Description:   

Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural (e.g., a written log of individuals accessing the facility), automated (e.g., capturing ID provided by a PIV card), or some combination thereof. Physical access points can include facility access points, interior access points to systems or system components requiring supplemental access controls, or both. System components (e.g., workstations, notebook computers) may be in areas designated as publicly accessible with organizations safeguarding access to such devices.


Priority: High   


Category: Physical Security 


Services Associated with AWS:   

  • AWS CloudTrail (for monitoring access events) 


Objective Evidence:   

  • Administrative: documented policies, standards & procedures
  • Administrative: supporting documentation to demonstrate visitor management practices 


Possible Technology Considerations:

  • Physical Access Control (PAC) 


What needs to be answered:


Are logs of physical access to sensitive areas maintained per retention policies? Are visitor access records retained for as long as required by approved policy?

  • Audit Logging of Physical Access
    Description: This check ensures that organizations maintain audit logs of physical access to their facilities. The audit logs capture information about individuals accessing the facility, including entry and exit times, the identification provided (such as a PIV card), and any additional access controls used.

    Organizations have flexibility in the types of audit logs employed for physical access monitoring. This can include procedural logs, where individuals manually record their access in a written log, automated logs that capture access events electronically (such as scanning identification cards), or a combination of both.

    The audit logs for physical access serve as a record of who entered or exited the facility, providing valuable information for security monitoring, incident investigation, and compliance purposes. By maintaining these audit logs, organizations can track and review physical access activities, detect any unauthorized or suspicious entries, and ensure accountability for access to their facilities.
     


More Details:   

No CUI is stored in company facilities. All CUI storage is done via AWS services.