FOR OFFICIAL USE ONLY
{ACRONYM} {DATE} PHYSICAL AND ENVIRONMENTAL PROTECTION PLAN
{COMMAND}
{SYSTEM NAME} {ACRONYM}
System Version: {VERSION}
eMASS# {EMASS#}
Confidentiality: {CONFIDENTIALITY}
Integrity: {INTEGRITY}
Availability: {AVAILABILITY}
Department of the {SERVICE}
{LOGO}
Physical and Environmental Protection Plan
Document Version: 1.0.0
{DATE}
Prepared by: {ORGANIZATION}
DISTRIBUTION IS LIMITED TO U.S. GOVERNMENT AGENCIES AND THEIR CONTRACTORS. OTHER REQUESTS FOR THIS DOCUMENT MUST BE REFERRED TO: {ORGANIZATION}
Template developed by: http://www.i-assure.com FOR OFFICIAL USE ONLY
Change Record
Date | Version | Author | Changes Made / Section(s)
{DATE} | 1.0.0 | {ORGANIZATION} | Initial Document

Amplifying Guidance
i. DoD Instruction 5200.08, "Security of DoD Installations and Resources and the DoD Physical Security Review Board (PSRB)"
ii. DoD Regulation 5200.08-R, "Physical Security Program", as amended
Table of Contents
1.0 OVERVIEW (p. 1)
2.0 PHYSICAL AND ENVIRONMENTAL PROTECTION (p. 2)
2.1 Physical Access Authorizations (p. 2)
2.2 Physical Access Control (p. 2)
2.2.1 Penetration Testing (p. 2)
2.2.2 Facility Entry and Exit Points (p. 3)
2.2.3 Publicly Accessible Areas (p. 3)
2.2.4 Visitor Escorts and Monitoring (p. 3)
2.2.5 Key and Combination Procedures (p. 3)
2.3 Access Control for Transmission Medium (p. 3)
2.4 Access Control for Output Devices (p. 4)
2.5 Monitoring Physical Access (p. 4)
2.5.1 Video Surveillance (p. 4)
2.5.2 Inspection/Assessment Records (p. 5)
3.0 VISITOR CONTROL (p. 5)
3.1 Visitor Access Records (p. 5)
4.0 PHYSICAL CONTROLS (p. 5)
4.1 Power Equipment and Cabling (p. 5)
4.2 Emergency Shutoff (p. 6)
4.3 Emergency Power (p. 7)
4.4 Emergency Lighting (p. 7)
5.0 ENVIRONMENTAL CONTROLS (p. 8)
5.1 Fire Protection (p. 8)
5.2 Temperature and Humidity Controls (p. 9)
5.3 Water Damage Protection (p. 9)
6.0 DELIVERY AND REMOVAL (p. 10)
7.0 ALTERNATE WORK SITE (p. 11)
8.0 LOCATION OF INFORMATION SYSTEM COMPONENTS (p. 11)
8.1 System Position (p. 11)
8.2 System Hazards (p. 12)
9.0 INFORMATION LEAKAGE (p. 12)
10.0 ASSET MONITORING AND TRACKING (p. 13)
APPENDIX A – DETAILED COMPLIANCE MATRIX (p. 14)
ENCLOSURE 1 – ACCESS LIST (p. 71)
ENCLOSURE 2 – VISITOR ACCESS LOG (p. 73)
ENCLOSURE 3 – DELIVERY AND REMOVAL LOG (p. 75)
ENCLOSURE 4 – DAILY PHYSICAL SECURITY CHECKLIST (p. 77)

Table 1 - SP-800-53v4 Compliance Matrix (p. 1)
Table 2 – Physical Access Control (p. 2)
Table 3 – Facility Entry and Exit Points (p. 3)
Table 4 – Key and Combination Procedures (p. 3)
Table 5 – Distribution and Transmission Lines (p. 4)
Table 6 – Access Control for Output Devices (p. 4)
Table 7 – Video Surveillance (p. 4)
Table 8 – Emergency Power (p. 7)
Table 9 – Fire Protection Roles (p. 8)
Table 10 – Water Damage Control Roles (p. 10)
Table 11 – Water Presence Detection (p. 10)
Table 12 – Delivery and Removal Procedures (p. 11)
Table 13 – Alternate Worksite Controls (p. 11)
Table 14 – System Hazards (p. 12)
Table 15 – Asset Monitoring and Tracking (p. 13)
1.0 OVERVIEW
The physical security program is that part of security concerned with active and passive measures designed to prevent unauthorized access to personnel, equipment, installations, and information, and to safeguard them against espionage, sabotage, terrorism, damage, and criminal activity. Physical security is a primary command responsibility.
This plan ensures that {ACRONYM} implements physical security to preserve the confidentiality, integrity, and availability of {ACRONYM} information system resources.
This document complies with the following requirements from NIST Special Publication 800-53 Revision 4, "Security and Privacy Controls for Federal Information Systems and Organizations". A detailed compliance matrix can be found in Appendix A, “Detailed Compliance Matrix”.
CNTL NO. | CONTROL NAME | PRIORITY | LOW | MOD | HIGH
PE-1 | Physical and Environmental Protection Policy and Procedures | P1 | PE-1 | PE-1 | PE-1
PE-2 | Physical Access Authorizations | P1 | PE-2 | PE-2 | PE-2
PE-3 | Physical Access Control | P1 | PE-3 | PE-3 | PE-3 (1)
PE-4 | Access Control for Transmission Medium | P1 | Not Selected | PE-4 | PE-4
PE-5 | Access Control for Output Devices | P2 | Not Selected | PE-5 | PE-5
PE-6 | Monitoring Physical Access | P1 | PE-6 | PE-6 (1) | PE-6 (1) (4)
PE-7 | Visitor Control | | Not Selected | Not Selected | Not Selected
PE-8 | Visitor Access Records | P3 | PE-8 | PE-8 | PE-8 (1)
PE-9 | Power Equipment and Cabling | P1 | Not Selected | PE-9 | PE-9
PE-10 | Emergency Shutoff | P1 | Not Selected | PE-10 | PE-10
PE-11 | Emergency Power | P1 | Not Selected | PE-11 | PE-11 (1)
PE-12 | Emergency Lighting | P1 | PE-12 | PE-12 | PE-12
PE-13 | Fire Protection | P1 | PE-13 | PE-13 (3) | PE-13 (1) (2) (3)
PE-14 | Temperature and Humidity Controls | P1 | PE-14 | PE-14 | PE-14
PE-15 | Water Damage Protection | P1 | PE-15 | PE-15 | PE-15 (1)
PE-16 | Delivery and Removal | P2 | PE-16 | PE-16 | PE-16
PE-17 | Alternate Work Site | P2 | Not Selected | PE-17 | PE-17
PE-18 | Location of Information System Components | P3 | Not Selected | Not Selected | PE-18
PE-19 | Information Leakage | P0 | Not Selected | Not Selected | Not Selected
PE-20 | Asset Monitoring and Tracking | P0 | Not Selected | Not Selected | Not Selected
Table 1 - SP-800-53v4 Compliance Matrix
2.0 PHYSICAL AND ENVIRONMENTAL PROTECTION
2.1 Physical Access Authorizations
Enclosure 1 lists the personnel that have access to the facility where {ACRONYM} resides. The Access List has been formally approved and is reviewed every 90 days. All personnel have been authorized based on the appropriate roles and positions. Personnel must have two forms of identification. Examples of valid identification are:
DoD issued Common Access Card (CAC)
Base issued ID
Other Government issued ID
State issued driver license
Passport
It is {ACRONYM} policy that all Visitors must be escorted at all times in controlled areas. Visitors are required to sign the Visitor Log for access to any controlled area. All Visitors must be monitored by the Escort at all times. {ACRONYM} has not identified any Publicly Accessible areas.
{ACRONYM} issues all credentials through Base Security. The Personnel Security office verifies clearance information prior to identification being issued.
For personnel no longer requiring access, the Personnel Security Plan contains the credential revocation process and the Access List is updated to remove that person.
2.2 Physical Access Control
The {ACRONYM} has not identified additional physical access authorizations. The following physical security safeguards have been implemented for {ACRONYM} to detect and prevent physical tampering or alteration of {ACRONYM} components:
Base Security – guard access at gate
Facility Security – facility manned during workday and locked at night
Keycard/Combination – only authorized personnel are listed in the Access List and have credentials
The following table lists the {ACRONYM} components and the NIST SP 800-53 required information:
Component | Location | Guard/Alarm 24/7 | Physical Casing | Security Safeguards
All assets | Base | Guard and facility is alarmed | N/A | Yes. Listed above
Table 2 – Physical Access Control
2.2.1 Penetration Testing
Physical security penetration testing is not required per NIST 800-53.
2.2.2 Facility Entry and Exit Points
The following table lists all entry/exit points for the facility housing {ACRONYM}:
Component | Location | Entry/Exit Point Access Control | Access List | Audit Log Required?
All Assets | Locked Room | Yes | No
Table 3 – Facility Entry and Exit Points
2.2.3 Publicly Accessible Areas
The {ACRONYM} does not contain publicly accessible areas.
2.2.4 Visitor Escorts and Monitoring
A CAC is required when entering the {ACRONYM}. For those personnel without a CAC, a Visit Request for base access must be processed. All Visitors must be escorted at all times in controlled areas. Visitors are required to sign the Visitor Log for access to any controlled area. All Visitors must be monitored by the Escort at all times.
2.2.5 Key and Combination Procedures
{ACRONYM} has adequately secured its keys, combinations, and other physical devices.
The following devices are used to gain physical access to {ACRONYM}:
Component | Access Device | Annual Review? | Change Actions? | Notes
All assets | Physical key | Yes | None. | No security relevant events, lost keys, or compromised combinations, and no individuals transferred or terminated
All assets | Base Badge / CAC | Yes | None. | Individual transfers or terminations are documented in the Personnel Security Plan
Table 4 – Key and Combination Procedures
2.3 Access Control for Transmission Medium
{ACRONYM} protects distribution and transmission lines to ensure unauthorized access does not occur. The following distribution and transmission lines, and their security safeguards, have been identified:
Distribution and Transmission Lines | Security Safeguards | Notes
Ethernet | All connections contained within the physically secure facility | No lines are outside of {ACRONYM} control
Table 5 – Distribution and Transmission Lines
2.4 Access Control for Output Devices
The {ACRONYM} has not identified additional access controls for output devices. The process for determining authorization to {ACRONYM} is contained within the Personnel Security Plan. The following output devices have been identified for {ACRONYM}:
Output Devices | Controlled? | Auditing set per STIG | Marked/Labeled (only Classified systems)
All assets (visual and physical) | Yes. Only authorized personnel have access. | Yes. CCI 2936 | N/A. System is not Classified
Table 6 – Access Control for Output Devices
2.5 Monitoring Physical Access
{ACRONYM} is actively monitoring all physical intrusion alarms and surveillance equipment. {ACRONYM} implements the following types of equipment:
Door sensors
Badge System
{ACRONYM} recognizes the following types/classes of intrusions by automated mechanisms:
Invalid CAC – scanned at {ACRONYM} Gate Guard station
Invalid Entry – Base Badge system records card swipe actions
The hardware/software associated with the intrusion system is separately accredited. All intrusions are reported to Base Security.
{ACRONYM} response actions include:
Denial of access
Alarm sent to Base Security. Base Security then determines the appropriate response
2.5.1 Video Surveillance
Does {ACRONYM} implement video surveillance? ☐ No ☐ Yes
If Yes:
Location / Operational Area | Equipment | Retained for 90 days? | {ACRONYM} Monitored? | Procedures?
Table 7 – Video Surveillance
2.5.2 Inspection/Assessment Records
The {ACRONYM} Access List is contained within Enclosure 1 and reviewed every 30 days. The following events or potential indications of events require an immediate review of physical access logs:
Mishandled or lost resource: Equipment was stolen, lost, or left accessible to unauthorized parties.
Local access: An unauthorized user was provided local physical access to {ACRONYM}.
Abuse of resources: The physical destruction of {ACRONYM} by an unauthorized party.
The Incident Response Plan contains the review process and record of reviews concerning physical security events.
3.0 VISITOR CONTROL
3.1 Visitor Access Records
Visitor Access Records ensure only authorized personnel access the physical space in which {ACRONYM} resides. NIST SP 800-53 requires that these access records be automated.
Does {ACRONYM} implement automated mechanisms to facilitate the maintenance and review of access records? ☐ No ☐ Yes
If Yes, have they been observed? ☐ No ☐ Yes
If Yes, have they been maintained for at least one year? ☐ No ☐ Yes
If Yes, have they been reviewed at least every 30 days? ☐ No ☐ Yes
4.0 PHYSICAL CONTROLS
4.1 Power Equipment and Cabling
{ACRONYM} is required to protect power equipment and power cabling. {ACRONYM} is required to fulfill this requirement as {ACRONYM} is strictly a tenant of the facility.
The following protective measures have been implemented:
All power equipment is located on a physically secure military base.
All power cabling is contained within a physically secure facility.
Only authorized personnel can access the base and facility.
Are redundant power cabling paths installed? ☐ No ☐ Yes
If Yes, are they physically separated by at least one foot? ☐ No ☐ Yes
Does the system contain critical information system components? ☒ No ☐ Yes
If Yes, are automatic voltage control mechanisms in place? ☐ No ☐ Yes
4.2 Emergency Shutoff
{ACRONYM} is required to provide a capability to shut off the power to facilities or areas within facilities containing concentrations of information system resources (e.g., datacenters, server rooms, mainframe computer rooms) in emergency situations. {ACRONYM} must install the emergency shutoff switches or devices near more than one egress point of the IT area and ensure they are labeled and protected by a cover to prevent accidental shut-off, while keeping them safely and easily accessible to personnel. {ACRONYM} is required to fulfill this requirement as {ACRONYM} is strictly a tenant of the facility.
Is an emergency shutoff switch or device installed? ☐ No ☐ Yes
If Yes, is the switch/device near more than one egress point of the IT area? ☐ No ☐ Yes
If Yes, is the switch/device labeled and protected by a cover? ☐ No ☐ Yes
4.3 Emergency Power
{ACRONYM} is required to provide the capacity to implement an uninterruptible power supply for {ACRONYM}. The uninterruptible power supply must have sufficient capacity to support orderly shutdown of {ACRONYM} or transition {ACRONYM} to long-term alternate power in the event of a primary power source loss. {ACRONYM} is required to fulfill this requirement as {ACRONYM} is strictly a tenant of the facility.
Assets | Power Requirements | Power Supply | Contingency Plan
All assets | 1 hour of alternate power | Generator/UPS | Yes
Table 8 – Emergency Power
Is a long-term alternate power supply self-contained? ☐ No ☐ Yes
If Yes, is the alternate power supply reliant on external power generation? ☐ No ☐ Yes
If No, is the alternate power supply capable of maintaining minimally required operational capability or full operational capability in the event of an extended loss of the primary power source? ☐ No ☐ Yes
4.4 Emergency Lighting
{ACRONYM} is required to comply with established OSHA requirements by employing and maintaining emergency lighting for {ACRONYM}. Emergency lighting activates in the event of a power outage or disruption, and it covers emergency exits and evacuation routes within the facility. {ACRONYM} is required to fulfill this requirement as {ACRONYM} is strictly a tenant of the facility.
Does {ACRONYM} support essential mission and/or business functions? ☒ No ☐ Yes
If Yes, is emergency lighting present? ☐ No ☐ Yes
If Yes, does it cover emergency exits and evacuation routes within the facility? ☐ No ☐ Yes
5.0 ENVIRONMENTAL CONTROLS
5.1 Fire Protection
{ACRONYM} is required to implement fire detection and suppression. Fire detection devices/systems for {ACRONYM} must activate automatically. {ACRONYM} is required to fulfill this requirement as {ACRONYM} is strictly a tenant of the facility.
Are fire detection and suppression devices/systems available? ☐ No ☐ Yes
If Yes, are they supported by an independent energy source? ☐ No ☐ Yes
If Yes, do they activate automatically? ☐ No ☐ Yes
If Yes, do they activate automatically when the facility is not staffed? ☐ No ☐ Yes
If Yes, do they automatically activate to notify the personnel or roles defined below in the event of a fire? ☐ No ☐ Yes
Personnel/Role | Automatic Notification | Notes
Base Fire Department | Yes |
Table 9 – Fire Protection Roles
Are fire protection systems inspected and documented at least annually? ☐ No ☐ Yes
If Yes, are all identified deficiencies resolved within 60 days? ☐ No ☐ Yes
5.2 Temperature and Humidity Controls
{ACRONYM} is required to implement automatic temperature and humidity controls. Automatic temperature and humidity controls for {ACRONYM} must prevent fluctuations potentially harmful to {ACRONYM}. {ACRONYM} is required to fulfill this requirement as {ACRONYM} is strictly a tenant of the facility.
Are automatic temperature and humidity controls available? ☐ No ☐ Yes
If Yes, do they provide an alarm or notification of changes potentially harmful to personnel or equipment? ☐ No ☐ Yes
If Yes, are they set within DoD specified guidelines? (64.4 – 80.6 °F; 45% – 60% relative humidity; dew point 41.9 – 59 °F; measured at the air intake inlet of the IT equipment casing; for other systems, levels within manufacturer specifications) ☐ No ☐ Yes
Are temperature and humidity levels continuously monitored unless manufacturer specifications allow for a wide enough tolerance that control is not required? ☐ No ☐ Yes
5.3 Water Damage Protection
{ACRONYM} is required to implement master shutoff valves for water sources. Master shutoff valves for {ACRONYM} must be installed and accessible. {ACRONYM} is required to fulfill this requirement as {ACRONYM} is strictly a tenant of the facility.
Are master shutoff valves installed? ☐ No ☐ Yes
If Yes, is inspection documentation (e.g., inspection form, tag attached to valve) available? ☐ No ☐ Yes
The following key personnel have knowledge of the location and activation procedures for master shutoff valves and any other relevant documents or records:
Personnel / Role | Master Shutoff Valve Location | Notes
Public Works | {REQUIRED} |
Table 10 – Water Damage Control Roles
Are water detection mechanisms installed? ☐ No ☐ Yes
If Yes, do they provide automated alerts upon water detection? ☐ No ☐ Yes
The following list identifies automated mechanisms to detect the presence of water in the vicinity of the information system and the personnel or roles that are alerted:
Automated Mechanisms | Personnel / Role | Notes
 | Public Works |
Table 11 – Water Presence Detection
6.0 DELIVERY AND REMOVAL
Delivery and removal of {ACRONYM} components must be documented to ensure the actions were authorized. The following process/documentation exists to ensure a detailed and accurate record of all {ACRONYM} components that enter and exit the facility:
Action | Process / Documentation | Notes
Entrance into Facility | Base Receiving | All components must be delivered to the Base Receiving office prior to distribution to the system. Base Receiving applies a unique tracking number to the component for inventory purposes.
Exit from Facility | Disposal Process | All components follow the {COMMAND} Disposal Policy or Surplus process for components that exit the facility.
Table 12 – Delivery and Removal Procedures
This plan documents all system components entering and exiting the facility and visually inspects the controls (e.g., logs, scans, etc.) to ensure implementation. Logs are contained in Enclosure 3.
7.0 ALTERNATE WORK SITE
{ACRONYM} is required to implement physical security controls for alternate worksites. {ACRONYM} must define security controls to employ at alternate work sites, which must include all applicable building and safety codes for the {ACRONYM} environment. {ACRONYM} is required to fulfill this requirement as {ACRONYM} is strictly a tenant of the facility. This requirement does not apply to Telework activities.
Are alternate worksites authorized? ☐ No ☐ Yes
If Yes, are all security controls identified and compliant with all applicable building and safety codes? ☐ No ☐ Yes
The following list designates alternate worksite locations and requirement status:
Alternate Worksite | Security Controls | Contact | Assessment Date | Notes
Location Information | PE-2 thru PE-16, PE-18 thru PE-20 | | |
Table 13 – Alternate Worksite Controls
8.0 LOCATION OF INFORMATION SYSTEM COMPONENTS
8.1 System Position
It is {ACRONYM} policy to position all system components in the following manner:
Deter viewing by unauthorized personnel
Do not locate near water hazards
Ensure proper HVAC temperature
Is {ACRONYM} positioned according to the environmental policy? ☐ No ☐ Yes
8.2 System Hazards
{ACRONYM} planned the location of the facility where {ACRONYM} resides with regard to physical and environmental hazards. {ACRONYM} has determined that the following environmental and physical hazards are applicable:
Hazard | Risk Level | Risk Mitigation | Notes
ENVIRONMENTAL HAZARDS
Dirt/Dust | Low | N/A | Facility is cleaned weekly
Water/Fluids | Low | N/A | Assets not located near water/fluid
Heat | Low | N/A | Temperature controls in place
Cold | Low | N/A | Temperature controls in place
Flooding/Hurricane | Low | N/A | Facility built to code
Snowfall | Low | N/A | Facility built to code
Fire | Low | N/A | Fire alarm and suppression systems are in place
PHYSICAL HAZARDS
Unlocked doors | Low | N/A | All doors are locked
Exposed wiring | Low | N/A | All wiring is to code
Facility structurally unsound | Low | N/A | Facility built to code
Spills | Low | N/A | Spills immediately cleaned
Table 14 – System Hazards
9.0 INFORMATION LEAKAGE
TEMPEST is a National Security Agency specification referring to spying on information systems through leaking emanations, including unintentional radio or electrical signals, sounds, and vibrations. TEMPEST applies to Classified systems.
Is {ACRONYM} considered Classified? ☐ No ☐ Yes
If Yes, have measures to protect against compromising emanations been implemented according to DoD Directive S-5200.19? ☐ No ☐ Yes
If Yes, has an examination of the TEMPEST countermeasures been reviewed and inspected to ensure those countermeasures have been implemented? ☐ No ☐ Yes
10.0 ASSET MONITORING AND TRACKING
Asset monitoring and tracking ensures {ACRONYM} components are accounted for. {ACRONYM} tracks and monitors the location and movement of all components within controlled areas using the following technologies:
Asset | Controlled Area | Technology Used | Applicable Laws, Directives, Regulations, Policies?
All Assets | Defined in SSP | Documentation – Hardware List | None
All Assets | Defined in SSP | ACAS – verify hardware list against scans | None
All Assets | Defined in SSP | {LOCAL TECHNOLOGY} | None
Table 15 – Asset Monitoring and Tracking
APPENDIX A – DETAILED COMPLIANCE MATRIX
The following table provides traceability between this document and the Assessment Procedures contained within NIST Special Publication 800-53A Revision 4, "Assessing Security and Privacy Controls in Federal Information Systems and Organizations".
Control Number | Assessment Number | CCI | Confidentiality | Integrity | Availability
Assessment Procedures
Reference

PE-1 | PE-1 (a) | CCI-002908 | High, Moderate, Low | High, Moderate, Low | High, Moderate, Low
Assessment Procedures: The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the roles as organizational personnel with physical and environmental protection responsibilities.
Reference: Automatically compliant with this CCI because they are covered at the DoD level

PE-1 | PE-1 (a) | CCI-002909 | High, Moderate, Low | High, Moderate, Low | High, Moderate, Low
Assessment Procedures: The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the roles as organizational personnel with physical and environmental protection responsibilities.
Reference: Automatically compliant with this CCI because they are covered at the DoD level

PE-1 | PE-1 (a) (1) | CCI-000904 | High, Moderate, Low | High, Moderate, Low | High, Moderate, Low
Assessment Procedures: DoDI 5200.08 and DoD 5200.08-R meet the requirement for Physical and Environmental Policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policies, DoDI 5200.08 and DoD 5200.08-R.
Reference: Automatically compliant with this CCI because they are covered at the DoD level
PE-1 | PE-1 (a) (1) | CCI-000905 | High, Moderate, Low | High, Moderate, Low | High, Moderate, Low
Assessment Procedures: DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDD 5200.08 and DoD 5200.08-R. DoD has defined the personnel or roles as organizational personnel with physical and environmental protection responsibilities.
Reference: Automatically compliant with this CCI because they are covered at the DoD level

PE-1 | PE-1 (a) (2) | CCI-000908 | High, Moderate, Low | High, Moderate, Low | High, Moderate, Low
Assessment Procedures: DoD Components are automatically compliant with this CCI because they are covered by the DoD level policies, DoDI 5200.08 and DoD 5200.08-R.
Reference: Automatically compliant with this CCI because they are covered at the DoD level

PE-1 | PE-1 (a) (2) | CCI-000909 | High, Moderate, Low | High, Moderate, Low | High, Moderate, Low
Assessment Procedures: DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDD 5200.08 and DoD 5200.08-R. DoD has defined the personnel or roles as organizational personnel with physical and environmental protection responsibilities.
Reference: Automatically compliant with this CCI because they are covered at the DoD level

PE-1 | PE-1 (b) (1) | CCI-000907 | High, Moderate, Low | High, Moderate, Low | High, Moderate, Low
Assessment Procedures: The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as reviewed annually and updated as appropriate, but at least within 10 years of the date of issuance.
Reference: Automatically compliant with this CCI because they are covered at the DoD level
PE-1 | PE-1 (b) (1) | CCI-000906 | High, Moderate, Low | High, Moderate, Low | High, Moderate, Low
Assessment Procedures: DoDI 5200.08 and DoD 5200.08-R meet the requirement for Physical and Environmental Policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policies, DoDI 5200.08 and DoD 5200.08-R. DoD has defined the frequency as reviewed annually and updated as appropriate, but at least within 10 years of the date of issuance.
Reference: Automatically compliant with this CCI because they are covered at the DoD level
Control: PE-1 | Assessment: PE-1 (b) (2) | CCI: CCI-000911 | C/I/A baselines: High, Moderate, Low
Assessment Procedures: The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as reviewed annually - updated as appropriate.
Reference: Automatically compliant with this CCI because they are covered at the DoD level.

Control: PE-1 | Assessment: PE-1 (b) (2) | CCI: CCI-000910 | C/I/A baselines: High, Moderate, Low
Assessment Procedures: DoD Components are automatically compliant with this CCI because they are covered by the DoD level policies, DoDI 5200.08 and DoD 5200.08-R. DoD has defined the frequency as reviewed annually - updated as appropriate.
Reference: Automatically compliant with this CCI because they are covered at the DoD level.
Control: PE-10 | Assessment: PE-10 (a) | CCI: CCI-000956 | C/I/A baselines: High, Moderate
Assessment Procedures: The organization conducting the inspection/assessment obtains and examines documentation of the capability to shut off the power to facilities or areas within facilities containing concentrations of information system resources (e.g., datacenters, server rooms, mainframe computer rooms) in emergency situations. The purpose is to validate that the organization has provided the capability of shutting off power in emergency situations.
Reference: Section 4.2

Control: PE-10 | Assessment: PE-10 (b) | CCI: CCI-000957 | C/I/A baselines: High, Moderate
Assessment Procedures: The organization conducting the inspection/assessment will physically inspect emergency shutoff switches or devices for placement, to validate that the organization has installed the emergency shutoff switches or devices near more than one egress point of the IT area and that each is labeled and protected by a cover to prevent accidental shut-off, so as to facilitate safe and easy access for personnel. DoD has defined the location as near more than one egress point of the IT area, labeled and protected by a cover to prevent accidental shut-off.
Reference: Section 4.2
Control: PE-10 | Assessment: PE-10 (b) | CCI: CCI-000958 | C/I/A baselines: High, Moderate
Assessment Procedures: The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the location as near more than one egress point of the IT area, labeled and protected by a cover to prevent accidental shut-off.
Reference: Automatically compliant with this CCI because they are covered at the DoD level.

Control: PE-10 | Assessment: PE-10 (c) | CCI: CCI-000959 | C/I/A baselines: High, Moderate
Assessment Procedures: The organization conducting the inspection/assessment will ensure that the inspected organization has protected the emergency power shutoff capability. DoD has defined the location as near more than one egress point of the IT area, labeled and protected by a cover to prevent accidental shut-off.
Reference: Section 4.2
Control: PE-11 | Assessment: PE-11 | CCI: CCI-002955 | C/I/A baselines: High, Moderate
Assessment Procedures: The organization conducting the inspection/assessment obtains and examines documentation identifying the capacity of the implemented uninterruptible power supply, documentation identifying the power requirements of the system, and documentation identifying the contingency plan in the event of primary power source loss to ensure the organization being inspected/assessed provides an uninterruptible power supply with sufficient capacity to support orderly shutdown of the system or transition of the system to long-term alternate power in the event of a primary power source loss.
Reference: Section 4.3

Control: PE-11 (1) | Assessment: PE-11 (1) | CCI: CCI-000961 | C/I/A baselines: High
Assessment Procedures: The organization conducting the inspection/assessment obtains and examines the list of physical IT assets within the boundary of the information system that require a long-term alternate power supply. Physically inspect a sample from the list to ensure that a long-term power supply capability supporting minimal operational capability has been provided.
Reference: The system is not considered a HIGH level. Therefore, this AP is not applicable.
Control: PE-11 (2) | Assessment: PE-11 (2) (a) | CCI: CCI-002956 | C/I/A baselines: blank
Assessment Procedures: The organization conducting the inspection/assessment obtains and examines documentation identifying the implemented alternate power supply to ensure the organization being inspected/assessed implements a long-term alternate power supply for the information system that is self-contained.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.

Control: PE-11 (2) | Assessment: PE-11 (2) (b) | CCI: CCI-002957 | C/I/A baselines: blank
Assessment Procedures: The organization conducting the inspection/assessment obtains and examines documentation identifying the implemented alternate power supply to ensure the organization being inspected/assessed implements a long-term alternate power supply for the information system that is not reliant on external power generation.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.
Control: PE-11 (2) | Assessment: PE-11 (2) (c) | CCI: CCI-002958 | C/I/A baselines: blank
Assessment Procedures: The organization conducting the inspection/assessment obtains and examines documentation identifying the implemented alternate power supply to ensure the organization being inspected/assessed implements a long-term alternate power supply for the information system that is capable of maintaining minimally required operational capability or full operational capability in the event of an extended loss of the primary power source.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.

Control: PE-12 | Assessment: PE-12 | CCI: CCI-000963 | C/I/A baselines: High, Moderate, Low
Assessment Procedures: The organization conducting the inspection/assessment conducts visual inspections and interviews physical security personnel to validate that the organization is in compliance with established OSHA requirements by employing and maintaining emergency lighting for the information system, that the emergency lighting activates in the event of a power outage or disruption, and that it covers emergency exits and evacuation routes within the facility.
Reference: Section 4.4

Control: PE-12 (1) | Assessment: PE-12 (1) | CCI: CCI-002959 | C/I/A baselines: blank
Assessment Procedures: The organization conducting the inspection/assessment inspects areas within the facility supporting essential missions to ensure emergency lighting is implemented.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.
Control: PE-12 (1) | Assessment: PE-12 (1) | CCI: CCI-002960 | C/I/A baselines: blank
Assessment Procedures: The organization conducting the inspection/assessment inspects areas within the facility supporting essential business functions to ensure emergency lighting is implemented.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.

Control: PE-13 | Assessment: PE-13 | CCI: CCI-000965 | C/I/A baselines: High, Moderate, Low
Assessment Procedures: The organization conducting the inspection/assessment will conduct visual observation and interview organizational personnel with responsibilities for fire detection and suppression devices/systems. The purpose of the reviews and interviews is to validate that the fire suppression and detection devices/systems for the information system are supported by an independent energy source.
Reference: Section 5.1

Control: PE-13 (1) | Assessment: PE-13 (1) | CCI: CCI-002961 | C/I/A baselines: High
Assessment Procedures: The organization conducting the inspection/assessment obtains and examines the documented evidence of fire detection devices/systems to ensure the organization being inspected/assessed employs fire detection devices/systems for the information system that activate automatically.
Reference: The system is not considered a HIGH level. Therefore, this AP is not applicable.
Control: PE-13 (1) | Assessment: PE-13 (1) | CCI: CCI-002962 | C/I/A baselines: High
Assessment Procedures: The organization conducting the inspection/assessment obtains and examines the documented evidence of fire detection devices/systems to ensure the organization being inspected/assessed employs fire detection devices/systems for the information system that automatically activate to notify personnel or roles defined in PE-13 (1), CCI 2963 and emergency responders defined in PE-13 (1), CCI 2964 in the event of a fire.
Reference: The system is not considered a HIGH level. Therefore, this AP is not applicable.

Control: PE-13 (1) | Assessment: PE-13 (1) | CCI: CCI-002963 | C/I/A baselines: High
Assessment Procedures: The organization conducting the inspection/assessment obtains and examines the documented personnel or roles to ensure the organization being inspected/assessed defines the personnel or roles to be notified in the event of a fire. DoD has determined the personnel or roles are not appropriate to define at the Enterprise level.
Reference: The system is not considered a HIGH level. Therefore, this AP is not applicable.
Control: PE-13 (1) | Assessment: PE-13 (1) | CCI: CCI-002964 | C/I/A baselines: High
Assessment Procedures: The organization conducting the inspection/assessment obtains and examines the documented emergency responders to ensure the organization being inspected/assessed defines the emergency responders to be notified in the event of a fire. DoD has determined the emergency responders are not appropriate to define at the Enterprise level.
Reference: The system is not considered a HIGH level. Therefore, this AP is not applicable.
Control: PE-13 (2) | Assessment: PE-13 (2) | CCI: CCI-002965 | C/I/A baselines: High
Assessment Procedures: The organization conducting the inspection/assessment obtains and examines the documented evidence of fire detection devices/systems to ensure the organization being inspected/assessed employs fire suppression devices/systems for the information system that provide automatic notification of any activation to organization-defined personnel or roles and organization-defined emergency responders.
Reference: The system is not considered a HIGH level. Therefore, this AP is not applicable.

Control: PE-13 (2) | Assessment: PE-13 (2) | CCI: CCI-002966 | C/I/A baselines: High
Assessment Procedures: The organization conducting the inspection/assessment obtains and examines the documented personnel or roles to ensure the organization being inspected/assessed defines the personnel or roles to be automatically notified of any activation of fire suppression devices/systems for the information system. DoD has determined the personnel or roles are not appropriate to define at the Enterprise level.
Reference: The system is not considered a HIGH level. Therefore, this AP is not applicable.
Control: PE-13 (2) | Assessment: PE-13 (2) | CCI: CCI-002967 | C/I/A baselines: High
Assessment Procedures: The organization conducting the inspection/assessment obtains and examines the documented emergency responders to ensure the organization being inspected/assessed defines the emergency responders to be automatically notified of any activation of fire suppression devices/systems for the information system. DoD has determined the emergency responders are not appropriate to define at the Enterprise level.
Reference: The system is not considered a HIGH level. Therefore, this AP is not applicable.

Control: PE-13 (3) | Assessment: PE-13 (3) | CCI: CCI-000968 | C/I/A baselines: High, Moderate
Assessment Procedures: The organization conducting the inspection/assessment conducts visual inspections and interviews physical security/safety personnel to validate that the organization has installed and implemented an automatic fire suppression capability which is operational during those times the facility is not staffed.
Reference: Section 5.1

Control: PE-13 (4) | Assessment: PE-13 (4) | CCI: CCI-002968 | C/I/A baselines: High
Assessment Procedures: The organization conducting the inspection/assessment obtains and examines the record of inspections to ensure the organization being inspected/assessed implements a process to undergo fire protection inspections by authorized and qualified inspectors annually. DoD has defined the frequency as annually.
Reference: The system is not considered a HIGH level. Therefore, this AP is not applicable.
Control: PE-13 (4) | Assessment: PE-13 (4) | CCI: CCI-002970 | C/I/A baselines: High
Assessment Procedures: The organization conducting the inspection/assessment obtains and examines past facility fire protection inspection reports and inspects the facility to ensure all deficiencies identified are resolved within 60 days. DoD has defined the time period as 60 days.
Reference: The system is not considered a HIGH level. Therefore, this AP is not applicable.

Control: PE-13 (4) | Assessment: PE-13 (4) | CCI: CCI-002969 | C/I/A baselines: High
Assessment Procedures: The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as annually.
Reference: Automatically compliant with this CCI because they are covered at the DoD level.

Control: PE-13 (4) | Assessment: PE-13 (4) | CCI: CCI-002971 | C/I/A baselines: High
Assessment Procedures: The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the time period as 60 days.
Reference: Automatically compliant with this CCI because they are covered at the DoD level.

Control: PE-14 (1) | Assessment: PE-14 (1) | CCI: CCI-000975 | C/I/A baselines: blank
Assessment Procedures: The organization conducting the inspection/assessment conducts visual inspections and interviews personnel responsible for maintaining automatic temperature and humidity controls to validate that the organization is employing automatic temperature and humidity controls for the information system to prevent fluctuations potentially harmful to the information system.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.
Control: PE-14 (2) | Assessment: PE-14 (2) | CCI: CCI-000976 | C/I/A baselines: blank
Assessment Procedures: The organization conducting the inspection/assessment conducts visual inspections and interviews personnel responsible for maintaining automatic temperature and humidity controls to validate that the inspected organization is employing automatic temperature and humidity controls that provide an alarm or notification of changes potentially harmful to personnel or equipment.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.
Control: PE-14 | Assessment: PE-14 (a) | CCI: CCI-000971 | C/I/A baselines: High, Moderate, Low
Assessment Procedures: The organization conducting the inspection/assessment reviews temperature and humidity controls to validate that they are set within DoD specified guidelines. DoD has defined the acceptable levels as follows: for commercial grade information systems, 64.4°F – 80.6°F; 45% – 60% relative humidity; dew point 41.9°F – 59°F; measured at the air intake inlet of the IT equipment casing. For other systems, levels within manufacturer specifications.
Reference: Section 5.2
Control: PE-14 | Assessment: PE-14 (a) | CCI: CCI-000972 | C/I/A baselines: High, Moderate, Low
Assessment Procedures: The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the acceptable levels as follows: for commercial grade information systems, 64.4°F – 80.6°F; 45% – 60% relative humidity; dew point 41.9°F – 59°F; measured at the air intake inlet of the IT equipment casing. For other systems, levels within manufacturer specifications.
Reference: Automatically compliant with this CCI because they are covered at the DoD level.
Control: PE-14 | Assessment: PE-14 (b) | CCI: CCI-000973 | C/I/A baselines: High, Moderate, Low
Assessment Procedures: The organization conducting the inspection/assessment will visually observe the inspected organization's independent monitoring device, obtain and examine audit logs, and interview physical security/safety personnel to validate that the inspected organization monitors temperature and humidity levels continuously unless manufacturer specifications allow for a wide enough tolerance that control is not required. DoD has defined the frequency as continuously unless manufacturer specifications allow for a wide enough tolerance that control is not required.
Reference: Section 5.2
Control: PE-14 | Assessment: PE-14 (b) | CCI: CCI-000974 | C/I/A baselines: High, Moderate, Low
Assessment Procedures: The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as continuously unless manufacturer specifications allow for a wide enough tolerance that control is not required.
Reference: Automatically compliant with this CCI because they are covered at the DoD level.

Control: PE-15 | Assessment: PE-15 | CCI: CCI-000977 | C/I/A baselines: High, Moderate, Low
Assessment Procedures: The organization conducting the inspection/assessment will inspect the master shutoff valves to ensure they are installed and accessible.
Reference: Section 5.3

Control: PE-15 | Assessment: PE-15 | CCI: CCI-000978 | C/I/A baselines: High, Moderate, Low
Assessment Procedures: The organization conducting the inspection/assessment will visually inspect master shutoff valve inspection documentation (e.g., inspection form, tag attached to valve).
Reference: Section 5.3

Control: PE-15 | Assessment: PE-15 | CCI: CCI-000979 | C/I/A baselines: High, Moderate, Low
Assessment Procedures: The organization conducting the inspection/assessment obtains and examines the list of key personnel with knowledge of the location and activation procedures for master shutoff valves, and any other relevant documents or records. Interview key personnel from the list to determine whether the identified key personnel within the organization have knowledge of the master shutoff valves.
Reference: Section 5.3
Control: PE-15 (1) | Assessment: PE-15 (1) | CCI: CCI-002972 | C/I/A baselines: High
Assessment Procedures: The organization conducting the inspection/assessment obtains and examines documentation identifying water detection mechanisms to ensure the organization being inspected/assessed implements automated mechanisms to detect the presence of water in the vicinity of the information system and alerts personnel or roles defined in PE-15 (1), CCI 2973.
Reference: The system is not considered a HIGH level. Therefore, this AP is not applicable.
Control: PE-15 (1) | Assessment: PE-15 (1) | CCI: CCI-002973 | C/I/A baselines: High
Assessment Procedures: The organization conducting the inspection/assessment obtains and examines the documented personnel or roles to ensure the organization being inspected/assessed defines the personnel or roles to be alerted when automated mechanisms detect the presence of water in the vicinity of the information system. DoD has determined the personnel or roles are not appropriate to define at the Enterprise level.
Reference: The system is not considered a HIGH level. Therefore, this AP is not applicable.

Control: PE-16 | Assessment: PE-16 | CCI: CCI-000981 | C/I/A baselines: High, Moderate, Low
Assessment Procedures: The organization conducting the inspection/assessment obtains and examines records authorizing all system components entering and exiting the facility. DoD has defined the types of information system components as all system components.
Reference: Section 6.0

Control: PE-16 | Assessment: PE-16 | CCI: CCI-000982 | C/I/A baselines: High, Moderate, Low
Assessment Procedures: The organization conducting the inspection/assessment obtains and examines records monitoring all system components entering and exiting the facility. DoD has defined the types of information system components as all system components.
Reference: Section 6.0
Control: PE-16 | Assessment: PE-16 | CCI: CCI-000983 | C/I/A baselines: High, Moderate, Low
Assessment Procedures: The organization conducting the inspection/assessment obtains and examines the physical and environmental protection plan to determine if controls have been documented for all system components entering and exiting the facility, and visually inspects the controls (e.g., logs, scans) to ensure implementation. DoD has defined the types of information system components as all system components.
Reference: Section 6.0

Control: PE-16 | Assessment: PE-16 | CCI: CCI-000984 | C/I/A baselines: High, Moderate, Low
Assessment Procedures: The organization conducting the inspection/assessment obtains and examines records of physical entry and exit events to the facility. The purpose of the reviews is to ensure the organization is maintaining detailed and accurate records of information system components that enter and exit the facility. If the organization is following GRS 18, Section 12, they are automatically compliant.
Reference: Section 6.0

Control: PE-16 | Assessment: PE-16 | CCI: CCI-002974 | C/I/A baselines: High, Moderate, Low
Assessment Procedures: The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the types of information system components as all system components.
Reference: Automatically compliant with this CCI because they are covered at the DoD level.
Control: PE-17 | Assessment: PE-17 (a) | CCI: CCI-000985 | C/I/A baselines: High, Moderate
Assessment Procedures: The organization conducting the inspection/assessment obtains and examines the alternate work site policy of the organization being inspected/assessed to ensure the organization implements security controls defined in PE-17, CCI 2975 at alternate work sites.
Reference: Section 7.0
Control: PE-17 | Assessment: PE-17 (a) | CCI: CCI-002975 | C/I/A baselines: High, Moderate
Assessment Procedures: The organization conducting the inspection/assessment obtains and examines the documented security controls to ensure the organization being inspected/assessed defines security controls to employ at alternate work sites, which must include all applicable building and safety codes for the information system's environment. DoD has determined the security controls are not appropriate to define at the Enterprise level, but must include all applicable building and safety codes for the information system's environment.
Reference: Section 7.0

Control: PE-17 | Assessment: PE-17 (b) | CCI: CCI-000987 | C/I/A baselines: High, Moderate
Assessment Procedures: The organization conducting the inspection/assessment obtains and examines:
1. The procedures for assessing the effectiveness of alternate work site security controls.
2. The audit records of assessments they have conducted of security controls effectiveness for alternate work sites.
Reference: Section 7.0

Control: PE-17 | Assessment: PE-17 (c) | CCI: CCI-000988 | C/I/A baselines: High, Moderate
Assessment Procedures: The organization conducting the inspection/assessment obtains and examines contact information for appropriate security personnel to ensure its accuracy and dissemination.
Reference: Section 7.0
Control: PE-18 | Assessment: PE-18 | CCI: CCI-000989 | C/I/A baselines: High
Assessment Procedures: The organization conducting the inspection/assessment reviews the physical and environmental protection policy developed in PE-1, CCI 000904 to validate that the systems have been positioned according to the environmental policy.
Reference: The system is not considered a HIGH level. Therefore, this AP is not applicable.

Control: PE-18 | Assessment: PE-18 | CCI: CCI-000991 | C/I/A baselines: High
Assessment Procedures: The organization conducting the inspection/assessment reviews the physical and environmental protection policy developed in PE-1, CCI 000904 to validate that the systems have been positioned according to the environmental policy.
Reference: The system is not considered a HIGH level. Therefore, this AP is not applicable.

Control: PE-18 | Assessment: PE-18 | CCI: CCI-002976 | C/I/A baselines: High
Assessment Procedures: The organization conducting the inspection/assessment obtains and examines the documented physical and environmental hazards to ensure the organization being inspected/assessed defines physical and environmental hazards that could cause potential damage to information system components within the facility. DoD has determined the physical and environmental hazards are not appropriate to define at the Enterprise level.
Reference: The system is not considered a HIGH level. Therefore, this AP is not applicable.

Control: PE-18 (1) | Assessment: PE-18 (1) | CCI: CCI-002977 | C/I/A baselines: blank
Assessment Procedures: The organization conducting the inspection/assessment obtains and examines the documented rationale to ensure the organization being inspected/assessed plans the location or site of the facility where the information system resides with regard to physical and environmental hazards.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.
Control: PE-18 (1) | Assessment: PE-18 (1) | CCI: CCI-002978 | C/I/A baselines: blank
Assessment Procedures: The organization conducting the inspection/assessment obtains and examines the physical and environmental risk assessment to ensure the organization being inspected/assessed considers the physical and environmental hazards in its risk mitigation strategy for existing facilities.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.

Control: PE-19 | Assessment: PE-19 | CCI: CCI-000993 | C/I/A baselines: blank
Assessment Procedures: The organization conducting the inspection/assessment obtains and examines the TEMPEST countermeasures review and inspects the information system to ensure those countermeasures have been implemented.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.

Control: PE-19 (1) | Assessment: PE-19 (1) | CCI: CCI-000994 | C/I/A baselines: blank
Assessment Procedures: The organization conducting the inspection/assessment obtains and examines the TEMPEST countermeasures review and inspects the information system to ensure those countermeasures have been implemented.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.

Control: PE-2 (1) | Assessment: PE-2 (1) | CCI: CCI-000916 | C/I/A baselines: blank
Assessment Procedures: The organization conducting the inspection/assessment obtains and examines:
1. The list of roles or positions that have access to the facility where the information system resides.
2. The list of personnel assigned to those roles.
Recommended:
3. Access logs, to verify that access to the facility was authorized based on the appropriate roles and positions.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.
Control: PE-2 (2) | Assessment: PE-2 (2) | CCI: CCI-000917 | C/I/A baselines: blank
Assessment Procedures: The organization conducting the inspection/assessment obtains and examines the inspected organization's physical security policy for requirements and implementation guidance to have two forms of identification defined in PE-2 (2), CCI 2912 and physical access control logs or records, and any other relevant documents or records to validate compliance.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.
Control: PE-2 (2) | Assessment: PE-2 (2) | CCI: CCI-002912 | C/I/A baselines: blank
Assessment Procedures: The organization conducting the inspection/assessment obtains and examines the documented list of acceptable forms of identification to ensure the organization being inspected/assessed defines a list of acceptable forms of identification for visitor access to the facility where the information system resides. DoD has determined the list of acceptable forms of identification is not appropriate to define at the Enterprise level.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.

Control: PE-2 (3) | Assessment: PE-2 (3) | CCI: CCI-002913 | C/I/A baselines: blank
Assessment Procedures: The organization conducting the inspection/assessment obtains and examines the physical security policy to ensure the organization being inspected/assessed has selected one or more of the physical security requirements that must be met before unescorted access to the facility where the information system resides is granted.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.
Control: PE-2 (3) | Assessment: PE-2 (3) | CCI: CCI-002914 | C/I/A baselines: blank
Assessment Procedures: The organization conducting the inspection/assessment obtains and examines the documented credentials to ensure the organization being inspected/assessed defines the credentials required for personnel to have unescorted access to the facility where the information system resides. DoD has determined the credentials are not appropriate to define at the Enterprise level.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.

Control: PE-2 | Assessment: PE-2 (a) | CCI: CCI-000912 | C/I/A baselines: High, Moderate, Low
Assessment Procedures: The organization conducting the inspection/assessment obtains and examines the list of personnel with authorized access to facilities where information systems reside to ensure it is current within every 90 days. The review process should also determine if the organization has identified and officially designated its publicly accessible areas where access authorization is not required. DoD has defined the frequency as every 90 days.
Reference: Enclosure 1

Control: PE-2 | Assessment: PE-2 (a) | CCI: CCI-002910 | C/I/A baselines: High, Moderate, Low
Assessment Procedures: The organization conducting the inspection/assessment obtains and examines the list of individuals currently authorized to access the facility where the information system resides and ensures it is formally approved.
Reference: Enclosure 1
Control: PE-2 | Assessment: PE-2 (a) | CCI: CCI-002911 | C/I/A baselines: High, Moderate, Low
Assessment Procedures: The organization conducting the inspection/assessment obtains and examines the list of individuals to ensure the organization being inspected/assessed maintains a list of individuals currently authorized to access the facility where the information system resides.
Reference: Enclosure 1
Control: PE-2 | Assessment: PE-2 (b) | CCI: CCI-000913 | C/I/A baselines: High, Moderate, Low
Assessment Procedures: The organization conducting the inspection/assessment obtains and examines documentation of credential issuing activities to ensure credentials are issued to personnel with authorized access.
Reference: Section 2.1

Control: PE-2 | Assessment: PE-2 (c) | CCI: CCI-000914 | C/I/A baselines: High, Moderate, Low
Assessment Procedures: The organization conducting the inspection/assessment obtains and examines the audit records of the review actions to ensure that reviews are conducted every 90 days. DoD has defined the frequency as every 90 days.
Reference: Enclosure 1

Control: PE-2 | Assessment: PE-2 (c) | CCI: CCI-001635 | C/I/A baselines: High, Moderate, Low
Assessment Procedures: The organization conducting the inspection/assessment obtains and examines the review and approval actions documentation to ensure that personnel no longer requiring access have been removed from the authorized access list and their credentials have been revoked.
Reference: Section 2.1

Control: PE-2 | Assessment: PE-2 (c) | CCI: CCI-000915 | C/I/A baselines: High, Moderate, Low
Assessment Procedures: The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as every 90 days.
Reference: Automatically compliant with this CCI because they are covered at the DoD level.
FOR OFFICIAL USE ONLY{ACRONYM} {DATE}PHYSICAL AND ENVIRONMENTAL PROTECTION PLAN
Control Number
Assessment Number
CCI Confidentiality Integrity Availability Assessment Procedures
Reference
PE-20 | PE-20 (a) | CCI-002979 | C: blank | I: blank | A: blank
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines documentation reflecting the asset location technologies in use to ensure the organization being inspected/assessed implements the asset location technologies defined in PE-20, CCI 2980 to track and monitor the location and movement of the assets defined in PE-20, CCI 2981 within the controlled areas defined in PE-20, CCI 2982.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.

PE-20 | PE-20 (a) | CCI-002980 | C: blank | I: blank | A: blank
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines the documented asset location technologies to ensure the organization being inspected/assessed defines asset location technologies to track and monitor the location and movement of organization-defined assets within organization-defined controlled areas. DoD has determined the asset location technologies are not appropriate to define at the Enterprise level.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.

PE-20 | PE-20 (a) | CCI-002981 | C: blank | I: blank | A: blank
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines the documented assets to ensure the organization being inspected/assessed defines the assets within the organization-defined controlled areas whose location and movement are to be tracked and monitored. DoD has determined the assets are not appropriate to define at the Enterprise level.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.

PE-20 | PE-20 (a) | CCI-002982 | C: blank | I: blank | A: blank
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines the documented controlled areas to ensure the organization being inspected/assessed defines the controlled areas within which the location and movement of organization-defined assets are tracked and monitored. DoD has determined the controlled areas are not appropriate to define at the Enterprise level.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.

PE-20 | PE-20 (b) | CCI-002983 | C: blank | I: blank | A: blank
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines the documented list of any federal laws, Executive Orders, directives, regulations, policies, standards, and guidance applicable to the asset location technologies in use, as well as the documentation of asset tracking technologies per PE-20, CCI 2980, to ensure that the organization being inspected/assessed identifies any requirements (particularly privacy requirements) applicable to the asset tracking methodologies in use, and to ensure that the organization implements a process to meet those identified requirements.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.
PE-3 (1) | PE-3 (1) | CCI-000928 | C/I/A (as extracted): High/Moderate/Low | High/Moderate/Low
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines the documented list of additional physical access authorizations for the facility/facilities at physical spaces containing one or more components of the information system. The objective of the examination is to determine whether the organization enforces additional physical access authorizations to the areas of the facility defined in PE-3 (1), CCI 2926. These controls are independent of the physical access controls established for the facility as a whole.
Reference: Section 2.2

PE-3 (1) | PE-3 (1) | CCI-002926 | C/I/A (as extracted): High/Moderate/Low | High/Moderate/Low
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines the documented physical spaces to ensure the organization being inspected/assessed defines the physical spaces containing one or more components of the information system that require physical access authorizations and controls at the facility. DoD has determined the physical spaces are not appropriate to define at the Enterprise level.
Reference: Section 2.2

PE-3 (2) | PE-3 (2) | CCI-000929 | C: blank | I: blank | A: blank
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines the documented procedures as well as the audit trail of security checks at the physical boundary to ensure the organization being inspected/assessed performs security checks at the physical boundary of the facility or information system at a minimum annually. DoD has defined the frequency as at a minimum, annually.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.

PE-3 (2) | PE-3 (2) | CCI-002927 | C: blank | I: blank | A: blank
Assessment Procedure: The organization being inspected/assessed is automatically compliant with this CCI because it is covered at the DoD level. DoD has defined the frequency as at a minimum, annually.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.

PE-3 (3) | PE-3 (3) | CCI-000930 | C: blank | I: blank | A: blank
Assessment Procedure: The organization conducting the inspection/assessment obtains the list of guards or alarms for every physical access point to the facility where the information system resides and visually verifies a sampling of access points to ensure the appropriate guard or alarm is in place to monitor each point 24 hours per day, 7 days per week.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.

PE-3 (4) | PE-3 (4) | CCI-000931 | C: blank | I: blank | A: blank
Assessment Procedure: The organization conducting the inspection/assessment performs a sample inspection of the lockable physical casings. The objective of the review is to validate that the organization uses lockable physical casings to protect organization-defined information system components from unauthorized physical access.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.

PE-3 (4) | PE-3 (4) | CCI-000932 | C: blank | I: blank | A: blank
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines the documented information system components to ensure the organization being inspected/assessed defines the information system components to be protected from unauthorized physical access using lockable physical casings. DoD has determined the information system components are not appropriate to define at the Enterprise level.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.
PE-3 (5) | PE-3 (5) | CCI-000933 | C: blank | I: blank | A: blank
Assessment Procedure: The organization conducting the inspection/assessment inspects the information system to ensure the organization being inspected/assessed employs the security safeguards defined in PE-3 (5), CCI 2928 to detect and/or prevent physical tampering or alteration of the hardware components defined in PE-3 (5), CCI 2929 within the information system.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.

PE-3 (5) | PE-3 (5) | CCI-002928 | C: blank | I: blank | A: blank
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines the documented security safeguards to ensure the organization being inspected/assessed defines security safeguards to detect and prevent physical tampering or alteration of organization-defined hardware components within the information system. DoD has determined the security safeguards are not appropriate to define at the Enterprise level.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.

PE-3 (5) | PE-3 (5) | CCI-002929 | C: blank | I: blank | A: blank
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines the documented hardware components to ensure the organization being inspected/assessed defines the hardware components within the information system to which organization-defined security safeguards are applied to detect and prevent physical tampering or alteration. DoD has determined the hardware components are not appropriate to define at the Enterprise level.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.

PE-3 (6) | PE-3 (6) | CCI-000934 | C: blank | I: blank | A: blank
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines the inspected organization's physical security assessment plan and reviews the documented results to ensure annual penetration testing of physical access points occurred. DoD has defined the frequency as annually.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.

PE-3 (6) | PE-3 (6) | CCI-000935 | C: blank | I: blank | A: blank
Assessment Procedure: The organization being inspected/assessed is automatically compliant with this CCI because it is covered at the DoD level. DoD has defined the frequency as annually.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.
PE-3 | PE-3 (a) | CCI-000919 | C: High/Moderate/Low | I: High/Moderate/Low | A: High/Moderate/Low
Assessment Procedure: The organization conducting the inspection/assessment performs a physical inspection of the facility entry/exit points defined in PE-3, CCI 2915 to ensure that access points used as normal entry points have physical access authorization controls in place and that all other access points are properly secured. Physical access points that are not documented or are not secured constitute a failure of this control.
Reference: Section 2.2.2

PE-3 | PE-3 (a) | CCI-002915 | C: High/Moderate/Low | I: High/Moderate/Low | A: High/Moderate/Low
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines the documented entry/exit points and inspects the facility to ensure that all entry/exit points are documented. DoD has determined the entry/exit points are not appropriate to define at the Enterprise level.
Reference: Section 2.2.2

PE-3 | PE-3 (a) (1) | CCI-000920 | C: High/Moderate/Low | I: High/Moderate/Low | A: High/Moderate/Low
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines the access authorization list of personnel that have access to the facility where the information system resides (the access list implemented through PE-2, CCI 000912). The assessor inspects selected facilities to confirm the inspected organization grants access at all physical access points only to authorized personnel.
Reference: Enclosure 1

PE-3 | PE-3 (a) (2) | CCI-002916 | C: High/Moderate/Low | I: High/Moderate/Low | A: High/Moderate/Low
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines the documented physical access control systems/devices to ensure the organization being inspected/assessed defines the physical access control systems/devices or guards that control ingress/egress to the facility. DoD has determined the physical access control systems/devices are not appropriate to define at the Enterprise level.
Reference: Section 2.2; Section 2.2.5

PE-3 | PE-3 (a) (2) | CCI-000921 | C: High/Moderate/Low | I: High/Moderate/Low | A: High/Moderate/Low
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines the list of physical access control devices and/or guards in use defined in PE-3, CCI 2916 and conducts random inspections of entry points. The purpose is to determine whether the organization uses those physical access devices and/or guards to control entry of personnel into the facility hosting the information system.
Reference: Section 2.2; Section 2.2.5
PE-3 | PE-3 (b) | CCI-002917 | C: High/Moderate/Low | I: High/Moderate/Low | A: High/Moderate/Low
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines the physical access audit logs and compares the logged entries with known access to those entry points to ensure the organization being inspected/assessed maintains physical access audit logs for the entry/exit points defined in PE-3, CCI 2918. Instances of access that are compared with the audit logs include, at a minimum, access made as part of the inspection/assessment. Comparison of other entry/exit events required elsewhere in system documentation that would have occurred before the inspection/assessment, such as daily checks and scheduled maintenance, is strongly encouraged and helps establish a history of compliance/non-compliance.
Reference: Base Badge System; Enclosure 2

PE-3 | PE-3 (b) | CCI-002918 | C: High/Moderate/Low | I: High/Moderate/Low | A: High/Moderate/Low
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines the documented entry/exit points to ensure the organization being inspected/assessed defines the entry/exit points for which physical access audit logs must be maintained. DoD has determined the entry/exit points are not appropriate to define at the Enterprise level.
Reference: Section 2.2.2

PE-3 | PE-3 (c) | CCI-002920 | C: High/Moderate/Low | I: High/Moderate/Low | A: High/Moderate/Low
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines the documented security safeguards to ensure the organization being inspected/assessed defines security safeguards to control access to areas within the facility officially designated as publicly accessible. DoD has determined the security safeguards are not appropriate to define at the Enterprise level.
Reference: Section 2.2.3

PE-3 | PE-3 (c) | CCI-002919 | C: High/Moderate/Low | I: High/Moderate/Low | A: High/Moderate/Low
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines the documentation of areas officially designated as publicly accessible to ensure the organization being inspected/assessed provides the security safeguards defined in PE-3, CCI 2920 to control access to areas within the facility officially designated as publicly accessible.
Reference: Section 2.2.3

PE-3 | PE-3 (d) | CCI-002922 | C: High/Moderate/Low | I: High/Moderate/Low | A: High/Moderate/Low
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines the documented circumstances to ensure the organization being inspected/assessed defines the circumstances requiring visitor escorts. DoD has determined the circumstances are not appropriate to define at the Enterprise level.
Reference: Section 2.2.4

PE-3 | PE-3 (d) | CCI-002921 | C: High/Moderate/Low | I: High/Moderate/Low | A: High/Moderate/Low
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed escorts visitors under the circumstances defined in PE-3, CCI 2922 as requiring visitor escorts.
Reference: Section 2.2.4

PE-3 | PE-3 (d) | CCI-002924 | C: High/Moderate/Low | I: High/Moderate/Low | A: High/Moderate/Low
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines the documented circumstances to ensure the organization being inspected/assessed defines the circumstances requiring visitor monitoring. DoD has determined the circumstances are not appropriate to define at the Enterprise level.
Reference: Section 2.2.4

PE-3 | PE-3 (d) | CCI-002923 | C: High/Moderate/Low | I: High/Moderate/Low | A: High/Moderate/Low
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed monitors visitor activity under the circumstances defined in PE-3, CCI 2924 as requiring visitor monitoring.
Reference: Section 2.2.4

PE-3 | PE-3 (e) | CCI-000923 | C: High/Moderate/Low | I: High/Moderate/Low | A: High/Moderate/Low
Assessment Procedure: The organization conducting the inspection/assessment conducts physical inspections and interviews physical security/safety personnel to validate that the organization has taken the proper precautions and established the proper procedures to adequately secure its keys, combinations, and other physical access devices.
Reference: Section 2.2.5
PE-3 | PE-3 (f) | CCI-000924 | C: High/Moderate/Low | I: High/Moderate/Low | A: High/Moderate/Low
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines the inventory records for physical access devices (at a minimum, keys or any other physical token used to gain access) to ensure the inventory is conducted annually. DoD has defined the frequency as annually. DoD has defined the physical access devices as, at a minimum, keys or any other physical token used to gain access.
Reference: Section 2.2.5

PE-3 | PE-3 (f) | CCI-002925 | C: High/Moderate/Low | I: High/Moderate/Low | A: High/Moderate/Low
Assessment Procedure: The organization being inspected/assessed is automatically compliant with this CCI because it is covered at the DoD level. DoD has defined the physical access devices as, at a minimum, keys or any other physical token used to gain access.
Reference: Automatically compliant with this CCI because it is covered at the DoD level

PE-3 | PE-3 (f) | CCI-000925 | C: High/Moderate/Low | I: High/Moderate/Low | A: High/Moderate/Low
Assessment Procedure: The organization being inspected/assessed is automatically compliant with this CCI because it is covered at the DoD level. DoD has defined the frequency as annually.
Reference: Automatically compliant with this CCI because it is covered at the DoD level

PE-3 | PE-3 (g) | CCI-000926 | C: High/Moderate/Low | I: High/Moderate/Low | A: High/Moderate/Low
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines documentation of key and combination change actions to validate that the organization changes its keys and combinations upon occurrence of security-relevant events, and when keys are lost, combinations are compromised, or individuals are transferred or terminated. DoD has defined the frequency as required by security-relevant events.
Reference: Section 2.2.5

PE-3 | PE-3 (g) | CCI-000927 | C: High/Moderate/Low | I: High/Moderate/Low | A: High/Moderate/Low
Assessment Procedure: The organization being inspected/assessed is automatically compliant with this CCI because it is covered at the DoD level. DoD has defined the frequency as required by security-relevant events.
Reference: Automatically compliant with this CCI because it is covered at the DoD level

PE-4 | PE-4 | CCI-000936 | C/I/A (as extracted): High/Moderate | High/Moderate
Assessment Procedure: The organization conducting the inspection/assessment inspects the information system distribution and transmission lines defined in PE-4, CCI 2930 to ensure the security safeguards defined in PE-4, CCI 2931 are in place.
Reference: Section 2.3

PE-4 | PE-4 | CCI-002930 | C/I/A (as extracted): High/Moderate | High/Moderate
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines the documented information system distribution and transmission lines to ensure the organization being inspected/assessed defines the information system distribution and transmission lines within organizational facilities to which physical access is controlled using organization-defined security safeguards. DoD has determined the information system distribution and transmission lines are not appropriate to define at the Enterprise level.
Reference: Section 2.3

PE-4 | PE-4 | CCI-002931 | C/I/A (as extracted): High/Moderate | High/Moderate
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines the documented security safeguards to ensure the organization being inspected/assessed defines security safeguards to control physical access to organization-defined information system distribution and transmission lines within organizational facilities. DoD has determined the security safeguards are not appropriate to define at the Enterprise level.
Reference: Section 2.3

PE-5 | PE-5 | CCI-000937 | C/I/A (as extracted): High/Moderate
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines the list of additional access controls for output devices. Physical inspection is required to ensure these access controls are properly implemented.
Reference: Section 2.4

PE-5 (1) | PE-5 (1) (a) | CCI-002932 | C: blank | I: blank | A: blank
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines the documented process and inspects the physical access controls surrounding a sampling of output devices to ensure the organization being inspected/assessed controls physical access to output from the output devices defined in PE-5 (1), CCI 2933.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.

PE-5 (1) | PE-5 (1) (a) | CCI-002933 | C: blank | I: blank | A: blank
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines the documented output devices to ensure the organization being inspected/assessed defines the output devices for which physical access to output is controlled. DoD has determined the output devices are not appropriate to define at the Enterprise level.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.
PE-5 (1) | PE-5 (1) (b) | CCI-002934 | C: blank | I: blank | A: blank
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines the documented process and inspects the physical access controls surrounding a sampling of output devices to ensure the organization being inspected/assessed ensures that only authorized individuals receive output from the output devices defined in PE-5 (1), CCI 2933.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.

PE-5 (2) | PE-5 (2) (a) | CCI-002935 | C: blank | I: blank | A: blank
Assessment Procedure: The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to control physical access to output from the output devices defined in PE-5 (1), CCI 2933. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2935.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.

PE-5 (2) | PE-5 (2) (b) | CCI-002936 | C: blank | I: blank | A: blank
Assessment Procedure: The organization conducting the inspection/assessment examines the information system to ensure the organization being inspected/assessed configures the information system to link individual identity to receipt of output from the output devices defined in PE-5 (1), CCI 2933. For information system components that have applicable STIGs or SRGs, the organization conducting the inspection/assessment evaluates the components to ensure that the organization being inspected/assessed has configured the information system in compliance with the applicable STIGs and SRGs pertaining to CCI 2936.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.

PE-5 (3) | PE-5 (3) | CCI-002937 | C: blank | I: blank | A: blank
Assessment Procedure: The organization conducting the inspection/assessment inspects a sampling of information system components to ensure the organization being inspected/assessed marks its information system output devices (DoD-defined as all devices, if the organizational facility contains classified information) to indicate the appropriate security marking of the information permitted to be output from the device. DoD has defined the information system output devices as all devices if the organizational facility contains classified information.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.

PE-5 (3) | PE-5 (3) | CCI-002938 | C: blank | I: blank | A: blank
Assessment Procedure: The organization being inspected/assessed is automatically compliant with this CCI because it is covered at the DoD level. DoD has defined the information system output devices as all devices if the organizational facility contains classified information.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.

PE-6 (1) | PE-6 (1) | CCI-000942 | C: High/Moderate | I: High/Moderate | A: High/Moderate
Assessment Procedure: The organization conducting the inspection/assessment observes and interviews security personnel conducting monitoring activities to validate that the organization actively monitors all physical intrusion alarms and surveillance equipment.
Reference: Section 2.5
PE-6 (2) | PE-6 (2) | CCI-002942 | C: blank | I: blank | A: blank
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines hardware/software lists and/or any other documentation showing the use of automated intrusion detection systems to ensure the organization being inspected/assessed implements automated mechanisms to recognize the classes/types of intrusions defined in PE-6 (2), CCI 2943.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.

PE-6 (2) | PE-6 (2) | CCI-002943 | C: blank | I: blank | A: blank
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines the documented classes/types of intrusions to ensure the organization being inspected/assessed defines the classes/types of intrusions to be recognized using automated mechanisms. DoD has determined the classes/types of intrusions are not appropriate to define at the Enterprise level.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.

PE-6 (2) | PE-6 (2) | CCI-002944 | C: blank | I: blank | A: blank
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines hardware/software lists and/or any other documentation showing the use of automated intrusion detection systems to ensure the organization being inspected/assessed implements automated mechanisms to initiate the response actions defined in PE-6 (2), CCI 2945 to the classes/types of intrusions defined in PE-6 (2), CCI 2943.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.

PE-6 (2) | PE-6 (2) | CCI-002945 | C: blank | I: blank | A: blank
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines the documented response actions to ensure the organization being inspected/assessed defines the response actions to initiate when organization-defined classes/types of intrusions are recognized. DoD has determined the response actions are not appropriate to define at the Enterprise level.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.

PE-6 (3) | PE-6 (3) | CCI-002946 | C: blank | I: blank | A: blank
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines the documentation of video surveillance and a sampling of recorded video to ensure the organization being inspected/assessed employs video surveillance of the operational areas defined in PE-6 (3), CCI 2947.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.

PE-6 (3) | PE-6 (3) | CCI-002947 | C: blank | I: blank | A: blank
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines the documented operational areas to ensure the organization being inspected/assessed defines the operational areas in which video surveillance is employed. DoD has determined the operational areas are not appropriate to define at the Enterprise level.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.

PE-6 (3) | PE-6 (3) | CCI-002948 | C: blank | I: blank | A: blank
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines the documented process and a sampling of recordings from within the last 90 days to ensure the organization being inspected/assessed retains video surveillance recordings for a minimum of 90 days. DoD has defined the time period as a minimum of 90 days.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.

PE-6 (3) | PE-6 (3) | CCI-002949 | C: blank | I: blank | A: blank
Assessment Procedure: The organization being inspected/assessed is automatically compliant with this CCI because it is covered at the DoD level. DoD has defined the time period as a minimum of 90 days.
Reference: NIST has not allocated this AP. Therefore, this AP is not applicable.

PE-6 (4) | PE-6 (4) | CCI-002950 | C: High | I: High | A: High
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines the documented process as well as the records of monitoring to ensure the organization being inspected/assessed monitors physical access to the information system, in addition to the physical access monitoring of the facility, at the physical spaces containing one or more components of the information system defined in PE-6 (4), CCI 2951.
Reference: The system is not considered a HIGH level. Therefore, this AP is not applicable.

PE-6 (4) | PE-6 (4) | CCI-002951 | C: High | I: High | A: High
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines the documented physical spaces to ensure the organization being inspected/assessed defines the physical spaces containing one or more components of the information system in which physical access is monitored. DoD has determined the physical spaces are not appropriate to define at the Enterprise level.
Reference: The system is not considered a HIGH level. Therefore, this AP is not applicable.

PE-6 | PE-6 (a) | CCI-002939 | C: High/Moderate/Low | I: High/Moderate/Low | A: High/Moderate/Low
Assessment Procedure: The organization conducting the inspection/assessment obtains and examines the inspected organization's monitoring procedures addressing physical access monitoring, and interviews organizational personnel with physical access monitoring responsibilities. The objective of the reviews and interviews is to validate that the organization actively monitors its physical access intrusion alarms and surveillance equipment to detect and respond to physical access security incidents.
Reference: Section 2.5
FOR OFFICIAL USE ONLY{ACRONYM} {DATE}PHYSICAL AND ENVIRONMENTAL PROTECTION PLAN
Control Number
Assessment Number
CCI Confidentiality Integrity Availability Assessment Procedures
Reference
PE-6 PE-6 (b) CCI-000939 HighModerateLow
HighModerateLow
HighModerateLow
The organization conducting the inspection/assessment obtains and examines the inspected organization's physical access logs or records; physical access incident reports; and any other relevant documents or records. The purpose of the reviews is to determine if the organization is conducting reviews of the physical access logs every 30 days. DoD has defined the frequency as every 30 days.
Section 2.5
PE-6 PE-6 (b) CCI-002941 HighModerateLow
HighModerateLow
HighModerateLow
The organization conducting the inspection/assessment obtains and examines the documented events or potential indications of events to ensure the organization being inspected/assessed defines events or potential indications of events requiring review of physical access logs. DoD has determined the events or potential indications of events are not appropriate to define at the Enterprise level.
Section 2.5
PE-6 PE-6 (b) CCI-002940 HighModerateLow
HighModerateLow
HighModerateLow
The organization conducting the inspection/assessment obtains and examines the documented process as well as the records of reviews to ensure the organization being inspected/assessed reviews physical access logs upon occurrence of events or potential indications of events defined in PE-6, CCI 2941.
Section 2.5
FOR OFFICIAL USE ONLY 62
FOR OFFICIAL USE ONLY{ACRONYM} {DATE}PHYSICAL AND ENVIRONMENTAL PROTECTION PLAN
Control Number
Assessment Number
CCI Confidentiality Integrity Availability Assessment Procedures
Reference
PE-6 PE-6 (b) CCI-000940 HighModerateLow
HighModerateLow
HighModerateLow
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as every 30 days.
Automatically compliant with this CCI because they are covered at the DoD level
PE-6 PE-6 (c) CCI-000941 HighModerateLow
HighModerateLow
HighModerateLow
The organization conducting the inspection/assessment obtains and examines documentation of physical security incidents to ensure coordination with the inspected organization's incident response capability occurred.
Section 2.5Incident Response Plan
PE-8 (1) PE-8 (1) CCI-000950 High High The organization conducting the inspection/assessment:1. obtains documentation identifying the automated mechanism in use by the inspected organization to facilitate the maintenance and review of access records2. Observes the use of the automated mechanism by the inspected organization
The system is not considered a HIGH level. Therefore, this AP is not applicable.
PE-8 PE-8 (a) CCI-000947 HighModerateLow
HighModerateLow
HighModerateLow
The organization conducting the inspection/assessment obtains and examines visitor access records to determine if the organization is maintaining visitor access records to the facility where the information system resides for at least one year. DoD has defined the time period as at least one year.
Section 3.1Enclosure 2
FOR OFFICIAL USE ONLY 63
FOR OFFICIAL USE ONLY{ACRONYM} {DATE}PHYSICAL AND ENVIRONMENTAL PROTECTION PLAN
Control Number
Assessment Number
CCI Confidentiality Integrity Availability Assessment Procedures
Reference
PE-8 PE-8 (a) CCI-002952 HighModerateLow
HighModerateLow
HighModerateLow
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the time period as at least one year.
Automatically compliant with this CCI because they are covered at the DoD level
PE-8 PE-8 (b) CCI-000948 HighModerateLow
HighModerateLow
HighModerateLow
The organization conducting the inspection/assessment obtains and examines the audit documentation of visitor access record review to ensure the inspected organization is conducting reviews every 30 days. DoD has defined the frequency as every 30 days.
Section 3.1Enclosure 2
PE-8 PE-8 (b) CCI-000949 HighModerateLow
HighModerateLow
HighModerateLow
The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as every 30 days.
Automatically compliant with this CCI because they are covered at the DoD level
PE-9 PE-9 CCI-000952 HighModerate
The organization conducting the inspection/assessment obtains and examines the list of protective measures. Physical inspection of power equipment and power cabling will be done to ensure identified protective measures are in place.
Section 4.1
FOR OFFICIAL USE ONLY 64
FOR OFFICIAL USE ONLY{ACRONYM} {DATE}PHYSICAL AND ENVIRONMENTAL PROTECTION PLAN
Control Number
Assessment Number
CCI Confidentiality Integrity Availability Assessment Procedures
Reference
PE-9 (1) PE-9 (1) CCI-002953 blank blank blank The organization conducting the inspection/assessment obtains and examines cabling diagrams or, if unavailable, inspects power cabling configuration to ensure the organization being inspected/assessed employs redundant power cabling paths that are physically separated by the distance defined in PE-9 (1), CCI 2954.
NIST has not allocated this AP. Therefore, this AP is not applicable.
PE-9 (1) PE-9 (1) CCI-002954 blank blank blank The organization conducting the inspection/assessment obtains and examines the documented distance to ensure the organization being inspected/assessed defines the distance to physically separate redundant power cabling paths. DoD has determined the distance is not appropriate to define at the Enterprise level.
NIST has not allocated this AP. Therefore, this AP is not applicable.
PE-9 (2) PE-9 (2) CCI-000954 blank blank blank The organization conducting the inspection/assessment obtains the documentation of the all mission critical IT Components required to have automatic voltage controls mechanisms devices in place (IAW PE-9 (2), CCI 955) and does a visual inspection of at least a sample of the above list to ensure automatic voltage control mechanisms are in place. DoD has defined the list of critical information system components as all IT Components Critical to Execution of Missions.
NIST has not allocated this AP. Therefore, this AP is not applicable.
FOR OFFICIAL USE ONLY 65
FOR OFFICIAL USE ONLY{ACRONYM} {DATE}PHYSICAL AND ENVIRONMENTAL PROTECTION PLAN
Control Number
Assessment Number
CCI Confidentiality Integrity Availability Assessment Procedures
Reference
PE-9 (2) PE-9 (2) CCI-000955 blank blank The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the list of critical information system components as all IT Components Critical to Execution of Missions.
Automatically compliant with this CCI because they are covered at the DoD level
ENCLOSURE 1 – AUTHORIZED PERSONNEL ACCESS LIST

Authorized Personnel Access List

| Personnel Name | Organization |
|---|---|
| | |

The above personnel are authorized access to {ACRONYM}. This roster is reviewed at least every 90 days.

ENCLOSURE 2 – VISITOR ACCESS LOG

ENCLOSURE 3 – DELIVERY AND REMOVAL LOG

Delivery and Removal Log

| Component | Entry/Exit | Date | Notes |
|---|---|---|---|
| | | | |

ENCLOSURE 4 – DAILY PHYSICAL SECURITY CHECKLIST

ACTIVITY SECURITY CHECKLIST

DIVISION/BRANCH/OFFICE: Enter text.
ROOM NUMBER: Enter text.
MONTH AND YEAR: Enter text.

Irregularities discovered will be promptly reported to the designated Security Office for corrective action.

STATEMENT: I have conducted a security inspection of this work area and checked all the items listed below.

TO (if required): Enter text.
FROM (if required): Enter text.
THROUGH (if required): Enter text.

*ITEM (one check-off column for each day of the month, 1 through 31)
1. Enter text.
2. Enter text.
3. Enter text.
4. Enter text.
5. Enter text.
6. Enter text.
7. Enter text.
8. Enter text.
9. Enter text.
10. Enter text.
11. Enter text.
12. Enter text.
13. Enter text.
14. Enter text.
15. Enter text.