Sorry, you need to enable JavaScript to visit this website.


Office of the Chief Technology Officer

DC Agency Top Menu

-A +A
Bookmark and Share

Physical and Environmental Protection Policy

Approved Date – 02/22/2021
Published Date – 02/22/2021
Revised Date – 02/23/2023

1.    Purpose

Establish the requirement, for mitigating the risks from physical security and environmental threats through the establishment of effective physical security and environmental controls.  

2.    Authority

DC Official Code § 1-1401 et seq., provides the Office of the Chief Technology Officer (“OCTO”) with the authority to provide information technology (IT) services, write and enforce IT policies, and secure the network and IT systems for the District government. This document can be found at:

3.    Applicability

This policy applies to all District Workforce members performing official functions on behalf of the District, and/or any District agency/District/entity who receive enterprise services from OCTO. In addition, this policy applies to any provider and third-party entity with access to District information, systems, networks, and applications.

4.    Policy

District agencies and departments must develop or adhere to a strategy which demonstrates compliance with this policy and its related standards. The following outlines the requirements for this policy.

The District's agencies must develop and review or update annually and after change to the policy, a procedure in support of this policy with the following requirements: 

4.1.    Physical Access Authorizations  
The District agencies must:  

4.1.1. Develop and maintain a list of personnel with authorized access to the facility where the information assets reside (except for those areas within the facility officially designated as publicly accessible).   

4.1.2. Issue authorization credentials (e.g., badges, identification cards, and smart cards) to each person accessing a restricted area. 

4.1.3. Review and approve every employee’s level of access before access is granted

4.1.4. Review the access list detailing authorized facility access by individuals at least every year or as needed.

4.1.5. Remove individuals from the facility access list when access is no longer required.

 4.2.    Physical Access Control
The District agencies must:  

4.2.1. Enforce physical access authorizations for all physical access points (including designated entry/exit points) to the facility where the information asset resides (excluding those areas within the facility officially designated as publicly accessible). This includes:  

  • Validation of individual access authorizations before granting access to the facility; and      
  • Control entry to the facility containing the information asset using physical access devices and/or guards.

4.2.2. Maintains physical access audit logs for entry/exit points.

4.2.3. Control access to areas officially designated as publicly accessible per the organization’s assessment of risk.

4.2.4. Escort visitors and monitor visitor activity in the data centers and sensitive areas.

4.2.5. Secure keys, combinations, and other physical access devices.

4.2.6. Inventory physical access devices on an annual basis.

4.2.7. Change combinations and keys annually and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated.

4.3.    Monitoring Physical Access
The District agencies must:  

4.3.1. Ensure that physical access to information systems is monitored to detect and respond to physical security incidents.

4.3.2. Review physical access logs weekly.

4.3.3. Conduct the Investigation of apparent security violations or suspicious physical access activities. Investigations and results of reviews shall be coordinated with the agency’s incident response capability.

 4.4.    Visitor Access Control
The District agencies must restrict and control physical access to the information asset by authenticating visitors (a valid Government issued ID maybe required) before authorizing access to the facility where the information asset resides other than areas designated as publicly accessible.
4.5.    Visitor Access Records
The District agencies must:  

  • Maintain visitor access records to the facility for no less than five (5) years.
  • Review visitor access records quarterly.

4.6.    Power Equipment and Cabling
The District agencies must protect power equipment and power cabling for the information asset from damage and destruction.   
4.7.    Emergency Shutoff
The District agencies must:  

4.7.1.  Provide the capability of shutting off power to the information system or individual system components in emergencies.

4.7.2. Emergency shutoff switches or devices must be placed in clear and accessible areas to facilitate safe and easy access for personnel.

4.7.3. Protect emergency power shutoff capability from unauthorized activation.

4.8.    Emergency Power
The District agencies must provide a short-term uninterruptible power supply or back generator(s) to facilitate an orderly shutdown of the information asset in the event of a primary power source loss.  
4.9.    Emergency Lighting
The District agencies must provide and maintain automatic emergency lighting, that activates, in case of the main power failure. Automatic emergency lighting must cover the agency’s emergency exits and evacuation routes within the agency’s facility.
4.10.    Fire Protection

The District agencies must employ and maintain fire suppression and detection devices/systems for the information asset that are supported by an independent energy source including but not limited to, data centers and server rooms.  
4.11.    Temperature and Humidity Controls
The District agencies must implement and maintain automatic temperature and humidity controls in the data center(s) to prevent fluctuations potentially harmful to equipment. The temperature and humidity levels must be monitored frequently.
4.12.    Water and Damage Protection
The District agencies must initiate measures to protect information systems from damage resulting from water leakage. Agencies must provide master water shutoff or isolation valves that are easily accessible, working properly, and known to key personnel.
4.13.    Delivery and Removal
The District agencies must ensure that access to delivery areas (e.g. loading docks and warehouses) is restricted and possibly isolated from the information system and media libraries to effectively enforce authorizations for entry and exit of information system components.
4.14.    Alternate Work Site
The District agencies must:  

4.14.1 Employ telework with VPN access at alternate work sites.

4.14.2 Assess as feasible, the effectiveness of security controls at alternate work sites.

4.14.3 Provide a means for employees to communicate with information security personnel in case of security incidents or problems.

4.15.    Location of Information Asset Components  
The District agencies must position information asset components within the facility to minimize potential damage from physical and environmental hazards and to minimize the opportunity for unauthorized access.

5.    Exemption

Exceptions to this policy shall be requested in writing to the Agency’s CIO and the request will be escalated to the OCTO Chief Information Security Officer (“CISO”) for approval.

6.    Definitions

The definition of the terms used in this document can be found in the Policy Definitions website.