PE.L1-3.10.4/b.1.ix Physical Access Logs
Maintain audit logs of physical access.
Source: FAR Clause 52.204-21 Partial b.1.ix, NIST SP 800-171 Rev 2 3.10.4
Discussion: Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural (e.g., a written log of individuals accessing the facility), automated (e.g., capturing ID provided by a PIV card), or some combination thereof. Physical access points can include facility access points, interior access points to systems or system components requiring supplemental access controls, or both. System components (e.g., workstations, notebook computers) may be in areas designated as publicly accessible with organizations safeguarding access to such devices.
Assessment Objectives:
Determine if:
- [a] audit logs of physical access are maintained;
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing physical access control; security plan; physical access control logs or records; inventory records of physical access control devices; system entry and exit points; records of key and lock combination changes; storage locations for physical access control devices; physical access control devices; list of security safeguards controlling access to designated publicly accessible areas within facility; other relevant documents or records].
Interview: [SELECT FROM: Personnel with physical access control responsibilities; personnel with information security responsibilities].
Test: [SELECT FROM: Organizational processes for physical access control; mechanisms supporting or implementing physical access control; physical access control devices].
SPRS Score: 1
POA&M Allowed: No