PE.L1-3.10.5/b.1.ix Manage Physical Access
Control and manage physical access devices.
Source: FAR Clause 52.204-21 Partial b.1.ix, NIST SP 800-171 Rev 2 3.10.5
Discussion: Physical access devices include keys, locks, combinations, and card readers.
Assessment Objectives:
Determine if:
- [a] physical access devices are identified;
- [b] physical access devices are controlled; and
- [c] physical access devices are managed.
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing physical access control; security plan; physical access control logs or records; inventory records of physical access control devices; system entry and exit points; records of key and lock combination changes; storage locations for physical access control devices; physical access control devices; list of security safeguards controlling access to designated publicly accessible areas within facility; other relevant documents or records].
Interview: [SELECT FROM: Personnel with physical access control responsibilities; personnel with information security responsibilities].
Test: [SELECT FROM: Organizational processes for physical access control; mechanisms supporting or implementing physical access control; physical access control devices].
SPRS Score: 1
POA&M Allowed: No