This is the tenth of a fourteen-piece blog series intended to describe how Ascolta Greenfield environments achieve compliance with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Revision 1, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. This entry covers the controls contained in the Physical Protection family (section 3.10 of the publication), which addresses the physical security policies and procedures for facilities that house CUI systems.
What is it?
The term physical and environmental security refers to measures taken to protect systems, buildings, and related supporting infrastructure against threats associated with their physical environment. Physical and environmental requirements cover three broad areas:
- The physical facility is typically the building, other structure, or vehicle housing the system and network components. Systems can be characterized, based upon their operating location, as static, mobile, or portable. Static systems are installed in structures at fixed locations. Mobile systems are installed in vehicles that perform the function of a structure, but not at a fixed location. Portable systems may be operated in a wide variety of locations, including buildings, vehicles, or in the open. The physical characteristics of these structures and vehicles determine the level of physical threats such as fire, roof leaks, or unauthorized access.
- The facility’s general geographic operating location determines the characteristics of natural threats, which include earthquakes and flooding; man-made threats such as burglary, civil disorders, or interception of transmissions and emanations; and damaging nearby activities, including toxic chemical spills, explosions, fires, and electromagnetic interference from emitters (e.g., radars).
- Supporting facilities are those services (both technical and human) that maintain the operation of the system. The system’s operation usually depends on supporting facilities such as electric power, heating and air conditioning, and telecommunications. The failure or substandard performance of these facilities may interrupt operation of the system and cause physical damage to system hardware or stored data.
How does Greenfield solve it?
Greenfield meets the Physical Protection requirements by inheriting the controls AWS applies to its data centers. AWS develops and maintains formal, documented physical and environmental protection policies and procedures that address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. That policy is reviewed on an annual basis. Under this shared-responsibility arrangement, the physical safeguards for the facilities in which Greenfield runs are AWS's responsibility, and the remaining responsibility sits with the customer, as described below.
As the user, you remain responsible for protecting your own equipment (laptops, workstations, removable media, and the offices they sit in) from theft, damage, or unauthorized access. Having the infrastructure where your CUI is stored, processed, and accessed protected by AWS takes you most of the way to compliance for this family. Multi-factor authentication on your Greenfield accounts ensures that, even if your laptop is stolen, a thief who does not also hold your second factor cannot sign in to the environment and reach the CUI held there (unless you left the device powered on and logged in). Note what MFA does not do: it does not protect any CUI that has been copied to the laptop's own disk. For that, the device itself needs full-disk encryption and a lock-screen policy, and the endpoint controls covered elsewhere in this series still apply.