Getting your Office Physical Controls FISMA Ready


If you are currently or aim to be a FISMA compliant organization and are looking to relocate, this is the ideal time to build physical security controls into your space. It is always easier and less costly to do before the build out. Of course, if you already have your office space, you will need to do some retrofitting, but it is always a good time to enhance current controls or get rid of some of those accepted risks! Either way, the following is a handy 12 point guide to the types of things to consider to make your office compliant with key physical FISMA controls, aka Physical and Environmental (PE) and Media Protection (MP) moderate based controls.

  1. Data Center walls should go floor to the true ceiling. This would prevent someone from lifting up the ceiling tiles and climbing into the Data Center.
  2. Server Room (Data Center) should have a lock with the ability to track access. Communication closets, telephone rooms, electrical rooms and areas where media are stored should have locks as well.
  3. Temperature and Humidity Control and monitoring is required in Data Centers. If your system provides the control without monitoring mechanisms, you can install an inexpensive hydrometer with temperature and humidity gauges for under ten dollars.
  4. Water Damage Protection is required in the Data Center (accessible shutoff valves can satisfy this).
  5. You will need to have a fire suppression and detection system (sprinklers or other fire suppression, smoke detectors and fire extinguishers) and need smoke detectors that will notify emergency responders without manual intervention. (The alarms would have to automatically notify the fire department in the event of a fire.)
  6. Uninterruptable power supply should be in place to prevent surges and server outage and to allow shutdown of servers. An emergency shutoff switch must be accessible and secured with limited access.
  7. Emergency power and lighting should be in place for evacuation. This should be included in hallways, stairwells and your Data Center.
  8. Storage Bins for “shredding” should be in place for all areas that process sensitive data.
  9. When allocating space, always plan for segregating staff that work with privacy data away from other projects via a locked door or access point if possible. If not, consider placing this staff in an area where access by others is limited.
  10. Physical access controls would be required for any output device (printers and screens near viewable areas) and transmission media that process/display privacy data. For example, windows on the first floor must be shielded, or screen protectors are required if privacy data is processed on machines on the first floor near windows.
  11. Cameras at all ingress and egress points and at entrance to Data Center are required. Also consider putting a camera near work areas where privacy data is processed.
  12. Visitor control via badge system or escort process is a must! All visitors must be logged, and make sure your guards and/or front desk staff are trained to ask for identification.