Physical and Environmental Protection Plan

Approach basics → §4.x

Hosting model and identifiers that anchor the rest of the plan.

Hosting model (one-liner) * Where the system runs (e.g., 'FedRAMP-Moderate-authorized AWS GovCloud (US)', 'Agency-operated data center at Site A', 'Hybrid: prod on AWS GovCloud + DR at agency Tier-III facility').

Primary facility identifier * Name and location of the primary facility (e.g., 'AWS GovCloud US-Gov-West-1 region', 'Building 4 Data Center, Crystal City VA').

Alternate / DR facility identifier Name and location of the alternate / disaster-recovery facility. Reference CP plan for the activation criteria.

Physical-access governance role * Role responsible for physical-access decisions (e.g., 'Facility Security Officer (FSO)', 'ISSM / Physical Security delegate'). Reference PS-1 for the screening half of the workflow.

Physical-access request workflow Brief phrase summarizing the workflow (e.g., 'ServiceNow request → ISSM approval → badge office', 'AWS IAM does not apply — physical access is provider-inherited; agency-staff badge handled via OPM workflow').

Visitor-logging location Where visitors are logged (e.g., 'Lobby visitor-management kiosk + paper logbook', 'Guard post + Signed-in workflow in BadgePass').

Environmental controls inheritance provider Provider supplying environmental controls (e.g., 'AWS — see FedRAMP package', 'Crystal City data-center operator — see SLA + SOC 2', 'Agency facility ops — internal').

Provider-evidence location Where provider-supplied evidence (FedRAMP CRM, SOC 2, SLA reports) is stored on file.

Facility Inventory → §2.x

List of facilities in scope and their roles.

Facilities in scope

Add item

Suggested: + Primary data-center facility + DR / alternate facility + Agency office buildings hosting workstations + Telework / alternate work sites (PE-17) + Field offices + Mobile platforms (vehicles, ships, aircraft) + Cloud-provider regions (logical, not staffed by org)

Facility classification — Select — Federal-owned Leased federal-controlled Contractor-operated facility (cleared) Cloud-provider facility (FedRAMP Moderate) Cloud-provider facility (FedRAMP High) Cloud-provider facility (DoD CC SRG IL4 / IL5) Mixed (multiple types — document each)

Facility availability classification — Select — Uptime Institute Tier I (~99.671%) Uptime Institute Tier II (~99.741%) Uptime Institute Tier III (~99.982%) Uptime Institute Tier IV (~99.995%) Cloud-provider region (high-availability across multiple AZs) Not formally rated

Physical Access Authorization (PE-2) → §4.x

Who is authorized to enter, on what basis, and how the list is maintained.

Access-list owner role Role accountable for maintaining the authorized-access list (e.g., 'Facility Security Officer with ISSO concurrence').

Authorization criteria What entitles a person to physical access (e.g., 'Active background investigation completion (PS-3) + need-to-access justification + supervisor approval').

Access-list review cadence (PE-2 ODV) How often the access list is reviewed (typical values: 'Quarterly', 'Annually'). PE-2 ODV.

Access-revocation triggers

Termination / separation Role / project change removing need Suspended clearance Failed annual re-investigation Change of facility Misuse / incident

Emergency / temporary access process How urgent / temporary access is granted (e.g., post-incident investigators, vendor maintenance crews) without bypassing core controls.

Physical Access Control (PE-3) → §4.x

How entry and egress are physically controlled.

Entry mechanisms

Smart-card badge readers (PIV / CAC) Biometric (fingerprint / iris / face) Keypad PIN (less preferred) Mantrap / interlock vestibule Physical key (legacy areas only) Reception / guard verification Mobile credential (Bluetooth / NFC)

Egress controls How exit is controlled (free egress for safety + monitoring, anti-passback, exit interviews for sensitive areas).

Escort policy Who must be escorted (visitors, vendors without clearance, contractor staff). Escort-to-visitor ratio. Reference MA-5 for maintenance personnel.

Intrusion-detection system IDS at entry / boundary (door-sensor, motion, glass-break). Alarm routing to security operations + on-call.

Lock + key inventory tracking How physical keys, electronic-credentials, and lock combinations are inventoried and rotated. Lost-key procedures.

Transmission and Output (PE-4, PE-5) → §4.x

Protection of cabling, ports, and output devices.

Cabling protection (PE-4) How transmission lines are protected from interception / damage (conduit, raceway, locked patch panels, fiber for sensitive runs).

Port-blocking posture How unused network ports / USB ports are physically disabled (port-blockers, NAC enforcement). Coordinated with IA-3.

Output-device protection (PE-5) How printers, monitors, and copiers are positioned / shielded so output is not visible to unauthorized observers (privacy filters, secure-print release, no-monitor-facing-window policy).

Monitoring and Visitor Management (PE-6, PE-8) → §4.x

How activity at the boundary is monitored and visitors are tracked.

Monitoring capability

Manned guard posts CCTV with active monitoring CCTV with recording + retroactive review Door-position sensors Badge-reader-event monitoring Anomaly-based access-pattern detection Tailgating-detection sensors

Recording retention period How long surveillance recordings are retained (e.g., '90 days for routine; longer for incident-tagged'). PE-6(1) ODV.

Visitor-log required fields

Visitor name Visitor organization Government-issued ID type + number Time in / time out Person visited (sponsor) Purpose of visit Areas accessed Escort name Escort signature

Visitor-log retention (PE-8 ODV) How long visitor logs are retained. PE-8 ODV. Common: 'One year', 'Per NARA records-retention schedule'.

Visitor-log review cadence How often visitor logs are reviewed for anomalies (escort gaps, off-hours visits).

Emergency Power, Lighting, and Shutoff (PE-9 through PE-12) → §4.x

Power resilience and life-safety.

Power topology (PE-9 / PE-9(1)) Redundancy of power: dual feeds, UPS, generator, transfer-switch behavior. Dual A+B power at rack level (PE-9(1)).

Emergency-shutoff capability (PE-10) EPO (Emergency Power Off) location, activation criteria, blast-radius (rack vs row vs room). Whether EPO is hardware-disable / requires fire-marshal coordination.

Emergency power posture (PE-11) UPS runtime, generator capacity, fuel-supply duration, automated transfer-test cadence. PE-11(1) for graceful-shutdown automation.

Emergency-lighting coverage (PE-12) Battery-backed lighting in egress paths, IT areas. Inspection cadence. PE-12 ODV.

Environmental Protection (PE-13, PE-14, PE-15) → §4.x

Fire suppression, climate control, water-leak detection.

Fire-suppression system (PE-13) — Select — Pre-action sprinkler (water-based, double-action) Wet-pipe sprinkler Dry-pipe sprinkler Clean-agent (FM-200 / Novec 1230) Inert-gas (IG-55 / IG-541) Mixed (clean-agent in IT areas; sprinkler perimeter)

Fire-detection system (PE-13(1)) VESDA / aspirating smoke detection, photoelectric, ionization. Notification routing (24/7 monitored alarm, fire-marshal direct line).

Suppression-inspection cadence How often fire suppression is inspected per NFPA 25 (typically annual + quarterly visual).

Operating temperature / humidity range (PE-14) Allowable range (e.g., '64-81°F (18-27°C); 20-80% RH per ASHRAE TC9.9 Class A1'). Reference TIA-942.

Environmental monitoring + alerting Sensor coverage, BMS / DCIM integration, alert thresholds, escalation paths.

Water-leak detection (PE-15) Leak-detection cable / sensor coverage, automatic shutoff, drainage paths. PE-15(1) for automated shutoff.

Delivery and Removal (PE-16) → §4.x

How assets are checked in and removed.

Asset categories in scope (PE-16 ODV)

Servers + network equipment Storage media (drives, tapes) Cryptographic modules / HSMs Workstations + laptops Mobile devices (tablets, phones) Removable media (USB, optical) Spare parts Decommissioned equipment

Intake procedure How new assets enter the facility (receiving-dock workflow, integrity inspection, asset-tag application, CMDB entry).

Removal-authorization process Who can authorize removal of assets, what paperwork is required, chain-of-custody. Reference MP-5 if media, SR-12 if supply-chain element.

Property-pass logging location Where intake / removal events are logged (CMDB, dedicated property-management tool, paper logbook + scanned).

Alternate Work Site (PE-17) → §4.x

Telework and alternate-location protections.

Telework / alternate work-site in scope? — Select — Yes — telework is broadly authorized for system users Yes — limited to specific roles (e.g., admin staff only) Yes — emergency-continuity only (per CP plan) No — facility-only operation

Required telework safeguards

GFE laptop with FDE (FIPS 140-3 validated) VPN / ZTNA required for access MFA enforced PIV / CAC required Privacy screen on display Lockable storage for hardcopy Mandatory acceptable-use agreement signed No-VOIP / no-IoT in workspace policy Network-isolation at home (separate SSID)

Telework-training reference Pointer to telework-security training (often part of AT-2 awareness). Reference NIST SP 800-46 r2 for guidance.

Periodic safeguard assessment How telework-site safeguards are periodically assessed (self-attestation, sample audits, video walkthrough for sensitive roles).

Physical Scope and Coverage → §2.x

Quantitative scope numbers that anchor metrics later in the plan.

Authorized-access list size Approximate count of persons on the PE-2 access list.

Facilities count Total number of in-scope facilities (primary + alternate + telework typical-locations if quantified).

Visitor volume (approximate) Order-of-magnitude visitors per month (anchors visitor-log review effort).

Telework users in scope Approximate count of users on telework arrangement (PE-17).

Physical-and-Environmental Metrics & KPIs → §6.x

Metrics tracked to demonstrate PE control effectiveness.

Tracked metrics

Add item

Suggested: + Badge-access denial rate (target: 0 unauthorized attempts succeeding) + Lost / stolen badge incidents per quarter (trend) + Visitor-log completeness rate (% of entries with all required fields) + Tailgating incidents detected per quarter + Environmental alarm count by category (fire / temp / humidity / water) + Generator test result (last cycle pass / fail) + Fire-suppression inspection currency rate + Telework-safeguard self-attestation completion rate + Open POA&M items linked to PE controls + Provider control-effectiveness review completion (FedRAMP / SOC 2)

Provider Assurance Verification → §6.x

How inherited controls are verified for systems hosted in cloud / colocation.

Provider-audit review cadence How often the provider's FedRAMP package / SOC 2 report is reviewed for control effectiveness (typically annual at report receipt).

Provider-side change notification monitoring How significant changes to provider environment are tracked (FedRAMP CSP change notices, provider service-health channels, vendor-incident notifications).

Shared-responsibility matrix reference Pointer to the shared-responsibility / customer-responsibility matrix for the provider (e.g., 'AWS GovCloud CRM rev 2025-Q1 at /repo/compliance/aws-crm.pdf').

Cross-references to other RMF artifacts → §7

Where this plan plugs into the broader RMF package.

SSP section reference Where in the SSP the PE control implementations are summarized (e.g., 'SSP §13.9').

POA&M ID prefix for PE findings Convention for PE-related POA&M items (e.g., 'POAM-PE-' for general).

PS handoff How PS-3 personnel screening underwrites PE-2 access authorization. Specifically the trigger that updates the PE-2 list when a screening lapses.

MA handoff How PE-3 escort policy applies to MA-5 maintenance personnel. Coordination of vendor-visit windows.

MP handoff How PE-16 delivery / removal procedures apply to media transport (MP-5).

CP handoff How PE environmental controls underwrite CP-2 contingency-plan assumptions about facility availability. Where alternate-facility (PE primary's DR) lives in the CP plan.

IR handoff How physical-access incidents (unauthorized entry, environmental alarms) escalate into the IR plan workflow.

CA-7 continuous-monitoring strategy reference Pointer to the CA-7 monitoring strategy document tying PE continuous-monitoring metrics to the broader ConMon plan.