CCI-000916

Implementation Guidance

The organization being inspected/assessed must: 1. Develop and document a list of roles or positions that have access to the facility where the information system resides. 2. Identify and document personnel assigned to those roles. 3. Authorize and document access to the facility to personnel in identified roles

Validation Procedures

The organization conducting the inspection/assessment obtains and examines: 1. The list of roles or positions that have access to the facility where the information system resides. 2. The list of personnel assigned to those roles Recommended: 3. Access logs to verify access to the facility was authorized based on the appropriate roles and positions

Compelling Evidence

1.) List of roles, personnel assigned to those roles and access logs