Establishes requirements for limiting physical access and for protecting and monitoring the physical facility and supporting infrastructure, covering the 6 requirements of the Physical Protection family (3.10) in NIST SP 800-171 Rev 2.
OCSI shall limit physical access to organizational systems, equipment, and the respective operating environments. Physical access to facilities shall be controlled, monitored, and protected against unauthorized access.
| Control | Requirement | Implementation | Status |
|---|---|---|---|
| 3.10.1 | Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals | Office facility secured with keyed entry. Authorized personnel list maintained. Visitor access requires escort by an authorized person. Server hosting is managed by GoDaddy; data center physical security is an inherited control covered by GoDaddy's SOC 2 Type II report, which OCSI obtains and reviews for the physical-security criteria. | Implemented |
| 3.10.2 | Protect and monitor the physical facility and support infrastructure for organizational systems | Office facility protected with commercial alarm system. Workstations used for CUI access located in private office areas. GoDaddy data centers provide 24/7 physical monitoring, environmental controls, and redundant power. | Implemented |
| 3.10.3 | Escort visitors and monitor visitor activity | All visitors signed in at reception. Visitors escorted at all times in areas where CUI may be visible. Visitor log maintained with name, purpose, date/time in and out. Visitor badges issued and collected upon departure. | Implemented |
| 3.10.4 | Maintain audit logs of physical access | Physical access log maintained at facility entry. Electronic alarm system records entry/exit events with timestamps. Visitor log archived for a minimum of 3 years. Logs reviewed monthly by the Security Officer. | Implemented |
| 3.10.5 | Control and manage physical access devices | Facility keys issued only to authorized personnel. Key inventory maintained by the office administrator. Lost or stolen keys result in immediate rekeying or replacement of the affected locks. Key issuance and return tracked in the access log. | Implemented |
| 3.10.6 | Enforce safeguarding measures for CUI at alternate work sites | Remote work policy requires: (1) a private workspace with the screen not visible to unauthorized persons, (2) a VPN or other encrypted connection, (3) device auto-lock after 5 minutes of inactivity, (4) no CUI access on shared or public devices. Remote work security acknowledgment required annually. | Implemented |
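The monthly visitor log review required under 3.10.3 and 3.10.4 can be partly automated. The following is an added example, not part of this SSP or any OCSI tooling. It assumes a CSV visitor log with the columns shown in the sample (the `escort` and `badge_returned` columns, the business-hours window and the sample rows are constructed assumptions for illustration) and flags entries with no escort recorded, no sign-out time, an uncollected badge, an entry outside business hours, or a visit longer than a configurable limit, so the Security Officer can focus the review on exceptions.

```python
"""Monthly physical access log review (NIST SP 800-171 3.10.3 / 3.10.4).

Added example; not OCSI's own tooling. Assumes a CSV visitor log with
the columns: date, name, purpose, time_in, time_out, escort, badge_returned.
The escort/badge columns, business hours and the sample rows are
constructed for illustration.
"""
import csv
import io
from datetime import datetime, timedelta

# Constructed sample visitor log (not real visitor data).
SAMPLE_LOG = """date,name,purpose,time_in,time_out,escort,badge_returned
2024-03-04,A. Visitor,vendor meeting,09:05,10:30,J. Smith,yes
2024-03-06,B. Visitor,interview,13:00,,J. Smith,no
2024-03-11,C. Visitor,delivery,18:40,18:55,,yes
2024-03-15,D. Visitor,audit,08:30,17:45,K. Lee,yes
"""

BUSINESS_HOURS = (8, 18)          # assumed: entries expected 08:00-17:59
MAX_VISIT = timedelta(hours=8)    # assumed: longer visits are reviewed by hand


def _parse_time(value):
    """Parse 'HH:MM'; an empty cell means the field was never filled in."""
    value = (value or "").strip()
    return datetime.strptime(value, "%H:%M") if value else None


def review_visitor_log(text, business_hours=BUSINESS_HOURS, max_visit=MAX_VISIT):
    """Return a list of (csv_line_number, finding) tuples for log entries
    that fail the escort, badge-return, sign-in/sign-out or hours checks.
    Line numbers count the header as line 1."""
    findings = []
    for line_no, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        # 3.10.3: every visitor is escorted and the badge is collected.
        if not row["escort"].strip():
            findings.append((line_no, "no escort recorded"))
        if row["badge_returned"].strip().lower() != "yes":
            findings.append((line_no, "badge not collected"))

        # 3.10.4: the log must show when each visitor entered and left.
        t_in = _parse_time(row["time_in"])
        t_out = _parse_time(row["time_out"])
        if t_in is None:
            findings.append((line_no, "no sign-in time"))
        elif not (business_hours[0] <= t_in.hour < business_hours[1]):
            findings.append((line_no, "entry outside business hours"))

        if t_out is None:
            findings.append((line_no, "no sign-out time"))
        elif t_in is not None:
            if t_out < t_in:
                findings.append((line_no, "sign-out before sign-in"))
            elif t_out - t_in > max_visit:
                hours = int(max_visit.total_seconds() // 3600)
                findings.append((line_no, "visit exceeds %d hours" % hours))
    return findings


if __name__ == "__main__":
    for line_no, finding in review_visitor_log(SAMPLE_LOG):
        print("line %d: %s" % (line_no, finding))
```

Findings are returned rather than only printed so the review can be recorded alongside the archived log; a clean month returns an empty list.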
Physical security for hosted components is inherited from the providers listed below; OCSI does not operate any of this infrastructure directly.

| Component | Provider | Physical Security |
|---|---|---|
| Web Hosting | GoDaddy (Shared Hosting) | Data centers covered by GoDaddy's SOC 2 Type II report; 24/7 monitoring, biometric access, environmental controls (inherited control) |
| DNS | GoDaddy DNS | Managed infrastructure |
| CDN Resources | Google Fonts, FontAwesome (cdnjs) | Public static assets (fonts and icons) served from Google and Cloudflare infrastructure; physical security inherited from those providers |