NIST SP 800-171 Framework Series: Physical Protection

Part 10 of CampusGuard’s series covering each of the critical controls from NIST SP 800-171 rev.2

Section 3.10 within the NIST SP 800-171 rev 2 focuses on the physical access to an organization’s systems and the measures taken to protect equipment, buildings, and related supporting infrastructure against threats associated with the physical environment. Technology solutions like firewalls, anti-virus software, passwords, and multi-factor authentication, along with organizational policies and procedures, can be completely negated if an unauthorized individual is able to just walk into a server room and gain direct access to a server or connected device.

You do not want to leave your physical environment vulnerable to compromise. Physical security is the first line of defense and protects organizational assets from physical occurrences that could cause damage to your organization’s data or could allow your information to fall into the wrong hands. All physical aspects like entrances, exits, network infrastructure, back-ups, etc. are included and can be protected through strategies like access control, video monitoring/surveillance, locks/key cards, etc.

The Basic Security Requirements within the NIST SP 800-171 for Physical Protection include:

3.10.1 Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals.

This requirement applies to employees, contractors, and visitors, and to any areas within an organization that are not publicly accessible.

Designate and segment building areas as “sensitive” so you can apply the appropriate physical security controls within these locations. Limit physical access to equipment like computers, networking devices, external drives, printers, copiers, etc. by placing equipment in locked rooms or other secured areas, allowing access to authorized individuals only, and monitoring those secured locations. All authorized individuals should have credentials that include badges, identification cards, and/or smart cards. Maintain an updated list of personnel who are authorized to access the designated equipment.

It is important to include physical security as a key element within employee training. Ensure all employees are aware of their responsibilities for protecting their badges and/or keys, and that they know they must wear them at all times. Verify authorized employees are also trained to be on the lookout for unauthorized individuals that may try to enter a secure facility. Remind them not to hold open the door for someone that does not have a badge and to be aware of who is entering the building with them (this is a social engineering strategy called “tailgating”). If an employee does see an unidentified person in a secure area, they should immediately report the individual to management.

It is also important to keep sensitive information protected by locking workstations when employees are not at their desks and enforcing a clean desk policy to ensure sensitive data is not left out and is always stored in a locked drawer or cabinet when not in use.

3.10.2 Protect and monitor the physical facility and support infrastructure for organizational systems.

Monitoring of physical access includes publicly accessible areas and secured areas within the organization. Ongoing monitoring can be accomplished through the employment of security guards, the use of sensor devices, and/or the use of video surveillance equipment and cameras, specifically at the entrances and exits of secure facilities. The cameras may be monitored 24/7 or they may just record so the security team can review the video if necessary.

Examples of support infrastructure include system distribution, transmission, telecommunications, power lines, and systems like heating and air conditioning. Security controls applied to the support infrastructure prevent accidental damage, disruption, and physical tampering. Physical access controls to support infrastructure include locked wiring closets, disconnected or locked spare jacks, protection of cabling by conduit or cable trays, and wiretapping sensors to prevent eavesdropping and modification of unencrypted transmissions.

The Derived Security Requirements for Physical Protection include:

3.10.3 Escort visitors and monitor visitor activity.

Escort all visitors and monitor visitor activity to ensure they are only entering areas they have approved access to. In the case of third party contractors, direct supervision by an authorized employee should be required and visitors should be vetted and authorized before they are permitted entry. All visitors should be checked in/checked out and the date/time they were at the organization logged.

3.10.4 Maintain audit logs of physical access.

Audit logs can also be used to review and monitor visitor activity. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural (e.g., a written log of individuals accessing the facility), automated (e.g., capturing ID provided by a PIV card), or some combination thereof. Review the logs regularly to identify any suspicious behavior, like a visitor that stayed much longer than expected, access outside of normal work hours, or repeated access to areas they would not typically be visiting.
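The three review signals named above (overlong visitor stays, access outside normal hours, repeated access to unusual areas) can be checked mechanically. The following is an added example, not part of the original article; the log layout, names, working hours, four-hour visit limit and repeat threshold are all assumptions chosen for illustration.

```python
import csv
import io
from collections import Counter
from datetime import datetime, time, timedelta

# Constructed sample log: timestamp, person, role, area, event
SAMPLE_LOG = """\
2024-03-04T08:55:00,alice,employee,office,in
2024-03-04T09:10:00,v-1001,visitor,lobby,in
2024-03-04T09:40:00,v-1001,visitor,lobby,out
2024-03-04T10:00:00,v-1002,visitor,lobby,in
2024-03-04T13:05:00,bob,employee,server-room,in
2024-03-04T14:20:00,bob,employee,server-room,in
2024-03-04T16:45:00,bob,employee,server-room,in
2024-03-04T17:30:00,v-1002,visitor,lobby,out
2024-03-04T23:15:00,alice,employee,office,in
"""

# Assumed local policy values, not taken from NIST SP 800-171.
WORK_START, WORK_END = time(7, 0), time(19, 0)
MAX_VISIT = timedelta(hours=4)
USUAL_AREAS = {"alice": {"office"}, "bob": {"office"}}
REPEAT_THRESHOLD = 3

def review(log_text):
    """Return a sorted list of (rule, person, detail) findings."""
    findings, open_visits, unusual = [], {}, Counter()
    for ts, person, role, area, event in csv.reader(io.StringIO(log_text)):
        when = datetime.fromisoformat(ts)
        if event == "in" and not WORK_START <= when.time() <= WORK_END:
            findings.append(("after-hours", person, ts))
        if role == "visitor":
            if event == "in":
                open_visits[person] = when
            elif person in open_visits:
                stay = when - open_visits.pop(person)
                if stay > MAX_VISIT:
                    findings.append(("long-visit", person, str(stay)))
        elif event == "in" and area not in USUAL_AREAS.get(person, set()):
            unusual[(person, area)] += 1
    for (person, area), n in unusual.items():
        if n >= REPEAT_THRESHOLD:
            findings.append(("unusual-area", person, f"{area} x{n}"))
    # Visitors with no check-out at all also need follow-up.
    findings += [("no-checkout", p, t.isoformat()) for p, t in open_visits.items()]
    return sorted(findings)

if __name__ == "__main__":
    print(*review(SAMPLE_LOG), sep="\n")
```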

3.10.5 Control and manage physical access devices.

Physical access devices include keys, locks, combinations, and card readers that provide access to a location where sensitive information is located. Verify all items or methods of access are documented in an up-to-date inventory and create an approval process for issuing or granting a new device, as well as deactivating those devices if an employee leaves the organization or their role changes.
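One way to keep that inventory honest is to reconcile it against the current personnel roster on a schedule. The following is an added example, not part of the original article; the inventory fields, roster, role names and role-to-area mapping are constructed assumptions.

```python
# Constructed inventory of physical access devices (badges, keys).
INVENTORY = [
    {"id": "B-001", "kind": "badge", "holder": "alice", "areas": {"office"},
     "active": True, "approved_by": "fso"},
    {"id": "B-002", "kind": "badge", "holder": "carol", "areas": {"office"},
     "active": True, "approved_by": "fso"},
    {"id": "K-014", "kind": "key", "holder": "bob", "areas": {"server-room"},
     "active": True, "approved_by": None},
    {"id": "B-003", "kind": "badge", "holder": "dave",
     "areas": {"office", "server-room"}, "active": True, "approved_by": "fso"},
    {"id": "B-004", "kind": "badge", "holder": "erin", "areas": {"office"},
     "active": False, "approved_by": "fso"},
]

# Constructed HR roster: current personnel and their current role.
ROSTER = {"alice": "staff", "bob": "sysadmin", "dave": "staff"}
# Assumed mapping of role to the areas that role may enter.
ROLE_AREAS = {"staff": {"office"}, "sysadmin": {"office", "server-room"}}

def reconcile(inventory, roster, role_areas):
    """Return sorted (device_id, issue) pairs for active devices to fix."""
    issues = []
    for dev in inventory:
        if not dev["active"]:
            continue  # already deactivated, nothing to reconcile
        if dev["approved_by"] is None:
            issues.append((dev["id"], "no approval record"))
        role = roster.get(dev["holder"])
        if role is None:
            # Holder has left the organization but the device still works.
            issues.append((dev["id"], "holder not on roster: deactivate"))
            continue
        excess = dev["areas"] - role_areas.get(role, set())
        if excess:
            # Access left over from a previous role.
            issues.append((dev["id"], "exceeds role: " + ",".join(sorted(excess))))
    return sorted(issues)

if __name__ == "__main__":
    for device_id, issue in reconcile(INVENTORY, ROSTER, ROLE_AREAS):
        print(device_id, issue)
```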

3.10.6 Enforce safeguarding measures for CUI at alternate work sites.

Alternate work sites may include government facilities or the private residences of employees. With the shift to remote work environments during COVID-19, this derived requirement has become even more important. Organizations should define security requirements for remote working, and implement written policies and procedures outlining acceptable behavior and use of information/equipment when working outside of the office environment.

We have seen the impacts of COVID-19 across the security industry, and physical security is no different. In a recent Smart Security Trends Report, 75% of respondents said the pandemic increased the importance of physical security within their organizations, with many moving towards more cloud-based and centralized security solutions to help both manage remote employees and remotely manage physical systems. With cloud-based security technology, security teams can remotely control property access by unlocking doors or triggering site lockdowns without having to physically be onsite.

Instant credentialing is also a remote management capability that has increased in the last few years. Keyless door lock and entry systems allow users to unlock doors with credentials issued to their smartphones, rather than having to be issued a key card. Similarly, administrators can instantly revoke individual or group access if an employee leaves the organization. Organizations can shift from traditional badges and key cards to a unified mobile credential, which gives them the benefit of touchless and keyless access, paired with the visual verification of a digital ID badge. Digital badges also allow organizations to customize and provide updates as needed, without having to reprint and reissue credentials to every affected user. Organizations can choose the types of information they want to display, such as title, department or group, access level, and even vaccination status, and instantly issue the badges and/or mobile credentials. This is especially helpful for remotely managing new hires, as well as outsourced third-party vendors or contractors.

New technologies, however, create increased cybersecurity risks and new opportunities for hackers to identify potential gaps and exploit vulnerabilities in a credentialing system or cloud-based security system. Previously, an attacker would have to be at the location to alter the temperature of a heating system. Now, they may be able to hack into the centralized system and turn the heat up from thousands of miles away. Therefore, it is critical for the IT and physical security teams to work together to confirm all IT security requirements are met, and coordinate efforts to ensure physical security technologies are implemented correctly and operate efficiently. Performing periodic reviews or assessments of locations to confirm physical security measures are in place and secure is recommended.

Some additional guidance from the Security Advisor team:

[Gilmore]: Let’s keep in mind that security is about not only restricting information to those who should see it, but also to make sure that it is available when the authorized user can access it. Mature systems maintain redundancy and take into consideration what may cause services to become unavailable if certain physical issues occur. This could be earthquakes, snow storms, hurricanes, floods, and any other natural disasters. Here in Houston we have to consider long term effects of flooding from seasonal storms. For data centers that run on generators, what is their priority for replenishing fuel needed to keep on the power? What is the proximity to other potential hazards that could happen to the data center?

For local systems, consider who is using them. Can someone access the inside of the computer? Do you need to add locks and/or cameras? Can someone insert a USB key and make system changes on boot? Can someone plug into the local network and gain access to resources?

A risk assessment will uncover these questions and allow your teams to make informed decisions to lower the risk of system compromise. Reach out to us to discuss your environment.


About the Author
Katie Johnson


Manager, Operations Support

As the manager of Operations Support, Katie leads the team responsible for supporting and delivering CampusGuard services including online training, vulnerability scanning, and the CampusGuard Central® portal. With over 15 years of experience in information security awareness training, Katie is also the Product Lead for CampusGuard’s online training services. As a Senior Customer Relationship Manager for a limited number of customers, Katie assists organizations with their information security and compliance programs and is responsible for coordinating the various teams involved.