
PE-5 Access Control for Output Devices

Moderate
High

>Control Description

Control physical access to output from organization-defined output devices to prevent unauthorized individuals from obtaining the output.

>FedRAMP Baseline Requirements

No FedRAMP-specific parameter values or requirements for this baseline.

>Discussion

Controlling physical access to output devices includes placing output devices in locked rooms or other secured areas with keypad or card reader access controls and allowing access to authorized individuals only, placing output devices in locations that can be monitored by personnel, installing monitor or screen filters, and using headphones. Examples of output devices include monitors, printers, scanners, audio devices, facsimile machines, and copiers.

>Cross-Framework Mappings

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What policies govern the use of physical access devices such as badges, keys, and smart cards?
  • How does the organization manage the inventory and accountability of physical access devices?
  • What is the process for reporting lost, stolen, or compromised physical access devices?
  • How are physical access devices deactivated when personnel leave or transfer?
  • What governance exists for periodically reviewing physical access device assignments?

Technical Implementation:

  • What types of physical access devices are used (badges, smart cards, keys, tokens)?
  • How are access devices encoded or configured with authorization data?
  • What technical controls prevent cloning or duplication of access devices?
  • How are access devices deactivated in technical systems when no longer needed?
  • What anti-counterfeiting features are incorporated into physical access devices?

Evidence & Documentation:

  • Provide inventory of all physical access devices (badges, keys, smart cards) issued.
  • Provide documentation of device issuance, assignment, and tracking procedures.
  • Provide records of lost/stolen device reports and responses from the past year.
  • Provide evidence of device deactivation when personnel separate or transfer.
  • Provide audit results from the most recent physical access device reconciliation.
