Limit physical access to systems and facilities to authorized individuals
Servers, workstations, networking equipment, and storage media holding Federal Contract Information must be physically accessible only to authorized personnel. An attacker with physical access to a system can bypass most software-based security controls: they can boot from external media, remove storage drives, or install hardware keyloggers. Physical access control is the layer that protects against insider threats and physical intrusion.
Implementation steps
1. Identify locations where FCI systems reside
Map the physical locations of all systems, equipment, and storage that process or store FCI. This includes server rooms, data center cages, network closets, workstation areas, and anywhere backup media is stored. These locations are in scope for physical access controls.
Suggested tools: Excel, Confluence

2. Implement physical access controls at each location
Secure each in-scope location with appropriate physical controls: locked doors with access card or keypad entry for server rooms and network closets, locked workstation areas or cable locks for individual systems, and locked cabinets for media storage. Server racks should be locked even within a locked room.
Suggested tools: HID, Lenel, Genetec

3. Maintain and manage an authorized access list
Document which individuals are authorized to physically access each secured location and why. Tie physical access to job function. Provision access through a formal request process and ensure physical access is revoked on the same day an employee terminates or changes to a role that no longer requires it.
Suggested tools: ServiceNow, Active Directory

4. Periodically review physical access rights
Conduct periodic reviews (at least annually) of who has physical access to each location. Verify that current cardholders still have a business need. Remove access for individuals whose roles have changed or who no longer require access.
Suggested tools: Lenel, Genetec
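Steps 3 and 4 describe a reconciliation: the cardholders the badge system actually admits to a location are compared against the authorized access list and the HR roster, and anyone who is terminated, no longer in the authorizing role, not on the list at all, or simply not using the access gets flagged for revocation. The following script is an added example of that review and is not part of this page or of any vendor's product; the CSV column names (badge_id, employee_id, location, last_used, status, role, justification) and the sample rows are constructed, and a real run would substitute the access control system's cardholder export and an HR or directory export.

```python
"""Reconcile a badge-system cardholder export against the authorized access list
and the HR roster for a secured location.  Added example; column names and rows
are constructed, not taken from any real access control system."""
import csv
import io
from datetime import date, timedelta

# Constructed sample: who the badge system currently admits to server-room-a.
CARDHOLDER_EXPORT = """badge_id,employee_id,name,location,last_used
1001,E100,Alice Adams,server-room-a,2024-05-20
1002,E101,Bob Brown,server-room-a,2024-01-03
1003,E102,Carol Chen,server-room-a,2024-05-21
1004,E103,Dan Diaz,server-room-a,2024-05-19
"""

# Constructed sample: the documented authorized access list (step 3).
AUTHORIZED_LIST = """employee_id,location,role,justification
E100,server-room-a,Sysadmin,Server maintenance
E102,server-room-a,Network engineer,Switch maintenance
E103,server-room-a,Sysadmin,Server maintenance
"""

# Constructed sample: current employment status and role from HR / directory.
HR_ROSTER = """employee_id,status,role
E100,active,Sysadmin
E101,active,Sysadmin
E102,active,Help desk
E103,terminated,Sysadmin
"""


def parse_csv(text):
    """Parse CSV text into a list of row dicts keyed by header."""
    return list(csv.DictReader(io.StringIO(text)))


def review_access(cardholders_csv, authorized_csv, hr_csv, as_of, stale_days=90):
    """Return one finding per cardholder whose access should be revoked or re-justified.

    as_of is an ISO date string (the review date).  A cardholder is flagged when:
      - no authorized-list entry exists for that person at that location,
      - HR shows the person as terminated or unknown,
      - the person's current HR role differs from the authorizing role, or
      - the badge has not been used within stale_days (unused access is a risk
        with no business benefit and is a candidate for removal).
    """
    review_date = date.fromisoformat(as_of)
    authorized = {(r["employee_id"], r["location"]): r for r in parse_csv(authorized_csv)}
    hr = {r["employee_id"]: r for r in parse_csv(hr_csv)}
    findings = []
    for holder in parse_csv(cardholders_csv):
        emp, loc = holder["employee_id"], holder["location"]
        reasons = []
        auth = authorized.get((emp, loc))
        person = hr.get(emp)
        if auth is None:
            reasons.append("not_on_authorized_list")
        if person is None or person["status"] != "active":
            reasons.append("terminated_or_unknown_in_hr")
        elif auth is not None and person["role"] != auth["role"]:
            reasons.append("role_changed")
        last_used = date.fromisoformat(holder["last_used"])
        if review_date - last_used > timedelta(days=stale_days):
            reasons.append("stale_no_use_%d_days" % stale_days)
        if reasons:
            findings.append({"badge_id": holder["badge_id"], "employee_id": emp,
                             "name": holder["name"], "location": loc, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review_access(CARDHOLDER_EXPORT, AUTHORIZED_LIST, HR_ROSTER, "2024-05-22"):
        print(f["badge_id"], f["name"], f["location"], ", ".join(f["reasons"]))
```

The output is the revocation worklist for the review; keeping the script's output alongside the cardholder export it ran against also produces the "authorized personnel list by location" evidence the control asks for. Shortening stale_days turns the same logic into a monthly check that catches the same-day revocation failures step 3 warns about long before the annual review.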
Evidence required
Physical access control policy
Written policy defining how physical access to FCI locations is granted and managed.
- Physical security policy
- Facility access control procedure
Authorized access list for secured locations
List of individuals authorized to physically access each in-scope location.
- Access control system cardholder export
- Authorized personnel list by location
Physical access control implementation evidence
Evidence that physical controls are in place at each secured location.
- Photographs of server room door with card reader
- Rack lock inventory
- Building access system configuration
Related controls
- Control and manage physical access devices (Physical Access)
- Escort visitors and monitor visitor activity in secured areas (Physical Access)
- Maintain audit logs of physical access to secured areas (Physical Access)
- Limit system access to authorized users, processes, and devices (Authorized Access)