PES-06.2: Identification Requirement
Physical access control mechanisms exist to requires at least one(1) form of government-issued or organization-issued photo identification to authenticate individuals before they can gain access to the facility.
Control Question: Does the organization require at least one (1) form of government-issued or organization-issued photo identification to authenticate individuals before they can gain access to the facility?
General (11)
| Framework | Mapping Values |
|---|---|
| MPA Content Security Program 5.1 | PS-1.1 |
| NIST 800-53 R4 | PE-2(2) |
| NIST 800-53 R5 (source) | PE-2(2) |
| NIST 800-53 R5 (NOC) (source) | PE-2(2) |
| NIST 800-171 R3 (source) | 03.10.07.c |
| PCI DSS 4.0.1 (source) | 9.3.2 |
| PCI DSS 4.0.1 SAQ D Merchant (source) | 9.3.2 |
| PCI DSS 4.0.1 SAQ D Service Provider (source) | 9.3.2 |
| SCF CORE Mergers, Acquisitions & Divestitures (MA&D) | PES-06.2 |
| SCF CORE ESP Level 2 Critical Infrastructure | PES-06.2 |
| SCF CORE ESP Level 3 Advanced Threats | PES-06.2 |
US (2)
| Framework | Mapping Values |
|---|---|
| US NERC CIP 2024 (source) | CIP-006-6 2.2 |
| US - OR 646A | 622(2)(d)(C)(ii) |
EMEA (3)
| Framework | Mapping Values |
|---|---|
| EMEA Saudi Arabia SACS-002 | TPC-47 |
| EMEA Spain CCN-STIC 825 | 8.1.2 [MP.IF.2] |
| EMEA UK DEFSTAN 05-138 | 1503 |
Americas (1)
| Framework | Mapping Values |
|---|---|
| Americas Canada ITSP-10-171 | 03.10.07.C |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to requires at least one (1) form of government-issued or organization-issued photo identification to authenticate individuals before they can gain access to the facility.
Level 1 — Performed Informally
Physical & Environmental Security (PES) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- Physical access control is decentralized.
- Physical security controls are primarily administrative in nature (e.g., policies & standards), focusing on protecting High Value Assets (HVAs).
- Human Resources, or a similar function, maintains a current list of personnel and facilitates the implementation of physical access management controls.
Level 2 — Planned & Tracked
Physical & Environmental Security (PES) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- Physical access control is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
- IT/cybersecurity personnel identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for physical access control.
- Human Resources, or a similar function, maintains a current list of personnel with authorized access to organizational facilities and facilitates the implementation of physical access management controls.
- Physical security controls are primarily administrative in nature (e.g., policies & standards).
- Physical controls, administrative processes and technologies are primarily designed and implemented for offices, rooms and facilities that focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.
- A facilities maintenance team, or similar function, manages the operation of automated physical and environmental protection controls.
- Administrative processes require at least one (1) form of government-issued or organization-issued photo identification to authenticate individuals before they can gain access to the facility.
Level 3 — Well Defined
Physical & Environmental Security (PES) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Performs the centralized-management of physical security controls across the enterprise. o Maintains a current list of personnel with authorized access to organizational facilities and implements physical access management controls.
- A physical security team, or similar function:
- A facilities maintenance team, or similar function, manages the operation of environmental protection controls.
- Administrative processes exist to authorize physical access to facilities based on the position or role of the individual.
- Administrative processes and physical controls restrict unescorted access to facilities to personnel with required security clearances, formal access authorizations and validated the need for access.
- Administrative processes require at least one (1) form of government-issued or organization-issued photo identification to authenticate individuals before they can gain access to the facility.
Level 4 — Quantitatively Controlled
See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to requires at least one (1) form of government-issued or organization-issued photo identification to authenticate individuals before they can gain access to the facility.
Level 5 — Continuously Improving
See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to requires at least one (1) form of government-issued or organization-issued photo identification to authenticate individuals before they can gain access to the facility.
Assessment Objectives
- PES-06.2_A01 a list of acceptable forms of identification for visitor access to the facility where the system resides is defined.
- PES-06.2_A02 two forms of identification are required from list of acceptable forms of identification for visitor access to the facility where the system resides.