Navigate

PE-6

PE-6: Monitoring Physical Access

The organization:

PE-6a.: Monitors physical access to the facility where the information system resides to detect and respond to physical security incidents;

PE-6b.: Reviews physical access logs [Assignment: organization-defined frequency] and upon occurrence of [Assignment: organization-defined events or potential indications of events]; and

PE-6c.: Coordinates results of reviews and investigations with the organizational incident response capability.

Supplemental

Organizational incident response capabilities include investigations of and responses to detected physical security incidents. Security incidents include, for example, apparent security violations or suspicious physical access activities. Suspicious physical access activities include, for example: (i) accesses outside of normal work hours; (ii) repeated accesses to areas not normally accessed; (iii) accesses for unusual lengths of time; and (iv) out-of-sequence accesses.

CIA Levels
Confidentiality	low
Integrity	low
Availability	low

Overlays
Privacy (PHI)

Related Controls

The controls below (if any) were marked by NIST as being related to PE-6.

Control	Description
CA-7	The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: CA-7a.: Establishment of [Assignment: organization-defined metrics] to be monitored; CA-7b.: Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring; CA-7c.: Ongoing security control assessments in accordance with the organizational continuous monitoring strategy; CA-7d.: Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy; CA-7e.: Correlation and analysis of security-related information generated by assessments and monitoring; CA-7f.: Response actions to address results of the analysis of security-related information; and CA-7g.: Reporting the security status of organization and the information system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency].
IR-4	The organization: IR-4a.: Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery; IR-4b.: Coordinates incident handling activities with contingency planning activities; and IR-4c.: Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implements the resulting changes accordingly.
IR-8	The organization: IR-8a.: Develops an incident response plan that: IR-8a.1.: Provides the organization with a roadmap for implementing its incident response capability; IR-8a.2.: Describes the structure and organization of the incident response capability; IR-8a.3.: Provides a high-level approach for how the incident response capability fits into the overall organization; IR-8a.4.: Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; IR-8a.5.: Defines reportable incidents; IR-8a.6.: Provides metrics for measuring the incident response capability within the organization; IR-8a.7.: Defines the resources and management support needed to effectively maintain and mature an incident response capability; and IR-8a.8.: Is reviewed and approved by [Assignment: organization-defined personnel or roles]; IR-8b.: Distributes copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; IR-8c.: Reviews the incident response plan [Assignment: organization-defined frequency]; IR-8d.: Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing; IR-8e.: Communicates incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and IR-8f.: Protects the incident response plan from unauthorized disclosure and modification.

Enhancements

The controls below (if any) add on to the requirements of PE-6.

Control	Description
PE-6 (1)	The organization monitors physical intrusion alarms and surveillance equipment.
PE-6 (2)	The organization employs automated mechanisms to recognize [Assignment: organization-defined classes/types of intrusions] and initiate [Assignment: organization-defined response actions].
PE-6 (3)	The organization employs video surveillance of [Assignment: organization-defined operational areas] and retains video recordings for [Assignment: organization-defined time period].
PE-6 (4)	The organization monitors physical access to the information system in addition to the physical access monitoring of the facility as [Assignment: organization-defined physical spaces containing one or more components of the information system].

Related CCIs

The CCIs below are tied to PE-6.

CCI	Definition
CCI-000939	The organization reviews physical access logs in accordance with organization-defined frequency.
CCI-000940	The organization defines a frequency for reviewing physical access logs.
CCI-000941	The organization coordinates results of reviews and investigations with the organization^s incident response capability.
CCI-002939	The organization monitors physical access to the facility where the information system resides to detect and respond to physical security incidents.
CCI-002940	The organization reviews physical access logs upon occurrence of organization-defined events or potential indications of events.
CCI-002941	The organization defines events or potential indications of events requiring review of physical access logs.