Red Hat Virtualization Host - Physical and Environmental Protection

Control responses for NIST 800-53 rev4.


Requirements Traceability Matrix

| Control | Name | Status |
|---|---|---|
| PE-1 | Physical And Environmental Protection Policy And Procedures | not applicable |
| PE-2 | Physical Access Authorizations | not applicable |
| PE-2 (1) | Access By Position / Role | |
| PE-2 (2) | Two Forms Of Identification | |
| PE-2 (3) | Restrict Unescorted Access | |
| PE-3 | Physical Access Control | not applicable |
| PE-3 (1) | Information System Access | |
| PE-3 (2) | Facility / Information System Boundaries | |
| PE-3 (3) | Continuous Guards / Alarms / Monitoring | |
| PE-3 (4) | Lockable Casings | |
| PE-3 (5) | Tamper Protection | |
| PE-3 (6) | Facility Penetration Testing | |
| PE-4 | Access Control For Transmission Medium | |
| PE-5 | Access Control For Output Devices | |
| PE-5 (1) | Access To Output By Authorized Individuals | |
| PE-5 (2) | Access To Output By Individual Identity | |
| PE-5 (3) | Marking Output Devices | |
| PE-6 | Monitoring Physical Access | not applicable |
| PE-6 (1) | Intrusion Alarms / Surveillance Equipment | |
| PE-6 (2) | Automated Intrusion Recognition / Responses | |
| PE-6 (3) | Video Surveillance | |
| PE-6 (4) | Monitoring Physical Access To Information Systems | |
| PE-7 | Visitor Control | |
| PE-8 | Visitor Access Records | not applicable |
| PE-8 (1) | Automated Records Maintenance / Review | |
| PE-8 (2) | Physical Access Records | |
| PE-9 | Power Equipment And Cabling | |
| PE-9 (1) | Redundant Cabling | |
| PE-9 (2) | Automatic Voltage Controls | |
| PE-10 | Emergency Shutoff | |
| PE-10 (1) | Accidental / Unauthorized Activation | |
| PE-11 | Emergency Power | |
| PE-11 (1) | Long-Term Alternate Power Supply - Minimal Operational Capability | |
| PE-11 (2) | Long-Term Alternate Power Supply - Self-Contained | |
| PE-12 | Emergency Lighting | not applicable |
| PE-12 (1) | Essential Missions / Business Functions | |
| PE-13 | Fire Protection | not applicable |
| PE-13 (1) | Detection Devices / Systems | |
| PE-13 (2) | Suppression Devices / Systems | |
| PE-13 (3) | Automatic Fire Suppression | |
| PE-13 (4) | Inspections | |
| PE-14 | Temperature And Humidity Controls | not applicable |
| PE-14 (1) | Automatic Controls | |
| PE-14 (2) | Monitoring With Alarms / Notifications | |
| PE-15 | Water Damage Protection | |
| PE-15 (1) | Automation Support | |
| PE-16 | Delivery And Removal | |
| PE-17 | Alternate Work Site | |
| PE-18 | Location Of Information System Components | |
| PE-18 (1) | Facility Site | |
| PE-19 | Information Leakage | |
| PE-19 (1) | National Emissions / Tempest Policies And Procedures | |
| PE-20 | Asset Monitoring And Tracking | |



PE-1: Physical And Environmental Protection Policy And Procedures

The organization:

a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
   1. A physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
   2. Procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls; and

b. Reviews and updates the current:
   1. Physical and environmental protection policy [Assignment: organization-defined frequency]; and
   2. Physical and environmental protection procedures [Assignment: organization-defined frequency].

PE-1 Control Response Information
Implementation Status: not applicable

PE-1: What is the solution and how is it implemented?
PE-1(a):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

PE-1(b):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’




PE-2: Physical Access Authorizations

The organization:

a. Develops, approves, and maintains a list of individuals with authorized access to the facility where the information system resides;

b. Issues authorization credentials for facility access;

c. Reviews the access list detailing authorized facility access by individuals [Assignment: organization-defined frequency]; and

d. Removes individuals from the facility access list when access is no longer required.

PE-2 Control Response Information
Implementation Status: not applicable

PE-2: What is the solution and how is it implemented?
PE-2(a):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

PE-2(b):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

PE-2(c):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

PE-2(d):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’




PE-2 (1): Access By Position / Role

“The organization authorizes physical access to the facility where the information system resides based on position or role.”

PE-2 (1) Control Response Information
Implementation Status:
PE-2 (1): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



PE-2 (2): Two Forms Of Identification

“The organization requires two forms of identification from [Assignment: organization-defined list of acceptable forms of identification] for visitor access to the facility where the information system resides.”

PE-2 (2) Control Response Information
Implementation Status:
PE-2 (2): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



PE-2 (3): Restrict Unescorted Access

“The organization restricts unescorted access to the facility where the information system resides to personnel with [Selection (one or more): security clearances for all information contained within the system; formal access authorizations for all information contained within the system; need for access to all information contained within the system; [Assignment: organization-defined credentials]].”

PE-2 (3) Control Response Information
Implementation Status:
PE-2 (3): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



PE-3: Physical Access Control

The organization:

a. Enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system resides] by;
   1. Verifying individual access authorizations before granting access to the facility; and
   2. Controlling ingress/egress to the facility using [Selection (one or more): [Assignment: organization-defined physical access control systems/devices]; guards];

b. Maintains physical access audit logs for [Assignment: organization-defined entry/exit points];

c. Provides [Assignment: organization-defined security safeguards] to control access to areas within the facility officially designated as publicly accessible;

d. Escorts visitors and monitors visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and monitoring];

e. Secures keys, combinations, and other physical access devices;

f. Inventories [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and

g. Changes combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated.

PE-3 Control Response Information
Implementation Status: not applicable

PE-3: What is the solution and how is it implemented?
PE-3(a):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

PE-3(b):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

PE-3(c):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

PE-3(d):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

PE-3(e):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

PE-3(f):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

PE-3(g):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’




PE-3 (1): Information System Access

“The organization enforces physical access authorizations to the information system in addition to the physical access controls for the facility at [Assignment: organization-defined physical spaces containing one or more components of the information system].”

PE-3 (1) Control Response Information
Implementation Status:
PE-3 (1): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



PE-3 (2): Facility / Information System Boundaries

“The organization performs security checks [Assignment: organization-defined frequency] at the physical boundary of the facility or information system for unauthorized exfiltration of information or removal of information system components.”

PE-3 (2) Control Response Information
Implementation Status:
PE-3 (2): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



PE-3 (3): Continuous Guards / Alarms / Monitoring

“The organization employs guards and/or alarms to monitor every physical access point to the facility where the information system resides 24 hours per day, 7 days per week.”

PE-3 (3) Control Response Information
Implementation Status:
PE-3 (3): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



PE-3 (4): Lockable Casings

“The organization uses lockable physical casings to protect [Assignment: organization-defined information system components] from unauthorized physical access.”

PE-3 (4) Control Response Information
Implementation Status:
PE-3 (4): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



PE-3 (5): Tamper Protection

“The organization employs [Assignment: organization-defined security safeguards] to [Selection (one or more): detect; prevent] physical tampering or alteration of [Assignment: organization-defined hardware components] within the information system.”

PE-3 (5) Control Response Information
Implementation Status:
PE-3 (5): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



PE-3 (6): Facility Penetration Testing

“The organization employs a penetration testing process that includes [Assignment: organization-defined frequency], unannounced attempts to bypass or circumvent security controls associated with physical access points to the facility.”

PE-3 (6) Control Response Information
Implementation Status:
PE-3 (6): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



PE-4: Access Control For Transmission Medium

“The organization controls physical access to [Assignment: organization-defined information system distribution and transmission lines] within organizational facilities using [Assignment: organization-defined security safeguards].”

PE-4 Control Response Information
Implementation Status:
PE-4: What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



PE-5: Access Control For Output Devices

“The organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output.”

PE-5 Control Response Information
Implementation Status:
PE-5: What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



PE-5 (1): Access To Output By Authorized Individuals

The organization: (1)(a). Controls physical access to output from [Assignment: organization-defined output devices]; and (1)(b). Ensures that only authorized individuals receive output from the device.

PE-5 (1) Control Response Information
Implementation Status:
PE-5 (1): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



PE-5 (2): Access To Output By Individual Identity

The information system: (2)(a). Controls physical access to output from [Assignment: organization-defined output devices]; and (2)(b). Links individual identity to receipt of the output from the device.

PE-5 (2) Control Response Information
Implementation Status:
PE-5 (2): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



PE-5 (3): Marking Output Devices

“The organization marks [Assignment: organization-defined information system output devices] indicating the appropriate security marking of the information permitted to be output from the device.”

PE-5 (3) Control Response Information
Implementation Status: