NIST SP 800-171 Physical Security Requirements Explained

You need to identify parts of your facility that are “sensitive”. Sensitive areas are where you perform work that involves CUI or other sensitive information. Once you identify these areas, put up signs to the entrance of those areas reading “Authorized Personnel Only”. Maintain a list of personnel who are authorized to access these areas without an escort. Provide personnel with ID badges with their portrait and name.

After identifying sensitive areas of your facility and determining the personnel authorized to access them you need to deploy physical security controls such as doors and locks. Only authorized personnel should be given keys, pin codes, or keycards to open the doors that allow access to sensitive areas.

Place important IT infrastructure equipment such as routers, switches, and servers in a locked room (e.g., wiring closet or server room). Ensure that wiring closets and server rooms are locked. Ensure that cabling in your server room and wiring closets are organized to prevent them from accidentally being unplugged or damaged. Place devices such as printers and scanners in areas that are not accessible to unauthorized personnel.

To ensure that only authorized persons have in fact accessed your facility you need to monitor physical access. This can be accomplished by using a sign-in sheet or by logging electronic keycard access. You need to periodically review these physical access logs (e.g., quarterly). You should also deploy security cameras to monitor entry and exit to sensitive areas of your facility.

Authorized personnel are provided with physical access devices used to access your facility. Examples of physical access devices include traditional metal keys and electronic key cards. Physical access devices should only be provided to authorized personnel. They must be collected from terminated personnel and personnel who no longer require access to sensitive areas of your facility. All physical access devices such as keys and electronic key cards must be inventoried.

Visitors to your facility need to sign in using a sign-in sheet. The sign-in sheet should record names and organizations of persons visiting, visitor signatures, forms of identification, dates of access, entry and departure times, purposes of visits, and names and organizations of persons visited. Visitors need to be provided with a visitors badge and be assigned an escort to accompany them in sensitive areas of your facility.

Today many employees work from home or a client site (e.g. a government office). You do not have control over the physical security of these locations, however, you still need to ensure that the CUI these employees handle is protected. This can be accomplished by ensuring that their laptops and other devices are encrypted, have anti-malware software, and the other secure configuration settings you apply to computers at your primary facility.