
NIST SP 800-171 Physical Security Requirements Explained

By: Omer Kaan Aslim
February 04, 2022
Learn how to meet your NIST SP 800-171 and CMMC 2.0 physical security requirements. This post covers the following NIST SP 800-171 controls: 3.10.1 (limit physical access to systems and their operating environment), 3.10.2 (protect and monitor the facility and its support infrastructure), 3.10.3 (escort and monitor visitors), 3.10.4 (maintain audit logs of physical access), 3.10.5 (control and manage physical access devices), and 3.10.6 (safeguard CUI at alternate work sites).

Limiting, Monitoring, and Protecting Access to Your Facility

Authorized Personnel
You need to identify the parts of your facility that are “sensitive”: areas where you perform work that involves CUI or other sensitive information, or that house the systems that store or process it. Once you have identified these areas, post signs at their entrances reading “Authorized Personnel Only”. Maintain a list of the personnel who are authorized to access these areas without an escort, and keep it current as people join, change roles, or leave. Provide personnel with ID badges showing their portrait and name.
Physical Access Control
After identifying the sensitive areas of your facility and determining which personnel are authorized to access them, deploy physical access controls such as doors and locks. Only authorized personnel should be given keys, PIN codes, or keycards that open the doors to sensitive areas.
Wiring Closet
Place important IT infrastructure equipment such as routers, switches, and servers in a locked room (e.g., a wiring closet or server room), and keep those rooms locked whenever they are unattended. Ensure that the cabling in your server room and wiring closets is organized so that it cannot be accidentally unplugged or damaged. Place devices such as printers and scanners in areas that are not accessible to unauthorized personnel; a printout of CUI left on an output tray is as exposed as CUI on an unlocked screen.
To verify that only authorized persons have in fact accessed your facility, you need to monitor physical access. This can be accomplished with a sign-in sheet or by logging electronic keycard access. Review these physical access logs periodically (e.g., quarterly) and check them against your list of authorized personnel: look for entries by people who are not on the list, for badges that should already have been collected, and for access at unusual times. You should also deploy security cameras to monitor entry to and exit from sensitive areas of your facility.

Managing Keys (Physical Access Devices)

Authorized personnel are provided with physical access devices used to access your facility. Examples of physical access devices include traditional metal keys and electronic keycards. Physical access devices should only be provided to authorized personnel. They must be collected from terminated personnel and from personnel who no longer require access to sensitive areas of your facility; an electronic keycard should also be deactivated in the access control system at that time, and a lost key or card should be handled the same way: deactivate the card or re-key the affected locks. All physical access devices, such as keys and electronic keycards, must be inventoried, recording who holds each one and which doors it opens.
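The periodic log review described under "Limiting, Monitoring, and Protecting Access to Your Facility" and the device inventory described above are easiest to do together, since the same review answers both "who entered a sensitive area" and "is any collected or revoked badge still opening doors". The script below is an added example, not code from the original post or any particular access control product: it reconciles constructed badge-reader log lines against an authorized-personnel list and a physical access device inventory. The names, badge IDs, area codes, business hours and the log line format are all hypothetical; adapt the parser to whatever your badge system exports.

```python
"""Periodic review of physical access (badge reader) logs.

Added example, not code from the original post. It reconciles constructed
badge-reader log lines against an authorized-personnel list and a physical
access device inventory and flags the events a quarterly review should
look at. Names, badge IDs, area codes and the log format are hypothetical.
"""
from dataclasses import dataclass
from datetime import datetime, time

# Authorized-personnel list: sensitive area -> people allowed unescorted access.
AUTHORIZED = {
    "SERVER_ROOM": {"alice", "bob"},
    "CUI_LAB": {"alice", "carol"},
}

# Physical access device inventory: badge ID -> (holder, status).
# "revoked" means the holder was terminated or no longer needs access, so the
# badge should have been collected and disabled in the access control system.
BADGE_INVENTORY = {
    "B001": ("alice", "active"),
    "B002": ("bob", "active"),
    "B003": ("carol", "active"),
    "B004": ("dave", "revoked"),
}

BUSINESS_HOURS = (time(7, 0), time(19, 0))

# Constructed log lines: "<ISO timestamp> <badge> <area> <GRANTED|DENIED>".
SAMPLE_LOG = """\
2022-02-01T08:15:02 B001 SERVER_ROOM GRANTED
2022-02-01T09:02:44 B003 SERVER_ROOM GRANTED
2022-02-01T12:30:10 B002 CUI_LAB DENIED
2022-02-01T22:41:55 B002 SERVER_ROOM GRANTED
2022-02-02T10:05:00 B004 CUI_LAB GRANTED
2022-02-02T11:20:30 B999 SERVER_ROOM GRANTED
"""


@dataclass
class Finding:
    timestamp: str
    badge: str
    area: str
    reason: str


def parse_line(line):
    """Split one log line into (datetime, badge, area, result)."""
    ts, badge, area, result = line.split()
    return datetime.fromisoformat(ts), badge, area, result


def review_access_log(log_text, authorized=AUTHORIZED, inventory=BADGE_INVENTORY,
                      hours=BUSINESS_HOURS):
    """Return the findings a reviewer should follow up on, in log order."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, badge, area, result = parse_line(raw)
        if result != "GRANTED":
            continue  # a denied attempt never opened the door; not reviewed here
        holder, status = inventory.get(badge, (None, "not in inventory"))
        if status != "active":
            # A revoked/collected badge still opening doors, or a badge the
            # inventory does not know about: both are inventory failures.
            findings.append(Finding(ts.isoformat(), badge, area,
                                    f"badge {status} (holder: {holder})"))
            continue
        if holder not in authorized.get(area, set()):
            findings.append(Finding(ts.isoformat(), badge, area,
                                    f"{holder} not on authorized list for {area}"))
        if not hours[0] <= ts.time() <= hours[1]:
            findings.append(Finding(ts.isoformat(), badge, area,
                                    f"after-hours access by {holder}"))
    return findings


def badges_to_collect(inventory=BADGE_INVENTORY):
    """Badges the inventory says are no longer active and must be retrieved and disabled."""
    return sorted(b for b, (_, status) in inventory.items() if status != "active")


if __name__ == "__main__":
    for f in review_access_log(SAMPLE_LOG):
        print(f.timestamp, f.badge, f.area, f.reason)
    print("collect/disable:", badges_to_collect())
```

On the constructed sample this flags carol entering the server room without being on its authorized list, bob's 22:41 server room entry, dave's revoked badge still being granted access, and an unknown badge B999 that the inventory has never seen. The last two are the ones that matter most for 3.10.5: a badge that opens a door but is not in the inventory is exactly the gap the inventory exists to prevent.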

Handling Visitors to Your Facility

Visitors to your facility need to sign in using a sign-in sheet. The sign-in sheet should record the names and organizations of the persons visiting, visitor signatures, forms of identification, dates of access, entry and departure times, purposes of visits, and the names and organizations of the persons visited. Visitors need to be given a visitor badge that is visibly different from an employee badge, returned when they sign out, and assigned an escort to accompany them in sensitive areas of your facility.

Physical Security for Teleworkers

Today, many employees work from home or at a client site (e.g., a government office). You do not control the physical security of these locations, but you still need to ensure that the CUI these employees handle is protected. This can be accomplished by ensuring that their laptops and other devices use full-disk encryption, run anti-malware software, lock their screens after a short period of inactivity, and carry the same secure configuration settings you apply to computers at your primary facility. Employees at alternate work sites should also be instructed not to leave devices or printed CUI unattended and to keep them locked away when not in use.