Navigate

PE-6

PE-6: Monitoring Physical Access

The organization:

a: Monitors physical access to the facility where the information system resides to detect and respond to physical security incidents;

b: Reviews physical access logs [one of ] and upon occurrence of [one of ]; and

c: Coordinates results of reviews and investigations with the organizational incident response capability.

Supplemental

Organizational incident response capabilities include investigations of and responses to detected physical security incidents. Security incidents include, for example, apparent security violations or suspicious physical access activities. Suspicious physical access activities include, for example: (i) accesses outside of normal work hours; (ii) repeated accesses to areas not normally accessed; (iii) accesses for unusual lengths of time; and (iv) out-of-sequence accesses.

CIA Levels
Confidentiality	low
Integrity	low
Availability	low

Overlays
Privacy (PHI)

CSF Categories
DE.CM-2, DE.CM-7, PR.AC-2, RS.AN-1, RS.CO-3

Related Controls

The controls below (if any) were marked by NIST as being related to PE-6.

Control	Description
CA-7	The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: a: Establishment of [one of ] to be monitored; b: Establishment of [one of ] for monitoring and [one of ] for assessments supporting such monitoring; c: Ongoing security control assessments in accordance with the organizational continuous monitoring strategy; d: Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy; e: Correlation and analysis of security-related information generated by assessments and monitoring; f: Response actions to address results of the analysis of security-related information; and g: Reporting the security status of organization and the information system to [one of ] [one of ].
IR-4	The organization: a: Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery; b: Coordinates incident handling activities with contingency planning activities; and c: Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implements the resulting changes accordingly.
IR-8	The organization: a: Develops an incident response plan that: 1: Provides the organization with a roadmap for implementing its incident response capability; 2: Describes the structure and organization of the incident response capability; 3: Provides a high-level approach for how the incident response capability fits into the overall organization; 4: Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; 5: Defines reportable incidents; 6: Provides metrics for measuring the incident response capability within the organization; 7: Defines the resources and management support needed to effectively maintain and mature an incident response capability; and 8: Is reviewed and approved by [one of ]; b: Distributes copies of the incident response plan to [one of ]; c: Reviews the incident response plan [one of ]; d: Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing; e: Communicates incident response plan changes to [one of ]; and f: Protects the incident response plan from unauthorized disclosure and modification.

Enhancements

The controls below (if any) add on to the requirements of PE-6.

Control	Description
PE-6(1)	The organization monitors physical intrusion alarms and surveillance equipment.
PE-6(2)	The organization employs automated mechanisms to recognize [one of ] and initiate [one of ].
PE-6(3)	The organization employs video surveillance of [one of ] and retains video recordings for [one of ].
PE-6(4)	The organization monitors physical access to the information system in addition to the physical access monitoring of the facility as [one of ].

Related CCIs

The CCIs below are tied to PE-6.

CCI	Definition
CCI-000939	Review physical access logs in accordance with organization-defined frequency.
CCI-000940	Defines a frequency for reviewing physical access logs.
CCI-000941	Coordinate results of reviews and investigations with the organization's incident response capability.
CCI-002939	Monitor physical access to the facility where the system resides to detect and respond to physical security incidents.
CCI-002940	Review physical access logs upon occurrence of organization-defined events or potential indications of events.
CCI-002941	Defines events or potential indications of events requiring review of physical access logs.