OVERVIEW (PE-1)

This document addresses the procedures and standards set forth to implement the family of Physical and Environmental Protection controls.

All information system equipment is hosted in a FedRAMP-accredited data center (Microsoft Azure Government Cloud). The organization does not store or host any customer data in office locations. All employees must complete security training to minimize the risk of unauthorized access to customer data (e.g. lock laptops when not in use).

PHYSICAL ACCESS AUTHORIZATIONS (PE-2)

As per FedRAMP, the hosting partner must develop, approve, and maintain a list of individuals with authorized access to the hosting facility where the information system resides; issue authorization credentials for facility access; review the access list detailing authorized facility access by individuals; and remove individuals from the facility access list when access is no longer required. See the Workplace Security Policy for additional details.

PHYSICAL ACCESS CONTROL (PE-3)

As per FedRAMP, the hosting partner must:

  1. Enforce physical access authorizations at all entry/exit points to the facility where the information system resides by verifying individual access authorizations before granting access to the facility and by controlling ingress/egress to the facility;
  2. Maintain physical access audit logs;
  3. Provide security safeguards to control access to areas within the facility officially designated as publicly accessible;
  4. Escort visitors and monitor visitor activity;
  5. Secure keys, combinations, and other physical access devices;
  6. Inventory physical access devices bi-annually;
  7. Change combinations and keys annually and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated.

MONITORING PHYSICAL ACCESS (PE-6)

As per FedRAMP, the hosting partner must:

  1. Monitor physical access to the facility where the information system resides to detect and respond to physical security incidents;
  2. Review physical access logs monthly or upon occurrence of a potential incident;
  3. Coordinate results of reviews and investigations with the organizational incident response capability.

VISITOR ACCESS RECORDS (PE-8)

As per FedRAMP, the hosting partner must:

  1. Maintain visitor access records for the facility where the information system resides for a minimum of 1 year;
  2. Review visitor access records bi-annually.

EMERGENCY LIGHTING (PE-12)

As per FedRAMP, the hosting partner must employ and maintain automatic emergency lighting for the information system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility.

FIRE PROTECTION (PE-13)

As per FedRAMP, the hosting partner employs and maintains fire suppression and detection devices/systems for the information system that are supported by an independent energy source.

TEMPERATURE AND HUMIDITY CONTROLS (PE-14)

As per FedRAMP, the hosting partner maintains temperature and humidity levels within the facility where the information system resides and monitors temperature and humidity levels on an ongoing basis.

WATER DAMAGE PROTECTION (PE-15)

As per FedRAMP, the hosting partner protects the information system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel.

DELIVERY AND REMOVAL (PE-16)

As per FedRAMP, the hosting partner authorizes, monitors, and controls information system components entering and exiting the facility and maintains records of those items.

AUDIT

  • Annual Hosting Partner Review (PE001) to ensure FedRAMP accreditation (e.g. controls are in place).
  • Annual Management Review (MR002) includes review of PE001.
  • Annual Management Review (MR002) includes review of this policy.