PROTECTION PLAN

Control Number

Assessment Number

CCI Confidentiality Integrity Availability Assessment Procedures

Reference

Control PE-4 / Assessment PE-4 / CCI-002930
Impact levels (C/I/A): High, Moderate
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines the documented information system distribution and transmission lines to ensure the organization being inspected/assessed defines information system distribution and transmission lines within organizational facilities to control physical access using organization-defined security safeguards. DoD has determined the information system distribution and transmission lines are not appropriate to define at the Enterprise level.
Reference: Section 2.3

Control PE-4 / Assessment PE-4 / CCI-002931
Impact levels (C/I/A): High, Moderate
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines the documented security safeguards to ensure the organization being inspected/assessed defines security safeguards to control physical access to organization-defined information system distribution and transmission lines within organizational facilities. DoD has determined the security safeguards are not appropriate to define at the Enterprise level.
Reference: Section 2.3

Control PE-5 / Assessment PE-5 / CCI-000937
Impact levels (C/I/A): High, Moderate
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines the list of additional access controls for output devices. Physical inspection is required to ensure these access controls are properly implemented.
Reference: Section 2.4

Control PE-5 (1) / Assessment PE-5 (1) (a) / CCI-002932
Impact levels (C/I/A): not allocated
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines the documented process and inspects the physical access controls surrounding a sampling of output devices to ensure the organization being inspected/assessed controls physical access to output from output devices defined in PE-5 (1), CCI 2933.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.

Control PE-5 (1) / Assessment PE-5 (1) (a) / CCI-002933
Impact levels (C/I/A): not allocated
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines the documented output devices to ensure the organization being inspected/assessed defines output devices for which physical access to output is controlled. DoD has determined the output devices are not appropriate to define at the Enterprise level.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.

Control PE-5 (1) / Assessment PE-5 (1) (b) / CCI-002934
Impact levels (C/I/A): not allocated
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines the documented process and inspects the physical access controls surrounding a sampling of output devices to ensure the organization being inspected/assessed ensures that only authorized individuals receive output from the output device defined in PE-5 (1), CCI 2933.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.

Control PE-5 (2) / Assessment PE-5 (2) (a) / CCI-002935
Impact levels (C/I/A): not allocated
Assessment Procedure: The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to control physical access to output from output devices defined in PE-5 (1), CCI 2933. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2935.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.

Control PE-5 (2) / Assessment PE-5 (2) (b) / CCI-002936
Impact levels (C/I/A): not allocated
Assessment Procedure: The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to link individual identity to receipt of the output from the output device defined in PE-5 (1), CCI 2933. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2936.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.

Control PE-5 (3) / Assessment PE-5 (3) / CCI-002937
Impact levels (C/I/A): not allocated
Assessment Procedure: The organization conducting the inspection/assessment inspects a sampling of information system components to ensure the organization being inspected/assessed marks all devices if the organizational facility contains classified information indicating the appropriate security marking of the information permitted to be output from the device. DoD has defined the information system output devices as all devices if the organizational facility contains classified information.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.

Control PE-5 (3) / Assessment PE-5 (3) / CCI-002938
Impact levels (C/I/A): not allocated
Assessment Procedure: The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the information system output devices as all devices if the organizational facility contains classified information.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.

Control PE-6 (1) / Assessment PE-6 (1) / CCI-000942
Impact levels (C/I/A): High, Moderate
Assessment Procedure: The organization conducting the inspection/assessment will observe and interview security personnel conducting monitoring activities to validate the organization is actively monitoring all physical intrusion alarms and surveillance equipment.
Reference: Section 2.5

Control PE-6 (2) / Assessment PE-6 (2) / CCI-002942
Impact levels (C/I/A): not allocated
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines hardware/software lists and/or any other documentation showing the use of automated intrusion detection systems to ensure the organization being inspected/assessed implements automated mechanisms to recognize classes/types of intrusions defined in PE-6 (2), CCI 2943.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.

Control PE-6 (2) / Assessment PE-6 (2) / CCI-002943
Impact levels (C/I/A): not allocated
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines the documented classes/types of intrusion to ensure the organization being inspected/assessed defines classes/types of intrusions to recognize using automated mechanisms. DoD has determined the classes/types of intrusions are not appropriate to define at the Enterprise level.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.

Control PE-6 (2) / Assessment PE-6 (2) / CCI-002944
Impact levels (C/I/A): not allocated
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines hardware/software lists and/or any other documentation showing the use of automated intrusion detection systems to ensure the organization being inspected/assessed implements automated mechanisms to initiate response actions defined in PE-6 (2), CCI 2945 to classes/types of intrusions defined in PE-6 (2), CCI 2943.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.

Control PE-6 (2) / Assessment PE-6 (2) / CCI-002945
Impact levels (C/I/A): not allocated
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines the documented response actions to ensure the organization being inspected/assessed defines response actions to initiate when organization-defined classes/types of intrusions are recognized. DoD has determined the response actions are not appropriate to define at the Enterprise level.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.

Control PE-6 (3) / Assessment PE-6 (3) / CCI-002946
Impact levels (C/I/A): not allocated
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines the documentation of video surveillance and a sampling of recorded video surveillance to ensure the organization being inspected/assessed employs video surveillance of operational areas defined in PE-6 (3), CCI 2947.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.

Control PE-6 (3) / Assessment PE-6 (3) / CCI-002947
Impact levels (C/I/A): not allocated
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines the documented operational areas to ensure the organization being inspected/assessed defines the operational areas to employ video surveillance. DoD has determined the operational areas are not appropriate to define at the Enterprise level.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.

Control PE-6 (3) / Assessment PE-6 (3) / CCI-002948
Impact levels (C/I/A): not allocated
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines the documented process and a sampling of recordings from within 90 days to ensure the organization being inspected/assessed retains video surveillance recordings for at a minimum 90 days. DoD has defined the time period as at a minimum 90 days.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.

Control PE-6 (3) / Assessment PE-6 (3) / CCI-002949
Impact levels (C/I/A): not allocated
Assessment Procedure: The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the time period as at a minimum 90 days.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.

Control PE-6 (4) / Assessment PE-6 (4) / CCI-002950
Impact levels (C/I/A): High
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines the documented process as well as the records of monitoring to ensure the organization being inspected/assessed monitors physical access to the information system in addition to the physical access monitoring of the facility as physical spaces containing one or more components of the information system defined in PE-6 (4), CCI 2951.
Reference: The system is not considered a HIGH level. Therefore, this AP is not applicable.

Control PE-6 (4) / Assessment PE-6 (4) / CCI-002951
Impact levels (C/I/A): High
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines the documented physical spaces to ensure the organization being inspected/assessed defines physical spaces containing one or more components of the information system in which physical access is monitored. DoD has determined the physical spaces are not appropriate to define at the Enterprise level.
Reference: The system is not considered a HIGH level. Therefore, this AP is not applicable.

Control PE-6 / Assessment PE-6 (a) / CCI-002939
Impact levels (C/I/A): High, Moderate, Low
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines the inspected organization's monitoring procedures addressing physical access monitoring. Organizational personnel with physical access monitoring responsibilities are to be interviewed. The objective of the reviews and interviews is to validate the organization is actively monitoring its physical access intrusion alarms and surveillance equipment to detect and respond to all physical access security incidents.
Reference: Section 2.5

Control PE-6 / Assessment PE-6 (b) / CCI-000939
Impact levels (C/I/A): High, Moderate, Low
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines the inspected organization's physical access logs or records; physical access incident reports; and any other relevant documents or records. The purpose of the reviews is to determine if the organization is conducting reviews of the physical access logs every 30 days. DoD has defined the frequency as every 30 days.
Reference: Section 2.5

Control PE-6 / Assessment PE-6 (b) / CCI-002941
Impact levels (C/I/A): High, Moderate, Low
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines the documented events or potential indications of events to ensure the organization being inspected/assessed defines events or potential indications of events requiring review of physical access logs. DoD has determined the events or potential indications of events are not appropriate to define at the Enterprise level.
Reference: Section 2.5

Control PE-6 / Assessment PE-6 (b) / CCI-002940
Impact levels (C/I/A): High, Moderate, Low
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines the documented process as well as the records of reviews to ensure the organization being inspected/assessed reviews physical access logs upon occurrence of events or potential indications of events defined in PE-6, CCI 2941.
Reference: Section 2.5

Control PE-6 / Assessment PE-6 (b) / CCI-000940
Impact levels (C/I/A): High, Moderate, Low
Assessment Procedure: The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as every 30 days.
Reference: Automatically compliant with this CCI because they are covered at the DoD level

Control PE-6 / Assessment PE-6 (c) / CCI-000941
Impact levels (C/I/A): High, Moderate, Low
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines documentation of physical security incidents to ensure coordination with the inspected organization's incident response capability occurred.
Reference: Section 2.5; Incident Response Plan

Control PE-8 (1) / Assessment PE-8 (1) / CCI-000950
Impact levels (C/I/A): High
Assessment Procedure: The organization conducting the inspection/assessment:
1. obtains documentation identifying the automated mechanism in use by the inspected organization to facilitate the maintenance and review of access records
2. observes the use of the automated mechanism by the inspected organization
Reference: The system is not considered a HIGH level. Therefore, this AP is not applicable.

Control PE-8 / Assessment PE-8 (a) / CCI-000947
Impact levels (C/I/A): High, Moderate, Low
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines visitor access records to determine if the organization is maintaining visitor access records to the facility where the information system resides for at least one year. DoD has defined the time period as at least one year.
Reference: Section 3.1; Enclosure 2

Control PE-8 / Assessment PE-8 (a) / CCI-002952
Impact levels (C/I/A): High, Moderate, Low
Assessment Procedure: The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the time period as at least one year.
Reference: Automatically compliant with this CCI because they are covered at the DoD level

Control PE-8 / Assessment PE-8 (b) / CCI-000948
Impact levels (C/I/A): High, Moderate, Low
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines the audit documentation of visitor access record review to ensure the inspected organization is conducting reviews every 30 days. DoD has defined the frequency as every 30 days.
Reference: Section 3.1; Enclosure 2

Control PE-8 / Assessment PE-8 (b) / CCI-000949
Impact levels (C/I/A): High, Moderate, Low
Assessment Procedure: The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as every 30 days.
Reference: Automatically compliant with this CCI because they are covered at the DoD level

Control PE-9 / Assessment PE-9 / CCI-000952
Impact levels (C/I/A): High, Moderate
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines the list of protective measures. Physical inspection of power equipment and power cabling will be done to ensure identified protective measures are in place.
Reference: Section 4.1

Control PE-9 (1) / Assessment PE-9 (1) / CCI-002953
Impact levels (C/I/A): not allocated
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines cabling diagrams or, if unavailable, inspects power cabling configuration to ensure the organization being inspected/assessed employs redundant power cabling paths that are physically separated by the distance defined in PE-9 (1), CCI 2954.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.

Control PE-9 (1) / Assessment PE-9 (1) / CCI-002954
Impact levels (C/I/A): not allocated
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines the documented distance to ensure the organization being inspected/assessed defines the distance to physically separate redundant power cabling paths. DoD has determined the distance is not appropriate to define at the Enterprise level.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.

Control PE-9 (2) / Assessment PE-9 (2) / CCI-000954
Impact levels (C/I/A): not allocated
Assessment Procedure: The organization conducting the inspection/assessment obtains the documentation of all mission-critical IT components required to have automatic voltage control mechanisms in place (IAW PE-9 (2), CCI 955) and performs a visual inspection of at least a sample of the components on that list to ensure automatic voltage control mechanisms are in place. DoD has defined the list of critical information system components as all IT Components Critical to Execution of Missions.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.

Control PE-9 (2) / Assessment PE-9 (2) / CCI-000955
Impact levels (C/I/A): not allocated
Assessment Procedure: The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the list of critical information system components as all IT Components Critical to Execution of Missions.
Reference: Automatically compliant with this CCI because they are covered at the DoD level

ENCLOSURE 1 – AUTHORIZED PERSONNEL ACCESS LIST


Authorized Personnel Access List
Personnel Name | Organization

The above personnel are authorized access to {ACRONYM}. This roster is reviewed at least every 90 days.


ENCLOSURE 2 – VISITOR ACCESS LOG


ENCLOSURE 3 – DELIVERY AND REMOVAL LOG


Delivery and Removal Log
Component | Entry/Exit | Date | Notes


ENCLOSURE 4 – DAILY PHYSICAL SECURITY CHECKLIST


ACTIVITY SECURITY CHECKLIST
DIVISION/BRANCH/OFFICE: Enter text. | ROOM NUMBER: Enter text. | MONTH AND YEAR: Enter text.

Irregularities discovered will be promptly reported to the designated Security Office for corrective action.

STATEMENT: I have conducted a security inspection of this work area and checked all the items listed below.

TO (if required): Enter text. | FROM (if required): Enter text. | THROUGH (if required): Enter text.

*ITEM | 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
1 Enter text.
2 Enter text.
3 Enter text.
4 Enter text.
5 Enter text.
6 Enter text.
7 Enter text.
8 Enter text.
9 Enter text.
10 Enter text.
11 Enter text.
12 Enter text.
13 Enter text.
14 Enter text.
15 Enter text.
