PE-3(2)—Physical Access Control | Facility and Systems

IL6

>Control Description

Perform security checks ⚙organization-defined frequency at the physical perimeter of the facility or system for exfiltration of information or removal of system components.

>DoD Impact Level Requirements

No specific parameter values or requirements for this impact level.

>Discussion

Organizations determine the extent, frequency, and/or randomness of security checks to adequately mitigate risk associated with exfiltration.

>Related Controls

AC-4

SC-7

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

•What policies and procedures govern the implementation of facility and systems for the organization's facilities?
•Who is responsible for overseeing and maintaining facility and systems controls?
•How frequently are facility and systems controls reviewed and updated?
•What process exists for granting exceptions to facility and systems requirements?
•How does the organization ensure accountability for facility and systems across all facility locations?

Technical Implementation:

•What technologies or systems technically implement facility and systems?
•How are these systems configured to meet the control requirements?
•What monitoring or alerting capabilities exist for facility and systems?
•How do facility and systems systems integrate with other physical security infrastructure?
•What redundancy or backup mechanisms support facility and systems?

Evidence & Documentation:

•Provide documented policies and procedures for facility and systems.
•Provide evidence of facility and systems implementation and configuration.
•Provide logs, records, or reports demonstrating facility and systems activities over the past 90 days.
•Provide testing, maintenance, or inspection records for facility and systems from the past year.
•Provide evidence of facility and systems reviews, audits, or assessments.

Ask AI

Configure your API key to use AI features.