CCI-000917

Require two forms of identification from an organization-defined list of acceptable forms of identification for visitor access to the facility where the system resides.

Implementation Guidance

The organization being inspected/assessed will only grant access to the facility with two organization approved government issued forms of identification defined in PE-2 (2), CCI 2912. This requirement must be documented within the organization's physical security policy. The organization must maintain access control documentation as an auditable event per AU-2, CCI 000123.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the inspected organization's physical security policy for requirements and implementation guidance to have two forms of identification defined in PE-2 (2), CCI 2912 and physical access control logs or records; and any other relevant documents or records to validate compliance.

Compelling Evidence

1.) Physical security policy for requirements and implementation guidance to have two forms of identification defined

The controls below (if any) were marked by NIST as being related to CCI-000917.