Navigate

CCI-000921

CCI-000921 Definition

The organization controls ingress/egress to the facility where the information system resides using one or more organization-defined physical access control systems/devices or guards.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

The organization being inspected/assessed will control ingress/egress to the facility using the physical access control devices and/or guards defined in PE-3, CCI 2916.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the list of physical access control devices and/or guards in use defined in PE-3, CCI 2916 and conducts random inspections of entry points. The purpose is to determine whether the organization is using those physical access devices and/or guards to control entry of personnel into the facility hosting the information system.

Compelling Evidence

1.) Description of physical access control devices and/or guards used to control entry/exit 2.) Facility access log 3.) Entry/exit pen test results

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-000921.

Control	Description
PE-3	The organization: PE-3a.: Enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system resides] by; PE-3a.1.: Verifying individual access authorizations before granting access to the facility; and PE-3a.2.: Controlling ingress/egress to the facility using [Selection (one or more): [Assignment: organization-defined physical access control systems/devices]; guards]; PE-3b.: Maintains physical access audit logs for [Assignment: organization-defined entry/exit points]; PE-3c.: Provides [Assignment: organization-defined security safeguards] to control access to areas within the facility officially designated as publicly accessible; PE-3d.: Escorts visitors and monitors visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and monitoring]; PE-3e.: Secures keys, combinations, and other physical access devices; PE-3f.: Inventories [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and PE-3g.: Changes combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated.

Control

Description

PE-3

The organization:

PE-3a.: Enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system resides] by;
- PE-3a.1.: Verifying individual access authorizations before granting access to the facility; and
- PE-3a.2.: Controlling ingress/egress to the facility using [Selection (one or more): [Assignment: organization-defined physical access control systems/devices]; guards];

PE-3b.: Maintains physical access audit logs for [Assignment: organization-defined entry/exit points];

PE-3c.: Provides [Assignment: organization-defined security safeguards] to control access to areas within the facility officially designated as publicly accessible;

PE-3d.: Escorts visitors and monitors visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and monitoring];

PE-3e.: Secures keys, combinations, and other physical access devices;

PE-3f.: Inventories [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and

PE-3g.: Changes combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated.