PR.AC-2: Physical access to assets is managed and protected

Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Assignment (one or more): organization-level, mission/business process-level, system-level] physical and environmental protection policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and Procedures to facilitate…

Develop, approve, and maintain a list of individuals with authorized access to the facility where the system resides; Issue authorization credentials for facility access; Review the access list detailing authorized facility access by individuals [Assignment: organization-defined frequency]; and Remove individuals from the facility access list when access is no longer required.

Enforce physical access authorizations at [Assignment: organization-defined entry and exit points to the facility where the system resides] by: Verifying individual access authorizations before granting access to the facility; and Controlling ingress and egress to the facility using [Assignment (one or more): [Assignment: organization-defined physical access control systems or devices] , guards]; Maintain physical access…

Control physical access to [Assignment: organization-defined system distribution and transmission lines] within organizational facilities using [Assignment: organization-defined security controls].

Control physical access to output from [Assignment: organization-defined output devices] to prevent unauthorized individuals from obtaining the output.

Monitor physical access to the facility where the system resides to detect and respond to physical security incidents; Review physical access logs [Assignment: organization-defined frequency] and upon occurrence of [Assignment: organization-defined events or potential indications of events]; and Coordinate results of reviews and investigations with the organizational incident response capability.

Maintain visitor access records to the facility where the system resides for [Assignment: organization-defined time period]; Review visitor access records [Assignment: organization-defined frequency]; and Report anomalies in visitor access records to [Assignment: organization-defined personnel].

Protect power equipment and power cabling for the system from damage and destruction.

This requirement applies to employees, individuals with permanent physical access authorization credentials, and visitors. Authorized individuals have credentials that include badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed consistent with applicable laws, directives, policies, regulations, standards, procedures, and guidelines. This requirement applies only to areas within facilities that have…

Monitoring of physical access includes publicly accessible areas within organizational facilities. This can be accomplished, for example, by the employment of guards; the use of sensor devices; or the use of video surveillance equipment such as cameras. Examples of support infrastructure include system distribution, transmission, and power lines. Security controls applied to the support infrastructure…

Individuals with permanent physical access authorization credentials are not considered visitors. Audit logs can be used to monitor visitor activity.

Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural (e.g., a written log of individuals accessing the facility), automated (e.g., capturing ID provided by a PIV card), or some combination thereof. Physical access points can include facility access points, interior access points to systems or system components requiring supplemental…

Physical access devices include keys, locks, combinations, and card readers.