
Risk Management Handbook Chapter 11: Physical & Environmental Protection

RMH Chapter 11 provides information about the Physical and Environmental Protection (PE) control family that supports system lifecycles

Last reviewed: 3/23/2021

Contact: ISPG Policy Team | CISO@cms.hhs.gov

Introduction

This Handbook outlines procedures to help CMS staff and contractors implement the Physical and Environmental Protection family of controls taken from the National Institute of Standards and Technology (NIST) Special Publication 800-53 and tailored to the CMS environment in the CMS Acceptable Risk Safeguards (ARS). For more guidance on implementing CMS policies and standards across many cybersecurity topics, see the CMS Security and Privacy Handbooks. 

The controls listed in this chapter focus on how the organization must: ensure that information systems are protected by limiting physical access to information systems, equipment, and the respective operating environments to only authorized individuals; protect the physical plant and support infrastructure for information systems; provide supporting utilities for information systems; protect information systems against environmental hazards; and provide appropriate environmental controls in facilities containing information systems. Procedures in this chapter describe requirements for physical access, access control, records management, emergency protections, and physical locations of systems, with regard to physical and environmental protection.

Physical and Environmental Protection

Physical Access Authorizations (PE-2)

The Physical Access Authorizations control includes employees, contractors, and others with permanent physical access authorization credentials; this control does not apply to visitors or areas within facilities that have been designated as publicly accessible. Access authorization credentials include badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials required consistent with federal standards, policies, and procedures. Homeland Security Presidential Directive 12 (HSPD-12) is a strategic initiative intended to enhance security, increase government efficiency, reduce identity fraud, and protect personal privacy. HSPD-12 requires development and agency implementation of a mandatory, governmentwide standard for secure and reliable forms of identification for federal employees and contractors requiring physical access to federally controlled facilities and logical access to federally controlled information systems.

Guidance for systems processing, storing, or transmitting PHI:

Under the HIPAA Security Rule, this is an addressable implementation specification. HIPAA covered entities must conduct an analysis as described at 45 C.F.R. § 164.306 (Security standards: General rules) part (d) (Implementation specifications) to determine how it must be applied within the organization. Maintaining a current list of personnel that are authorized to access facilities where sensitive information is located protects the information from unauthorized access. For the purposes of this control, “sensitive information” includes personally identifiable information (PII) and protected health information (PHI). The table below outlines the CMS defined parameters for PE-2.

Table 3: CMS Defined Parameters- Control PE-2

Control: PE-2

Control Requirement:

The organization:

c. Reviews the access list detailing authorized facility access by individuals [Assignment: organization-defined frequency];

CMS Parameter:

The organization:

c. Reviews the access list detailing authorized facility access by individuals every (90 High, 180 Moderate, 365 Low) days;

CMS develops, approves, and maintains a list of individuals with authorized access to the facility where the information system resides; issues authorization credentials for facility access; reviews the access list detailing authorized facility access by individuals; and removes individuals from the facility access list when access is no longer required. Federal regulations require that the Physical Access Control System (PACS) utilize the HSPD-12 credential, commonly referred to as Personal Identity Verification (PIV), to control physical access. PIV credentials at CMS are maintained through the use of PACS. PACS enables an authority to control physical access to areas and resources in a given physical facility. PIV credentials for physical access are valid for no more than 5 years and 9 months but must be surrendered or canceled when access is no longer officially required. There is no requirement for a periodic reinvestigation to maintain a PIV credential.

In accordance with Federal Information Processing Standards (FIPS) 201-2, Personal Identity Verification (PIV) of Federal Employees and Contractors, these permissions must be removed from the credential within 18 hours of a change in cardholder status, resulting in loss of the access privilege. For physical access authorization to controlled areas, PACS Central within the Physical Access Management (PAM) system is to be used to submit a request. The request is then routed to the Access Authority of that area for authorization. The Access Authority for each area maintains the list of individuals with authorized access, performing reviews every 90 days.

Physical Access Control (PE-3)

Physical Access Control applies to organizational employees and visitors without permanent physical access-authorization credentials. Physical access control systems comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Identity, credential, and access management (ICAM) comprises the tools, policies and systems that allow an organization to manage, monitor and secure access to protected resources. The Federal ICAM (FICAM) program, managed by General Services Administration (GSA) Office of Information Integrity and Access, provides collaboration opportunities and guidance on IT policy, standards, implementation and architecture, to help federal agencies implement ICAM. The table below outlines the CMS defined parameters for PE-3.

Table 4: CMS Defined Parameters- Control PE-3

Control: PE-3

Control Requirement:

The organization:

a. Enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system resides] by;

2. Controlling ingress/egress to the facility using [Selection (one or more): [Assignment: organization-defined physical access control systems/devices]; guards];

b. Maintains physical access audit logs for [Assignment: organization-defined entry/exit points];

c. Provides [Assignment: organization-defined security safeguards] to control access to areas within the facility officially designated as publicly accessible;

d. Escorts visitors and monitors visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and monitoring];

f. Inventories [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and

g. Changes combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated.

CMS Parameter:

The organization:

a. Enforces physical access authorizations at defined entry/exit points to the facility (defined in the applicable security plan) where the information system resides by;

2. Controlling ingress/egress to the facility using guards and/or defined physical access control systems/devices (defined in the applicable security plan).

b. Maintains physical access audit logs for defined entry/exit points (defined in the applicable security plan);

c. Provides defined security safeguards (defined in the applicable security plan) to control access to areas within the facility officially designated as publicly accessible;

d. Escorts visitors and monitors visitor activity in defined circumstances requiring visitor escorts and monitoring (defined in the applicable security plan);

f. Inventories defined physical access devices (defined in the applicable security plan) no less often than every (90 High, 90 Moderate, or 180 Low) days; and

g. Changes combinations and keys for defined high-risk entry/exit points (defined in the applicable security plan) within every 365 days, and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated.

CMS enforces physical access control by promoting a secure location, protected with appropriate security structures and entry controls. Physical access points can include facility access points, interior access points to information systems and/or components requiring supplemental access controls, or both.

Safeguards include:

  • Verifying individual access authorizations before granting access to the facility;
  • Controlling ingress/egress to the facility using guards and/or defined physical access control systems/devices; and 
  • Maintaining physical access audit logs for defined entry/exit points.

Components of organizational information systems (e.g., workstations, terminals) may be located in areas designated as publicly accessible with organizations safeguarding access to such devices.

Safeguards include:

  • Providing defined security safeguards to control access to areas within the facility officially designated as publicly accessible; and
  • Escorting visitors and monitoring visitor activity in defined circumstances requiring visitor escorts and monitoring.

A CMS employee or authorized contractor (i.e., contractor with escort privileges) who is in possession of a valid, CMS issued badge assumes responsibility for a visitor to CMS facilities.

Note: All foreign national visits require prior approval and will be assigned a “host” who will be responsible for ensuring that the visit is in full compliance with applicable policies and procedures.

Physical access control devices can include keys, locks, combinations, and card readers.

Safeguards include:

  • Securing keys, combinations, and other physical access devices; changing combinations and keys for defined high-risk entry/exit points as required, and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated; and
  • Maintaining inventory of defined physical access devices, as required.

Information System Access (PE-3(1))

Physical access authorizations are enforced, in addition to physical access controls, for those secure areas within facilities where there is a concentration of information system components (e.g., server rooms, media storage areas, data and communication centers). The table below outlines the CMS defined parameters for PE-3(1).

Table 5: CMS Defined Parameters-Control PE-3(1)

Control: PE-3(1)

Control Requirement:

The organization enforces physical access authorizations to the information system in addition to the physical access controls for the facility at [Assignment: organization-defined physical spaces containing one or more components of the information system].

CMS Parameter:

The organization enforces physical access authorizations to the information system in addition to the physical access controls for the facility at defined physical spaces (defined in the applicable security plan) containing a concentration of information system components (e.g., server rooms, media storage areas, data and communications centers, etc.).

CMS enforces physical access authorizations at physical spaces that contain information system components to provide an adequate level of security to protect CMS data and information systems from unauthorized access. Physical access authorizations include:

  • Controlling access by the use of door and window locks and security personnel or physical authentication devices, such as biometrics and/or smart card/PIN combination; and
  • Storing and operating information system components in physically secure environments with access limited to authorized personnel.

At CMS, personnel are required to obtain an upgraded background investigation and approval by Department of Public Safety (DPS) for authorization.

Access Control for Transmission Medium (PE-4)

A transmission medium is the means through which data is sent from one place to another, using cables or electromagnetic signals to transmit data. Physical security safeguards applied to information system distribution and transmission lines help to prevent accidental damage, disruption, and physical tampering. These applied safeguards also help to prevent eavesdropping or unauthorized transit modification of unencrypted transmissions. The table below outlines the CMS-defined parameters for PE-4.

Table 6: CMS Defined Parameters- Control PE-4

Control: PE-4

Control Requirement:

The organization controls physical access to [Assignment: organization-defined information system distribution and transmission lines] within organizational facilities using [Assignment: organization-defined security safeguards].

CMS Parameter:

The organization controls physical access to telephone closets and information system distribution and transmission lines within organizational facilities using defined security safeguards (defined in the applicable security plan).

CMS implements security safeguards to control physical access to information system distribution and transmission lines. Safeguards include: 

  • Storing information system distribution and transmission lines in authorized access areas. Access is limited to authorized personnel to prevent theft, vandalism and undocumented changes. Contact-based card readers, PINs, and/or security guards control physical access.
  • Encasing transmission lines by metal conduit, which is capable of shielding sensitive circuits from electromagnetic interference, in an effort to prevent accidental damage, eavesdropping and disruption.
  • Disabling unused physical ports is a method used to help secure the network from unauthorized access.

Access Control for Output Devices (PE-5)

Controlling physical access by placing output devices in secured areas, allowing access to authorized individuals, and placing output devices in monitored locations prevents unauthorized individuals from obtaining the output. Printers, copiers, scanners and monitors are examples of information system output devices.

Printers:

CMS provides personal printers to support individual users and network printers that are accessible by network connection. Each CMS employee, with an assigned office or cubicle, is issued a personal printer for use. This printer can only be used when the laptop is in the computer docking station. Network printers are shared output devices used amongst CMS employees and Contractors that have CMS issued laptops. Safeguards include:

  • Setting up devices to automatically print cover pages, also known as separator pages, with each print job. These cover pages contain useful information, such as the 4-character CMS user identification (ID), which can be used to identify the originator of the print job.
  • Configuring devices to ensure data is not saved or stored within the device once the print job is cleared out of the print queue.

Print at home capabilities are available for CMS employees who have a need to print documents while at an Alternative Duty Station (ADS). Completion and submission of the Print at Home Agreement allows the employee to connect his or her personally owned Universal Serial Bus (USB) printer (parallel cables and wireless printers are not supported) to the CMS issued laptop, install the printer drivers, and print documents. By signing this agreement, CMS employees are attesting that they will:

  • Ensure that CMS information is protected from unauthorized access, use, disclosure, duplication, modification, diversion, or destruction, whether accidental or intentional, in order to maintain confidentiality, integrity, and availability;
  • Implement proper physical security measures to be used to secure hardcopy documents containing confidential, sensitive or proprietary information used by CMS to fulfill its mission;
  • Maintain all information and/or media containing confidential data such as paper and files in a secure location or locked cabinet when not in use. CMS documents containing protected health information (PHI), personally identifiable information (PII) or other sensitive data may not be printed using your home printer; and
  • Securely store any documents printed at home and return documents to CMS for proper disposition (e.g., filing, shredding). (RMH Chapter 10: Media Protection provides additional information on media sanitization.)

Copier/Scanner devices:

Located in designated rooms throughout CMS, copier/scanner devices allow a full range of capabilities necessary to manage internal documents. Safeguards include:

  • Requiring the use of PIV Credentials for copying and scan-to-email capabilities. Device-based login is an effective way to control who can access and use the device and to manage and limit user access according to job responsibilities.
  • Configuring devices to ensure data is not saved or stored within the device beyond the completion of the copier/scanner action.

Monitors:

CMS complies with the Rules of Behavior for Use of Health and Human Services Information Resources (HHS RoB) which includes the general security practice of locking workstations and removing PIV cards from laptops when leaving them unattended. All new users of HHS information resources must read the HHS RoB and sign the accompanying acknowledgement form before accessing data or other information, systems, and/or networks. This acknowledgement, affirming their knowledge of and agreement to the HHS RoB, must be completed annually thereafter. CMS users are offered two primary methods to lock the laptop:

  • Use the Ctrl + Alt + Delete command and select “Lock”; or
  • Use the “Lock Computer” shortcut. This shortcut is installed on the Desktop of CMS issued laptops.

CMS issued laptops are configured to automatically lock after 20 minutes of inactivity; in screen lock settings, this “Wait” time cannot be changed by the user.

Monitoring Physical Access (PE-6)

Physical access monitoring includes investigations of and responses to detected physical security incidents. Physical security incidents include security violations or suspicious physical access activities such as accesses outside of normal work hours, repeated accesses to areas not normally accessed, accesses for unusual lengths of time, and out-of-sequence accesses. The table below outlines the CMS defined parameters for PE-6.

Table 7: CMS Defined Parameters- Control PE-6

Control: PE-6

Control Requirement:

The organization:

b. Reviews physical access logs [Assignment: organization-defined frequency] and upon occurrence of [Assignment: organization-defined events or potential indications of events]; and

CMS Parameter:

The organization:

b. Reviews physical access logs weekly and upon occurrence of security incidents or indications of potential events involving physical security; and

CMS monitors physical access to the facility where the information system resides to detect and respond to physical security incidents. Security staff provides real-time monitoring, 24 hours per day, 7 days a week, and 365 days a year, for potential security breaches or disturbances. Response plans that outline the method for responding are used for identified physical security incidents.
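The indicators PE-6 names for log review (after-hours access, repeated access to areas not normally accessed, unusually long stays, out-of-sequence accesses) can be checked mechanically during the weekly review. The following is an added example, not CMS or PAM code; the log format, badge IDs, area names, working hours, stay limit and repeat threshold are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed policy values for this sketch; real values belong in the security plan.
WORK_START, WORK_END = 6, 19               # normal hours 06:00-18:59, Mon-Fri
MAX_STAY = {"SERVER-ROOM": timedelta(hours=4)}
REPEAT_THRESHOLD = 2                       # unusual-area entries before flagging
BASELINE = {                               # areas each badge normally enters
    "B1001": {"LOBBY", "SERVER-ROOM"},
    "B1002": {"LOBBY"},
}

# Constructed sample log: timestamp,badge,area,direction
SAMPLE_LOG = """\
2021-03-15T08:02:11,B1001,LOBBY,IN
2021-03-15T08:05:40,B1001,SERVER-ROOM,IN
2021-03-15T13:45:02,B1001,SERVER-ROOM,OUT
2021-03-15T17:30:00,B1001,LOBBY,OUT
2021-03-16T09:00:00,B1002,LOBBY,IN
2021-03-16T09:10:00,B1002,SERVER-ROOM,IN
2021-03-16T09:12:00,B1002,SERVER-ROOM,OUT
2021-03-16T14:00:00,B1002,SERVER-ROOM,IN
2021-03-16T14:03:00,B1002,SERVER-ROOM,OUT
2021-03-16T17:00:00,B1002,LOBBY,OUT
2021-03-17T23:41:09,B1001,LOBBY,IN
2021-03-17T23:59:30,B1001,LOBBY,OUT
2021-03-18T10:15:00,B1002,SERVER-ROOM,OUT
"""


def parse(log_text):
    """Turn CSV lines into time-ordered (timestamp, badge, area, direction) tuples."""
    events = []
    for line in log_text.strip().splitlines():
        ts, badge, area, direction = (f.strip() for f in line.split(","))
        if direction not in ("IN", "OUT"):
            raise ValueError(f"unknown direction in line: {line!r}")
        events.append((datetime.fromisoformat(ts), badge, area, direction))
    return sorted(events)


def review(events):
    """Return (finding, badge, area, timestamp) tuples for the four PE-6 indicators."""
    findings = []
    inside = {}                     # (badge, area) -> time of the open entry
    unusual = defaultdict(int)      # (badge, area) -> entries outside baseline
    for ts, badge, area, direction in events:
        key = (badge, area)
        if direction == "IN":
            # Access outside normal work hours (weekend or outside the window).
            if ts.weekday() >= 5 or not WORK_START <= ts.hour < WORK_END:
                findings.append(("AFTER_HOURS", badge, area, ts))
            # Repeated access to an area this badge does not normally enter.
            if area not in BASELINE.get(badge, set()):
                unusual[key] += 1
                if unusual[key] == REPEAT_THRESHOLD:
                    findings.append(("REPEATED_UNUSUAL_AREA", badge, area, ts))
            # Out of sequence: a second entry with no exit in between.
            if key in inside:
                findings.append(("OUT_OF_SEQUENCE", badge, area, ts))
            inside[key] = ts
        else:
            entered = inside.pop(key, None)
            if entered is None:
                # Out of sequence: an exit with no recorded entry.
                findings.append(("OUT_OF_SEQUENCE", badge, area, ts))
            elif area in MAX_STAY and ts - entered > MAX_STAY[area]:
                findings.append(("LONG_STAY", badge, area, ts))
    return findings


if __name__ == "__main__":
    for kind, badge, area, ts in review(parse(SAMPLE_LOG)):
        print(f"{ts.isoformat()}  {kind:<22} {badge}  {area}")
```

Each finding is a lead for the reviewer to investigate, not a determination that an incident occurred; an exit with no entry, for example, can also indicate a reader fault.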

Information retained within CMS’s electronic security system is intended for security purposes only. There are instances when the information collected within these security systems could prove valuable in both criminal and administrative proceedings. Due to the sensitive nature of the information retained, it cannot be released to anyone without regard to the privacy of the individuals it concerns. CMS applies the following rules for the release of security information:

  • Criminal Evidence: Information that may be used as evidence in criminal proceedings will only be released upon the request of a duly authorized law enforcement entity. This information includes video of a traffic accident in a parking lot, record of entry into a controlled access location, and video of an altercation.
  • Administrative Evidence: Requests for information that may be used as evidence in administrative proceedings will only be considered from managers, as it applies to a member of their organization, or a member of the Division of Workforce Compliance. A member of the security team or individual entrusted with the retention of security information will review the system to meet the specific request. Only the specifically requested information will be provided. For example, if management wanted to determine if a specific employee reported to work over a particular weekend, the security official could review logs from the weekend and inform the manager that the employee did or did not sign in over the weekend and if so, what times. The security official is not to release all of the logs to the manager for the manager’s own review. 

Intrusion Alarms/Surveillance Equipment (PE-6 (1))

Intrusion alarms and surveillance equipment work in tandem with physical access controls to alert security personnel when unauthorized access is attempted. Monitoring of this equipment is useful for incident verification. CMS’s intrusion alarms and surveillance equipment are linked to the PAM system. CMS’s video surveillance systems maintain a 14-day recorded video capability.

Monitoring Physical Access to Information Systems (PE-6 (4))

Physical spaces within facilities that contain one or more information system components (e.g., server rooms, media storage areas, data centers, communications centers) require additional physical access monitoring. The table below outlines the CMS defined parameters for PE-6(4).

Table 8: CMS Defined Parameters-Control PE-6(4)

Control: PE-6(4)

Control Requirement:

The organization monitors physical access to the information system in addition to the physical access monitoring of the facility as [Assignment: organization-defined physical spaces containing one or more components of the information system].

CMS Parameter:

The organization monitors physical access to the information system, in addition to the physical access monitoring of the facility, at defined physical spaces (defined in the applicable security plan) containing a concentration of information system components (e.g., server rooms, media storage areas, data and communications centers, etc.).

CMS provides monitoring to defined physical spaces by the use of additional access card readers restricting access to only authorized personnel. Further measures can include the use of mantraps, which are a physical access control system comprising a small space with two sets of interlocking doors, such that the first set of doors must close before the second set opens.

Visitor Access Records (PE-8)

Visitor access records include the recording and collection of visitor data, either manually or through electronic visitor management systems, or both. Visitor access records are not required for publicly accessible areas. The table below outlines the CMS defined parameters for PE-8.

Table 9: CMS Defined Parameters- Control PE-8

Control: PE-8

Control Requirement:

The organization:

a. Maintains visitor access records to the facility where the information system resides for [Assignment: organization-defined time period]; and

b. Reviews visitor access records [Assignment: organization-defined frequency].

CMS Parameter:

The organization:

a. Maintains visitor access records to the facility where the information system resides for two (2) years; and

b. Reviews visitor access records no less often than monthly.

CMS adheres to the retention schedule found in National Archives and Records Administration (NARA) General Records Schedule (GRS) 5.6: Security Records for maintaining visitor access records at the facility for 2 years. In addition, visitor access records are reviewed every 30 days. Visitor access records consist of the following data:

  • Name and organization of the person visiting;
  • Visitor’s signature;
  • Form of identification/Valid U.S. Government issued photo identification;
  • Date of access;
  • Time of entry and departure;
  • Purpose of visit; and
  • Name and organization of person visited.

Automated Records Maintenance/Review (PE-8 (1))

Maintenance and review of visitor access records are enabled by automated mechanisms that aid in the capture and management of records. CMS uses PAM, which contains multiple modules to perform security tasks, including visitor management.

Power Equipment and Cabling (PE-9)

Organizations are responsible for determining the types of protection that are needed to protect power equipment and power cabling from damage and destruction. This protection occurs at different locations (both internal and external to organizational facilities) and environments of operation. Examples of power equipment and cabling include generators and power cabling outside of facilities, internal cabling and uninterruptible power sources within offices or data centers, and power sources for self-contained entities such as vehicles and satellites. CMS facilities adhere to the mandatory standards outlined in GSA’s Facilities Standards for the Public Buildings Service (P100), as amended. Infrastructure assets are protected by restricting access and by the use of environmental detection devices. CMS permits only authorized personnel to access infrastructure assets, including power generators, heating, ventilation, and air conditioning (HVAC) systems, cabling, and wiring closets.

Emergency Shutoff (PE-10)

Emergency shutoff switches or devices provide the capability of shutting off power to the information system or individual system components in emergency situations. Placing these shutoff switches or devices in a location that will allow for personnel to approach the shutoff switch(es) safely permits easy access in emergency situations without risk to the individual and protects the emergency power shutoff capability from unauthorized or inadvertent activation. The table below outlines the CMS defined parameters for PE-10.

Table 10: CMS Defined Parameters- Control PE-10

Control: PE-10

Control Requirement:

The organization:

b. Places emergency shutoff switches or devices in [Assignment: organization-defined location by information system or system component] to facilitate safe and easy access for personnel;

CMS Parameter:

The organization:

b. Places emergency shutoff switches or devices in a location that does not require personnel to approach the equipment to facilitate safe and easy access for personnel;

CMS implements and maintains emergency shutoff switches or emergency power off (EPO) buttons as a safety mechanism that can be used to shut power off from the information system or from individual system components in an emergency. These clearly marked shutoff devices are installed at the exit doors.

Emergency Power (PE-11)

Emergency power, using a short-term, uninterruptible power supply (UPS) permits an orderly shutdown of the information system and/or transition of the information system to a long-term alternate power supply in the event of a primary power source loss. CMS facilities adhere to the mandatory standards outlined in GSA’s Facilities Standards for the Public Buildings Service (P100), as amended. The table below outlines the CMS defined parameters for PE-11.

Table 11: CMS Defined Parameters- Control PE-11

Control: PE-11

Control Requirement:

The organization provides a short-term uninterruptible power supply to facilitate [Selection (one or more): an orderly shutdown of the information system; transition of the information system to long-term alternate power] in the event of a primary power source loss.

CMS Parameter:

The organization provides a short-term uninterruptible power supply to facilitate an orderly shutdown of the information system and/or transition of the information system to a long-term alternate power source in the event of a primary power source loss.

CMS provides a short-term UPS that provides emergency power when the input power source or main power fails. The UPS provides near-instantaneous protection from input power interruptions, by supplying energy stored in batteries. CMS uses a web-based data center monitoring system that allows monitoring of critical support equipment. This provides centralized oversight and features include real-time monitoring and event management.

Long-Term Alternate Power Supply - Minimal Operational Capability (PE-11 (1))

Long-term alternate power supply for the information system provides the capability of maintaining minimally required operational capability in the event of an extended loss of the primary power source. CMS facilities adhere to the mandatory standards outlined in GSA’s Facilities Standards for the Public Buildings Service (P100), as amended. CMS has on-site, diesel-powered generators that are capable of providing a long-term alternate power supply. CMS uses asset management software to plan, manage and track the required maintenance activities of the equipment.

Emergency Lighting (PE-12)

Automatic emergency lighting that activates and covers emergency exits and evacuation routes is crucial to ensure adequate illumination in the event of a power outage or disruption. CMS facilities adhere to the mandatory standards outlined in GSA’s Facilities Standards for the Public Buildings Service (P100), as amended. CMS employs and maintains emergency lighting that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility. CMS uses asset management software to plan, manage and track the required maintenance activities of the equipment.

Fire Protection (PE-13)

Fire protection includes devices and systems that are effective in detecting, extinguishing, or controlling a fire event. Preventing fires or limiting damage can ensure work operations continue without interruption. CMS facilities adhere to the mandatory standards outlined in GSA’s Facilities Standards for the Public Buildings Service (P100), as amended. CMS’s fire protection devices and systems, supported by independent energy sources, work to detect, notify and compartmentalize or suppress the unwanted effects of potentially destructive fires. CMS uses asset management software to plan, manage and track the required maintenance activities of the equipment.

Detection Devices/Systems (PE-13(1))

Detection devices/systems automatically activate to notify personnel and emergency responders in the event of a fire. CMS facilities adhere to the mandatory standards outlined in GSA’s Facilities Standards for the Public Buildings Service (P100), as amended. The table below outlines the CMS defined parameters for PE-13(1).

Table 10: CMS Defined Parameters-Control PE-13(1)

Control: PE-13(1)

Control Requirement:

The organization employs fire detection devices/systems for the information system that activate automatically and notify [Assignment: organization-defined personnel or roles] and [Assignment: organization-defined emergency responders] in the event of a fire.

CMS Parameter:

The organization employs fire detection devices/systems for the information system that activate automatically and notify defined personnel or roles (defined in the applicable security plan) and defined emergency responders (defined in the applicable security or safety plan) in the event of a fire.

CMS’s detection system is comprised of a networked series of fire alarm panels, annunciator panels, addressable audible and visual alarms and initiating devices including smoke detectors, heat detectors, and pull stations.

Suppression Devices/Systems (PE-13(2))

Fire suppression devices/systems provide automatic activation notification to specific personnel, roles, and emergency responders. CMS facilities adhere to the mandatory standards outlined in GSA’s Facilities Standards for the Public Buildings Service (P100), as amended. The table below outlines the CMS defined parameters for PE-13(2).

Table 11: CMS Defined Parameters- Control PE-13(2)

Control: PE-13(2)

Control Requirement: The organization employs fire suppression devices/systems for the information system that provide automatic notification of any activation to [Assignment: organization-defined personnel or roles] and [Assignment: organization-defined emergency responders].

CMS Parameter: The organization employs fire suppression devices/systems for the information system that provide automatic notification of any activation to defined personnel (or roles) and defined emergency responders (defined in the applicable security or safety plan)

CMS employs a monitored fire alarm system that notifies critical parties (e.g., CMS’s Network Command Center (NCC), designated personnel, emergency services/local fire department) as soon as detection devices or systems have been activated.

Automatic Fire Suppression (PE-13(3))

Automatic fire suppression systems have the capability to control and extinguish fires without human intervention. Options for automatic suppression systems include:

  • Aqueous systems (e.g., wet-pipe sprinkler system); and
  • Gaseous systems (e.g., clean agent system)

CMS facilities adhere to the mandatory standards outlined in GSA’s Facilities Standards for the Public Buildings Service (P100), as amended.

Wet-pipe sprinkler systems are installed at CMS facilities. The sprinkler system is heat-activated and responds with water suppression only in the area(s) where heat is detected.

Temperature and Humidity Controls (PE-14)

Environmental conditions can pose a threat to the hardware of the network. Maintaining recommended temperature and humidity levels in the data center can reduce unplanned downtime caused by environmental conditions. Maintaining and monitoring levels of temperature and humidity where the information system resources (e.g., data centers, server rooms) reside is critical to system reliability. High temperatures can cause equipment to overheat and malfunction. If the relative humidity levels are too high, water condensation can occur which results in hardware corrosion and early system and component failure. If the relative humidity is too low, computer equipment becomes susceptible to electrostatic discharge (ESD) which can cause damage to sensitive components. The table below outlines the CMS defined parameters for PE-14.

Table 14: CMS Defined Parameters- Control PE-14

Control: PE-14

Control Requirement: The organization:

a. Maintains temperature and humidity levels within the facility where the information system resides at [Assignment: organization-defined acceptable levels]; and

b. Monitors temperature and humidity levels [Assignment: organization-defined frequency].

CMS Parameter: The organization:

a. Maintains temperature and humidity levels within the facility where the information system resides within acceptable vendor-specified levels;

b. Monitors temperature and humidity levels within the defined frequency (defined in the applicable security plan);

Temperature and humidity levels are maintained within the vendor-specified levels for optimal system reliability. Zone temperature sensors and humidity sensors are used for continuous monitoring. CMS uses a web-based data center monitoring system that allows monitoring of critical support equipment. This provides centralized oversight and features include real-time monitoring and event management. CMS uses asset management software to plan, manage and track the required maintenance activities of the equipment.

Water Damage Protection (PE-15)

Shut-off valves help prevent water damage by closing off the water supply. Main shut-off or isolation valves can be used to protect the information system resources from damage resulting from water leakage. Isolation valves are used to shut off water supplies at a specific location, usually for maintenance or safety purposes, and can be employed in addition to or in lieu of main shutoff valves. CMS facilities adhere to the mandatory standards outlined in GSA’s Facilities Standards for the Public Buildings Service (P100), as amended. CMS protects the information system resources from water damage resulting from broken plumbing lines or other sources of water leakage by providing main shut-off valves or isolation valves that are accessible, functional, and known to key personnel. CMS uses asset management software to plan, manage and track the required maintenance activities of the equipment.

Automation Support (PE-15(1))

Automated mechanisms (e.g., water detection sensors, alarms and notification systems) are used to detect and provide an alert to the presence of water near the information system. The table below outlines the CMS defined parameters for PE-15(1).

Table 12: CMS Defined Parameters-Control PE-15(1)

Control: PE-15(1)

Control Requirement: The organization employs automated mechanisms to detect the presence of water in the vicinity of the information system and alerts [Assignment: organization-defined personnel or roles].

CMS Parameter: The organization employs automated mechanisms to detect the presence of water near the information system and alerts defined personnel or roles (defined in the applicable security plan)

CMS uses water detection sensors to detect water from environmental events (e.g., floods), as well as from equipment failure, leaks and broken pipes. CMS uses a web-based data center monitoring system that allows monitoring of critical support equipment. This provides centralized oversight and features include real-time monitoring and event management. CMS uses asset management software to plan, manage and track the required maintenance activities of the equipment.

Delivery and Removal (PE-16)

Effectively enforcing authorizations for entry and exit of information system components may require restricting access to delivery areas and possibly isolating the areas from the information system and media libraries. The table below outlines the CMS defined parameters for PE-16.

Table 17: CMS Defined Parameters- Control PE-16

Control: PE-16

Control Requirement: The organization authorizes, monitors, and controls [Assignment: organization-defined types of information system components] entering and exiting the facility and maintains records of those items.

CMS Parameter: The organization authorizes, monitors, and controls the flow of all information system-related components entering and exiting the facility and maintains records of those items

CMS authorizes, monitors and controls the flow of information system-related components entering and exiting the facility through the use of procedures which include controlled access to the facility, secure storage and the maintenance of entry/exit records.

Alternate Work Site (PE-17)

Alternate work sites may provide readily available alternate locations as part of contingency operations. Organizations may define different sets of security controls for specific alternate work sites or types of sites depending on the work-related activities conducted at those sites. This control supports the contingency planning activities of organizations and the federal telework initiative. There is a direct relationship between an agency’s Continuity of Operations (COOP) plan and telework. Both programs, telework and COOP, share a basic objective: to perform and maintain agency functions from an alternative location. Telework can help ensure that essential Federal functions continue through hazardous weather, pandemic, physical attacks, or any other event that would result in the closure of Government facilities. The Telework Enhancement Act of 2010 provides a framework for agencies to better leverage technology and to maximize the use of flexible work arrangements, including those involving emergency situations. The table below outlines the CMS defined parameters for PE-17.

Table 18: CMS Defined Parameters- Control PE-17

Control: PE-17

Control Requirement: The organization:

a. Employs [Assignment: organization-defined security controls] at alternate work sites;

CMS Parameter: The organization:

a. Employs appropriate security controls at alternate work sites to include, but not to be limited to, requiring the use of laptop cable locks, recording serial numbers and other identification information about laptops, and disconnecting modems at alternate work sites;

The CMS telework program is a valuable tool to meet mission objectives. CMS’s policy that governs telework is located in the Master Labor Agreement (MLA), Article 29: Telecommuting Programs.

Participation in the CMS telework program is voluntary. A completed telework agreement between the employee and CMS is required for participation. Employees with a valid telework agreement may be required by CMS to telecommute at an approved ADS in the instances of: a full day building closure; an early building closure for non-weather-related reasons; or a delayed opening (e.g., inclement weather or in other emergencies). CMS may also require telework employees to work at an ADS when a COOP is in effect. Per Office of Personnel Management (OPM), there is no Federal statute or regulation that specifically prohibits Federal contractors from teleworking. The decision to allow a contractor to telework would be made by the contractor’s supervisor and/or in conjunction with CMS. CMS employs appropriate security controls at alternate work sites. Security controls include technology-enforced protection such as Virtual Private Network (VPN) technology, multi-factor authentication, anti-virus software, and encryption. In addition, procedures, including the HHS RoB, which applies to remote use of HHS information (in both electronic and physical forms) and information systems, rely on users to follow rules or perform certain steps that are not necessarily enforced by technical means.

For security incidents, contact the CMS IT Service Desk by calling (410) 786-2580 or (800) 562-1963; or by sending an email to cms_it_service_desk@cms.hhs.gov to open a ticket.

Location of Information System Components (PE-18)

Positioning the information system components within the facility is critical to minimize potential damage from physical and environmental hazards and to minimize the opportunity for unauthorized access. The location of physical entry points should be considered where unauthorized individuals, while not being granted access, might be in close proximity to information systems. This increases the potential for unauthorized access to organizational communications (e.g., through the use of wireless sniffers or microphones). The table below outlines the CMS defined parameters for PE-18.

Table 19: CMS Defined Parameters- Control PE-18

Control: PE-18

Control Requirement: The organization positions information system components within the facility to minimize potential damage from [Assignment: organization-defined physical and environmental hazards] and to minimize the opportunity for unauthorized access.

CMS Parameter: The organization positions information system components within the facility to minimize potential damage from physical and environmental hazards, and to minimize the opportunity for unauthorized access.

CMS positions the information system components to minimize potential damage from physical and environmental hazards and to minimize the opportunity for unauthorized access. Considerations when positioning information system components include: 

  • Security: layered security consists of access card readers, mantraps, video surveillance and/or security staff
  • Fire protection: fire protection systems, as well as implementation of fire prevention programs in operations
  • Electrical power: proven and reliable power grid with backup power that consists of one or more UPS, in addition to battery banks and generators
  • Geographic location: probability and frequency of natural disasters, extreme weather, and seismic activity at a specific location
  • Structural design: techniques that can be used to make the actual data center resistant to physical attacks (e.g., reinforced with steel and concrete)

In addition, the raised floor space, air conditioning support, UPS, generators, and related support equipment must be coordinated with the other areas of the facility and properly positioned within the facility’s perimeter in order to improve their interaction. 

Applicable Laws and Guidance 

The Applicable Laws and Guidance appendix provides references to both authoritative and guidance documentation supporting this document. Subsections are organized by “level of authority” (e.g., Statutes take precedence over Federal Directives and Policies).

Statutes 

Health Insurance Portability and Accountability Act of 1996 (HIPAA) 

Federal Directives and Policies 

FedRAMP Rev. 4 Baseline 

Homeland Security Presidential Directive 12 

U.S. General Services Administration: Facilities Standards for Public Buildings Service (P100) 

National Archives and Records Administration (NARA) schedule GRS 5.6: Security Records 

OMB Policy and Memoranda 

OMB Circular A-130, Management of Federal Information Resources 

OMB Memo: M-11-27, Implementing the Telework Enhancement Act of 2010: Security Guidelines 

NIST Guidance and Federal Information Processing Standards 

FIPS-201-2 Personal Identity Verification (PIV) of Federal Employees and Contractors 

FIPS-200 Minimum Security Requirements for Federal Information and Information Systems 

NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations 

NIST SP 800-116, Guidelines for the Use of PIV Credentials in Facility Access 

NIST SP 800-46, Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security 

NIST SP 800-73, Interfaces for Personal Identity Verification – Part 1: PIV Card Application Namespace, Data Model and Representation

NIST SP 800-76, Biometric Specifications for Personal Identity Verification

NIST SP 800-78, Cryptographic Algorithms and Key Sizes for Personal Identity Verification

HHS Policy 

HHS-OCIO-2014-0001 HHS Information System Security and Privacy Policy (HHS IS2P)– 2014 Edition. 

To obtain a copy of this document, email fisma@hhs.gov 

Rules of Behavior for Use of Health and Human Services Information Resources (HHS RoB) 

Associated CMS Resources 

Master Labor Agreement 

Physical Security Handbook