Physical Protection Standards
This updated standard is to help align existing practices within Office of Information Technology (OIT) around Physical Protection controls to the requirements in NIST 800-171 (PE | 3.10.x) as well as industry best practices. This document does not give full coverage of 3.10.x controls within 171 due to existing limitations and other requirements that are specific to CUI.
What is in this document:
- Visitor monitoring requirements
- Required content of physical logs
- Standards for physical access devices
- Remote work requirements
What is NOT in this document:
- Log locations for physical logs
- VandalCard or key security standards
Potential impact or action items for implementing this standard:
- Training will be required for remote workers who handle regulated data such as FCI/CUI as to appropriate use of their work-from-home space
- Data Center access managers may need to review visitor access log retention to comply with standard
This Physical Protection standard supports APM 30.11 University Data Classification and Standards and other relevant university policies.
These Standards are the minimum baseline for all managed and unmanaged systems that access, store or process University of Idaho data (see APM 30.14 C-6) at the High-risk levels (see APM 30.11) or data with relevant regulations such as FCI/CUI not otherwise covered by an approved system security plan.
This specifically includes university-operated data centers but may include other spaces where relevant data may be unencrypted.
Escort and monitor visitor activity in restricted areas.
- Visitors are escorted in restricted areas. (3.10.3[a])
- Visitor logs must be included in the physical access log described below. (3.10.3[b])
- These logs must also include the individual escorting the visitor.
Maintain audit logs of physical access to areas in scope.
- Access to restricted areas must be recorded either electronically or via a sign-in sheet.
- Sign-in sheets must be appropriately secured from tampering as determined by OIT Security.
- Audit logs of physical access are maintained for at least three (3) years.
- Physical access logs should contain:
  - The local time that access was provided.
  - Each individual that access was provided to.
  - The restricted area being accessed.
  - The local time each individual exits.
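One way to check a transcribed sign-in sheet against the visitor-escort and log-content requirements above. This is an added example, not OIT's own tooling; the CSV column layout, the Y/N visitor flag, the timestamp format and the sample rows are all assumptions constructed for illustration.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample: one restricted area's sign-in sheet transcribed to CSV.
# The column layout is assumed; the standard only lists what must be captured.
SAMPLE_LOG = """time_in,individual,area,time_out,visitor,escort
2023-06-20 08:02,jdoe,Data Center A,2023-06-20 11:45,N,
2023-06-20 09:10,Vendor Tech,Data Center A,2023-06-20 10:30,Y,jdoe
2023-06-20 13:00,Auditor,Data Center A,2023-06-20 14:15,Y,
2023-06-20 15:00,asmith,Data Center A,,N,
2023-06-20 16:00,bjones,Data Center A,2023-06-20 15:30,N,
"""

# Fields the standard requires in every physical access log entry.
REQUIRED_FIELDS = ("time_in", "individual", "area", "time_out")
RETENTION = timedelta(days=3 * 365)  # "at least three (3) years"
TIME_FMT = "%Y-%m-%d %H:%M"          # assumed local-time format


def _parse(ts):
    return datetime.strptime(ts, TIME_FMT)


def check_record(rec):
    """Return the list of findings for one log entry (empty means compliant)."""
    findings = []
    for field in REQUIRED_FIELDS:
        if not rec.get(field, "").strip():
            findings.append(f"missing {field}")
    # 3.10.3: visitors must be escorted and the escort recorded in the log.
    if rec.get("visitor", "").strip().upper() == "Y" and not rec.get("escort", "").strip():
        findings.append("visitor without escort")
    # Sanity-check the timeline when both timestamps are present.
    if rec.get("time_in", "").strip() and rec.get("time_out", "").strip():
        if _parse(rec["time_out"]) < _parse(rec["time_in"]):
            findings.append("exit before entry")
    return findings


def audit_log(text):
    """Map 1-based row number -> findings, for rows that have any."""
    rows = csv.DictReader(io.StringIO(text))
    report = {i: check_record(r) for i, r in enumerate(rows, 1)}
    return {row: f for row, f in report.items() if f}


def within_retention(rec, now):
    """True if the entry must still be kept; `now` is a TIME_FMT string."""
    return _parse(now) - _parse(rec["time_in"]) <= RETENTION
```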
Control and manage physical access devices (key cards/readers, PIN pads on locks, traditional keys, etc.).
- Physical access devices are recorded with their current holders/owners as per APM 40.28. (3.10.1[a], 3.10.5[a])
- Physical locks are assumed to be maintained by University of Idaho Facilities Management unless otherwise approved.
- Physical access devices are rotated/deauthorized/revoked when: (3.10.5[b-c])
  - Any access device is missing, lost, stolen or otherwise unaccounted for.
  - Current access device holders are no longer in the role requiring access.
  - Any unauthorized copy of an access device is created.
- Permanent physical access devices are assigned to individuals only while required to perform their role. (3.10.1[b-d])
To ensure that work can be done securely from remote locations, the following standards must be met (3.10.6[a-b]):
- While working at alternate work sites, individuals must:
  - Connect through an approved remote access method such as vpn.uidaho.edu.
  - Be in a private location or otherwise obscure their screen from others.
  - Be using OIT-managed technology.
  - Be in a private space, or take appropriate precautions against eavesdropping, when taking phone or video calls that discuss high-risk or regulated data.
- Alternate work sites that are used when accessing regulated data must adhere to any additional requirements of the regulation.
OIT Security will publish and maintain an internal document identifying areas that are approved for handling high-risk data.
- Handling of high-risk or other regulated data should not occur outside of these locations.
- These locations must meet the following requirements:
  - Must control access points into the secure area using a VandalCard and PIN, or another method approved by OIT Security.
  - Must have appropriate signage per regulation or contract, such as PCI or CUI.
  - Must be physically separated from unsecured areas.
  - Must have cameras monitoring access points.
All referenced controls are NIST SP 800-171r2 unless otherwise noted.
- NIST SP 800-171r2 (February 2020)
- NIST SP 800-53r5 (September 2020)
- NIST SP 800-114r1 (July 2016)
- NIST SP 800-46r2 (July 2016)
- CMMC Glossary (December 2021)
1. Visitor
Individuals without permanent physical access authorization credentials (i.e. VandalCard, key, door PIN, etc.).
2. Physical access device
A device used for gaining physical access to an area, such as key cards/readers, PIN pads on locks, traditional keys, etc.
3. Physical access device holder/owner
The individual currently in possession of, or responsible for, a physical access device.
4. Alternate work site
Areas where work is approved to occur other than an individual's university-controlled office space. This includes, but is not limited to, public spaces on campus, home offices covered by a flexplace agreement under FSH 3250, or supervisor-approved areas.
5. Federal Contract Information (FCI)
“Federal contract information means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.” (CMMC Glossary)
  - While encrypted, data is not considered FCI.
6. Controlled Unclassified Information (CUI)
“Information that law, regulation or government-wide policy requires to have safeguarding or disseminating controls, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended.” (NIST SP 800-171)
  - While encrypted, data is not considered CUI.
7. Restricted area
A location used for storing, transmitting, processing, discussing or otherwise handling high-risk data or data with relevant regulations such as FCI/CUI.
OIT is responsible for the content and management of these standards.
| Version | Author | Date |
|---|---|---|
| V1 | N. Flynn, M. Parks | 6/23/2023 |