1909 Physical and Environmental Protection Policy


Department of Human Services
Online Directives Information System

Index: POL1909

Revised: 06/02/2025

Next Review: 06/02/2027

Subject: DHS Information Security Policies

Policy

This policy establishes the Enterprise Physical and Environmental Protection Policy for mitigating the risks from physical security and environmental threats through the establishment of an effective physical security and environmental controls program. The physical security and environmental controls program helps DHS protect its Information Technology Assets from physical and environmental threats.

Authority

  1. United States Department of Commerce National Institute for Standards and Technology (NIST)

  2. United States Internal Revenue Service

  3. United States Department of Health & Human Services – Administration of Children and Families (ACF), Office of Child Support Services (OCSS)

  4. United States Department of Health & Human Services - Centers for Medicare & Medicaid Services (CMS)

  5. Georgia Technology Authority

  6. Social Security Administration

  7. Federal Bureau of Investigation (Criminal Justice Information Services)

References

Applicability

The scope of this policy is applicable to all Information Technology (IT) resources owned or operated by DHS. Any information, not specifically identified as the property of other parties, that is transmitted or stored on DHS IT resources (including email, messages, and files) is the property of DHS. All users (DHS employees, contractors, vendors, or others) of IT resources are responsible for adhering to this policy.

Definitions

Controlled Unclassified Information (CUI)

Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.

Responsibilities

DHS shall adopt the Physical and Environmental Protection principles established in the NIST SP 800-53 “Physical and Environmental Protection” control family guidelines as the official policy for this domain. The following subsections outline the physical and environmental protection standards that constitute DHS policy. Each DHS Business System is then bound to this policy, and shall develop or adhere to a program plan which demonstrates compliance with the policy related to the standards documented.

PE-1 Physical and Environmental Protection Procedures

  1. Develop, document, and disseminate to designated agency personnel:

    1. All organizational-level physical and environmental protection policy that:

      1. Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

      2. Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

    2. Procedures to facilitate the implementation of the physical and environmental control policy and the associated controls.

  2. Designate an agency official to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures; and

  3. Review and update the current physical and environmental protection control:

    1. Policy every one (1) year (or if there is a significant change); and

    2. Procedures every one (1) year (or when there is a significant change).

PE-2 Physical Access Authorizations

  1. Develop, approve, and maintain a list of individuals with authorized access to the facility where the system resides;

  2. Issue authorization credentials for facility access;

  3. Review the access list detailing authorized facility access by individuals at least every six (6) months; and

  4. Remove individuals from the facility access list when access is no longer required.

PE-3 Physical Access Control

  1. Enforce physical access authorizations at entry/exit points to facilities where the information systems that receive, process, store, access, or transmit CUI reside by:

    1. Verifying individual access authorizations before granting access to the facility; and

    2. Controlling ingress and egress to the facility using organization-defined physical access control systems or devices and/or guards.

  2. Maintain physical access audit logs for organization-defined entry or exit points;

  3. Control access to areas within the facility designated as publicly accessible by implementing the following controls: organization-defined physical access controls;

  4. Escort visitors and control visitor activity in accordance with agency policies (e.g., personnel and physical security);

  5. Secure keys, combinations, and other physical access devices;

  6. Inventory organization-defined physical access devices every ninety (90) days; and

  7. Change combinations and keys at least annually and/or when keys are lost, combinations are compromised, or when individuals possessing the keys or combinations are transferred or terminated.

PE-4 Access Control for Transmission Medium

Control physical access to information system distribution and transmission lines within agency facilities using physical security safeguards.

PE-5 Access Control for Output Devices

  1. Control physical access to output from output devices (e.g., monitors, printers, and audio devices) to prevent unauthorized individuals from obtaining the output.

PE-6 Monitoring Physical Access

  1. Monitor physical access to the facility where the system resides to detect and respond to physical security incidents;

  2. Review physical access logs at a minimum monthly and upon occurrence of a potential indication of an event; and

  3. Coordinate results of reviews and investigations with the organizational incident response capability.

PE-6 (1) Intrusion Alarms and Surveillance Equipment

Monitor physical access to the facility where the system resides using physical intrusion alarms and surveillance equipment.

PE-8 Visitor Access Records

  1. Maintain visitor access records to the facility where the system resides for five (5) years;

  2. Review visitor access records at least monthly; and

  3. Report anomalies in visitor access records to agency-defined personnel.

PE-9 Power Equipment and Cabling Control

Protect power equipment and power cabling for the system from damage and destruction.

PE-10 Emergency Shutoff

  1. Provide the capability of shutting off power to an organization-defined system or individual system components in emergency situations;

  2. Place emergency shutoff switches or devices in an organization-defined location by system or system component to facilitate access for authorized personnel; and

  3. Protect emergency power shutoff capability from unauthorized activation.

PE-11 Emergency Power

Provide an uninterruptible power supply to facilitate an orderly shutdown of the system, or transition of the system to long-term alternate power, in the event of a primary power source loss.

PE-12 Emergency Lighting

Employ and maintain automatic emergency lighting for the system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility.

PE-13 Fire Protection

Employ and maintain fire detection and suppression systems that are supported by an independent energy source.

PE-13 (1) Automatic Activation and Notification

Employ fire detection systems that activate automatically and notify organization-defined personnel or roles and defined emergency responders in the event of a fire.

PE-14 Environmental Controls

  1. Maintain temperature, humidity, and pressure levels at acceptable vendor-specified levels within the facility where the system resides; and

  2. Monitor environmental control levels within the defined frequency.

PE-15 Water Damage Protection

Protect the system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel.

PE-16 Delivery and Removal

  1. Authorize and control all information system components that receive, store, process, or transmit CUI entering and exiting the facility; and

  2. Maintain records of the system components.

PE-17 Alternate Work Site

  1. Determine and document the agency-permitted alternate work sites allowed for use by employees;

  2. Employ information system security and privacy controls at alternate work sites;

  3. Assess the effectiveness of security and privacy controls at alternate work sites; and

  4. Provide a means for employees to communicate with information security and privacy personnel in case of security or privacy incidents.

History

Date Change User Version

Evaluation

The Office of Information Technology (OIT), upon recommendation of the DHS Chief Information Security Officer (CISO), evaluates this policy annually by:

  1. Comparing its content and intent to evolving regulatory compliance standards imposed upon the Agency, such as IRS 1075, NIST 800-53, and CMS MARS-E.

  2. Addressing any deficiencies or gaps discovered during periodic audits conducted by Georgia DOAA or other regulatory bodies, such as IRS, CMS, SSA, FBI, etc.