NIST 800-171 | PHYSICAL PROTECTION
Physical security is normally confined to data centers and/or the locations where IT equipment is physically stored. However, it also applies to the places where employees gather and work.
Why hack into something when you can just walk in and take it? The path of least resistance is often preferred when attempting to steal something. Physical security is often overlooked because, in this day and age, who is going to steal information through dumpster diving? There are several articles on the web about not letting your trash become someone else's treasure.
So if you are managing CUI as a small company, you should practice the same physical controls you may already have for managing an ITAR environment. If you are a defense company, you are already familiar with the role of the FSO (Facility Security Officer). The FSO role normally ensures team members have proper security clearances through JPAS, and FSOs are also assigned maintenance of audit logs, physical access, etc. These administrative checks behind your physical security program are more important than having someone physically monitor your environment through a camera system.
The last section (3.10.6) of this family also calls out safeguards for alternate worksites such as telework. Telework security after COVID-19 is going to be a critical issue in managing a remote and secure workforce.
3.10.1 Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
This requirement applies to organizational employees, individuals with permanent physical access authorization credentials, and visitors.
Authorization credentials include:
Organizations determine the strength of authorization credentials needed consistent with:
This requirement applies only to areas within facilities that have not been designated as publicly accessible.
Limiting physical access to equipment may include:
Placing equipment in locked rooms or other secured areas
Allowing access to authorized individuals only
Placing equipment in locations that can be monitored by organizational personnel
External hard disk drives
Scanners, facsimile machines
3.10.2 Protect and monitor the physical facility and support infrastructure for those information systems.
Monitoring of physical access includes publicly accessible areas within organizational facilities.
Security safeguards applied to the support infrastructure prevent
Physical tampering
Eavesdropping
Modification of unencrypted transmissions
Safeguards used to control physical access to support infrastructure include
Locked wiring closets
Disconnected or locked spare jacks
Protection of cabling by conduit or cable trays
3.10.3 Escort visitors and monitor visitor activity.
This requirement applies to employees and visitors.
Organizations determine the types of facility guards needed, including, for example, professional security staff, administrative staff, or system users.
Physical access control systems comply with applicable laws, Executive Orders, directives, policies, regulations, and standards.
Audit logs can be used to monitor visitor activity.
3.10.4 Maintain audit logs of physical access.
Organizations have flexibility in the types of audit logs employed.
Audit logs can be procedural, automated, or some combination thereof.
Physical access points can include facility access points, interior access points to systems or system components requiring supplemental access controls, or both.
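Taken together, 3.10.3 and 3.10.4 describe the review that an automated physical access log makes possible. The following is an added Python example, not part of the original article or the NIST text: it parses a constructed badge-reader log (the format, badge IDs, door names, escort window and business hours are all assumptions) and flags visitor badge entries into non-public areas with no employee badged at the same door within 30 seconds, plus any after-hours attempts against controlled doors.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample badge-reader log (made-up format and values):
# "timestamp badge_id badge_type door result", one event per line
SAMPLE_LOG = """\
2024-03-04T08:58:10 E1001 employee lobby granted
2024-03-04T09:00:02 V2001 visitor lobby granted
2024-03-04T09:00:05 E1001 employee server-room granted
2024-03-04T09:00:09 V2001 visitor server-room granted
2024-03-04T13:20:44 V2002 visitor wiring-closet granted
2024-03-04T22:15:30 E1002 employee server-room granted
2024-03-04T22:16:01 E1003 employee server-room denied
"""

PUBLIC_AREAS = {"lobby"}                # 3.10.1 controls apply only to non-public areas
ESCORT_WINDOW = timedelta(seconds=30)   # assumed tolerance between escort and visitor swipe
BUSINESS_HOURS = range(7, 19)           # assumed 07:00-18:59 local time

@dataclass
class Event:
    ts: datetime
    badge: str
    kind: str      # "employee" or "visitor"
    door: str
    result: str    # "granted" or "denied"

def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, badge, kind, door, result = line.split()
        events.append(Event(datetime.fromisoformat(ts), badge, kind, door, result))
    return events

def find_unescorted_visitors(events):
    """Visitor entries into non-public areas with no employee badged at the
    same door within ESCORT_WINDOW (3.10.3: escort and monitor visitors)."""
    findings = []
    for ev in events:
        if ev.kind != "visitor" or ev.result != "granted" or ev.door in PUBLIC_AREAS:
            continue
        escorted = any(o.kind == "employee" and o.door == ev.door and o.result == "granted"
                       and abs(o.ts - ev.ts) <= ESCORT_WINDOW for o in events)
        if not escorted:
            findings.append((ev.ts.isoformat(), ev.badge, ev.door))
    return findings

def find_after_hours_access(events):
    """Any controlled-door attempt outside BUSINESS_HOURS, granted or denied (3.10.4 review)."""
    return [(e.ts.isoformat(), e.badge, e.door, e.result)
            for e in events if e.ts.hour not in BUSINESS_HOURS and e.door not in PUBLIC_AREAS]
```

Procedural logs (a paper visitor sign-in sheet) can feed the same review once transcribed; the point is that the escort and after-hours checks are applied to every entry, not only when someone happens to look.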
3.10.5 Control and manage physical access devices.
Physical access devices include
3.10.6 Enforce safeguarding measures for CUI at alternate worksites (e.g., telework sites).
Alternate work sites may include
Private residences of employees
Organizations may define different security requirements for specific alternate work sites or types of sites depending on the work-related activities conducted at those sites.