Emergency Shutoff

The FedRAMP Moderate emergency shutoff requirement (NIST SP 800-53 Rev 5 PE-10) means you must have a reliable way to cut power to defined system components during an emergency, place the shutoff device where authorized responders can reach it quickly, and prevent unauthorized or accidental activation (NIST Special Publication 800-53 Revision 5). Operationalize it by defining scope, mapping shutoff points to equipment, controlling access, and retaining test and maintenance evidence.

Key takeaways:

  • Define which systems/components require emergency power shutoff and document the rationale (NIST Special Publication 800-53 Revision 5).
  • Install or verify accessible shutoff devices near the covered equipment and control who can activate them (NIST Special Publication 800-53 Revision 5).
  • Keep evidence: diagrams, access controls, training, and test/inspection records that show the capability works and is protected (NIST Special Publication 800-53 Revision 5).

“Emergency shutoff” sounds like a facilities-only topic until an assessor asks you to prove that power can be cut quickly, safely, and only by the right people. PE-10 is a requirement to design and operate an emergency power shutoff capability that supports life safety and incident response without creating a new availability risk through accidental activation. In FedRAMP environments, this control often spans teams: facilities, data center operations, cloud operations, corporate security, and the compliance owner writing the SSP narrative.

A clean implementation starts with crisp scoping: what exactly are “organization-defined system components” for your authorization boundary? Next, you translate that scope into physical reality: where power is fed, where it can be interrupted, and who can access that interruption point under stress conditions. Finally, you build repeatable operations: labeling, access control, training, testing, and evidence retention.

This page breaks PE-10 down into requirement-level actions you can assign, track, and defend in an assessment, with concrete artifacts and common assessor hangups.

Regulatory text

NIST SP 800-53 Rev 5 PE-10 requires you to:

  1. “Provide the capability of shutting off power to organization-defined system components or the system in emergency situations;”
  2. “Place emergency shutoff switches or devices in an organization-defined location by the system or system component to facilitate access for authorized personnel;” and
  3. “Protect emergency power shutoff capability from unauthorized activation.” (NIST Special Publication 800-53 Revision 5)

Operator interpretation (what an assessor expects to see):

  • You identified which equipment is in scope (for example: racks, PDUs, network gear, on-prem hosts supporting the boundary) and you can show where and how power can be cut in an emergency (NIST Special Publication 800-53 Revision 5).
  • Shutoff devices are reachable in the conditions you planned for (smoke, water leak, overheating, electrical hazard) and accessible to authorized personnel without hunting through locked rooms or unlabeled panels (NIST Special Publication 800-53 Revision 5).
  • The shutoff mechanism is protected so random staff, visitors, or an attacker cannot disrupt availability by hitting a switch, and accidental activation is unlikely (NIST Special Publication 800-53 Revision 5).

Plain-English requirement (what it means in practice)

You need a “break glass” power-off capability for defined systems, located where responders can find it fast, with controls that prevent misuse. The control is about emergency conditions, not routine maintenance shutdowns. If your service relies on a third-party data center or colocation provider, you still need evidence that the capability exists for your in-scope components and that access and activation are governed, even though the device itself belongs to the provider.

Who this applies to

In FedRAMP Moderate contexts, PE-10 typically applies to:

  • Cloud Service Providers (CSPs) operating any physical environments in the authorization boundary (corporate data rooms, cages, labs, staging environments that are in scope), and CSPs relying on third-party colocation or data center facilities where in-scope hardware exists (NIST Special Publication 800-53 Revision 5).
  • Federal agencies running or overseeing facilities hosting in-scope systems/components (NIST Special Publication 800-53 Revision 5).

Operational contexts where PE-10 becomes “real”:

  • On-prem or colo deployments with racks, PDUs, UPS, and branch circuits.
  • Mixed environments where the “cloud” service includes dedicated hardware, HSMs, appliances, or network termination gear in a cage.
  • Facilities where the emergency power off (EPO) also affects shared systems (cooling, fire suppression interlocks, neighboring tenants). This is where design and authorization boundaries matter.

What you actually need to do (step-by-step)

1) Define the scope: “organization-defined system components”

Create a scoped list that is specific enough to test:

  • Identify in-scope spaces (rooms/cages) and equipment classes (racks, PDUs, core switches, storage arrays, management consoles).
  • Decide whether the requirement is met at the room/cage level (single EPO that drops all power) or at component/row level (selective shutoff). Either approach can meet the text if it covers defined components and is usable in an emergency (NIST Special Publication 800-53 Revision 5).
  • Document exclusions and compensating controls (for example, if cutting power could worsen safety due to dependent systems). Keep this tightly reasoned and tied to your architecture.

Deliverable: PE-10 scope statement + equipment inventory mapping.

2) Map “how power is shut off” to physical power paths

Build or obtain the authoritative view:

  • Electrical one-line diagram (or equivalent) showing upstream feeds, panels, breakers, UPS, PDUs, and EPO/shunt trip path for the in-scope area.
  • Identify the exact shutoff mechanism(s): EPO button, shunt-trip breaker, disconnect switch, controlled breaker with lock, or facility-controlled device. The mechanism can vary; the key is “capability of shutting off power” during emergencies (NIST Special Publication 800-53 Revision 5).

Deliverable: Diagram pack + a table that maps each in-scope component group to its emergency shutoff point.

3) Set the location standard and label it for emergency use

PE-10 requires you to place shutoff devices “in an organization-defined location by the system or system component” for authorized personnel access (NIST Special Publication 800-53 Revision 5). Operationalize that by writing a location standard such as:

  • Located at the room/cage entry, or within the row, or near the protected equipment.
  • Clearly labeled “Emergency Power Off” (or your defined wording) with directional signage from the entry.
  • Included on the “first responder” map posted in the room/cage or in the runbook.

Deliverable: Location standard + photos showing signage and placement.

4) Protect against unauthorized activation (and accidental hits)

This is the part assessors push on because availability is a FedRAMP concern. Controls commonly used (choose what fits your facility design):

  • Physical protection: covered switch, break-glass cover, recessed button, or guarded actuator.
  • Access restriction: device inside a controlled space (badge + escort rules), locked panel for shunt-trip breaker, or keyed enablement.
  • Procedural restriction: defined authorized roles (facilities on-call, data center ops lead, incident commander), with documented conditions for activation and a call tree.

Your goal: someone can activate it fast in an emergency, but a passerby cannot casually drop your environment (NIST Special Publication 800-53 Revision 5).

Deliverable: Authorized activator list (role-based), access control description, and photos of physical protections.

5) Write the runbook: decisioning, safety, and escalation

Your emergency shutoff runbook should include:

  • Triggers (electrical smell/smoke, water ingress near live power, overheating with imminent hazard, fire response direction).
  • Who can approve/activate (and what to do if they are unreachable).
  • Immediate steps after activation (notify incident response, facilities, security; record who activated it, when, and why, and preserve the supporting badge, BMS, and alarm records; preserve system logs; coordinate the restart sequence). Note that in most data room designs an EPO also drops UPS output, so activation is an uncontrolled shutdown of everything on the circuit and the restart plan must account for unclean state.
  • Coordination with third parties (data center NOC, building management). If a third party operates the EPO, document how you request activation and how that request is authenticated.

Deliverable: PE-10 runbook + on-call procedures.

6) Test and maintain the capability (without causing outages)

PE-10 does not spell out a test frequency, but you need evidence the capability exists and is protected (NIST Special Publication 800-53 Revision 5). Practical options:

  • Conduct a controlled test in a maintenance window if your design permits.
  • If full activation would be unsafe or disruptive, perform an inspection-based test: verify device integrity, covers/locks, signage, access controls, and validate the shunt-trip circuit using approved electrician procedures.

Deliverable: Test/inspection records, change tickets, and any electrician/vendor reports.

7) Tie it cleanly into your FedRAMP documentation set

Where this shows up:

  • SSP control implementation statement (what exists, where, who can activate, how protected).
  • Facility policy/procedure references.
  • Diagrams and evidence attached for assessment.

Daydream tip: teams often lose time chasing photos, diagrams, and third-party attestations during assessment. Daydream can track PE-10 evidence requests as structured tasks (diagram, photos, access list, test record) and keep the latest artifacts tied to the control so you do not rebuild the binder every assessment cycle.

Required evidence and artifacts to retain

Use this as your evidence checklist:

  • Scope definition for “organization-defined system components” (inventory mapping).
  • Electrical one-line / power path diagram covering in-scope spaces and shutoff points.
  • Photos of EPO/shutoff device(s), protective covers, labels, and surrounding context.
  • Access control records: door access requirements, escort rules, role-based authorized activators.
  • Runbook / SOP: activation criteria, notification, escalation, restart coordination.
  • Training/briefing record for authorized personnel (attendance or acknowledgment).
  • Test/inspection and maintenance records for the device/circuit and signage.
  • Third-party documentation (if applicable): data center MSA/SOW clauses relevant to emergency power shutoff operations, any provider facility procedures you rely on, and the provider's own FedRAMP authorization or audit report where the control is inherited.

Common exam/audit questions and hangups

Expect these questions:

  • “Show me which components are covered by PE-10 and where the shutoff is for each.”
  • “Where is the shutoff located relative to the equipment? Prove it’s accessible.”
  • “Who is authorized to activate it? How do you prevent a curious person from pressing it?”
  • “How do you test or inspect the capability? Show the last record.”
  • “If a third party controls the device, how do you authenticate the request and record the event?”

Hangups that cause findings:

  • The scope is vague (“all systems”) with no mapping to real shutoff points.
  • Photos are missing, outdated, or do not show protection from accidental activation.
  • The shutoff is behind multiple locked barriers without a clear emergency access path for authorized staff.

Frequent implementation mistakes (and how to avoid them)

  1. Treating EPO as “the data center’s problem.”
    Avoidance: if a third party provides the facility, obtain their procedures and map them to your boundary components. Keep it in your evidence set.

  2. Placing the device “nearby” without defining “nearby.”
    Avoidance: write a location standard and show it with diagrams and photos (NIST Special Publication 800-53 Revision 5).

  3. Overcorrecting on protection and making it unusable.
    Avoidance: choose protections that prevent casual activation but remain practical in an emergency (covered switch inside controlled area is common). Document the tradeoff and the emergency access method (NIST Special Publication 800-53 Revision 5).

  4. No proof the capability still works.
    Avoidance: retain inspection/testing artifacts and maintenance work orders. If you cannot “press the button,” document an alternate verification method approved by facilities/electricians.

Enforcement context and risk implications

No public enforcement cases specific to this requirement are cited here. The risk is still concrete: accidental or malicious activation drives availability incidents, and lack of emergency shutoff capability increases safety risk during electrical faults or environmental events. Assessors typically treat PE-10 as a facilities control with tangible, observable evidence expectations, and a working but unprotected EPO is as much a finding as a missing one.

Practical execution plan (30/60/90-day)

Because this control depends on facility constraints and maintenance windows, use a phased plan with clear deliverables rather than calendar promises.

First 30 days (Immediate)

  • Assign a single owner (facilities or data center ops) and a compliance owner for evidence.
  • Define in-scope components/spaces for PE-10 and document the scope statement (NIST Special Publication 800-53 Revision 5).
  • Collect existing diagrams, EPO location details, and access control descriptions.
  • Do a walkthrough: confirm labels, photos, and physical protections.

By 60 days (Near-term)

  • Close gaps: signage updates, protective covers, access list updates, runbook completion.
  • Formalize authorized activators and train/brief them; record acknowledgments.
  • If third parties are involved, request their emergency power shutoff procedures and align your runbook to the engagement path.

By 90 days (Operationalize and sustain)

  • Run a controlled test or documented inspection and capture the record.
  • Add PE-10 checks to routine facility inspections and change management (renovations, cage moves, rack adds).
  • Centralize artifacts for assessment readiness (Daydream or your GRC repository) and set a recurring review for diagrams, photos, and access lists.

Frequently Asked Questions

Does PE-10 apply if we are “fully cloud” on AWS/Azure/GCP?

PE-10 is a physical/environmental control. If your authorization boundary has no customer-controlled physical components, the control is normally inherited from the underlying FedRAMP-authorized IaaS provider: your SSP marks it as inherited, references the provider's authorization as the basis, and documents your boundary assumptions plus any facilities you do control, such as an on-prem management room or an HSM cage (NIST Special Publication 800-53 Revision 5).

Can we meet PE-10 with a breaker panel instead of an EPO button?

Yes, if it provides the emergency power shutoff capability for your defined components, is located as you specify for access, and is protected from unauthorized activation (NIST Special Publication 800-53 Revision 5). You still need clear labeling and responder instructions.

How do we “protect from unauthorized activation” without slowing down responders?

Put the shutoff inside a controlled space (badge/escort) and use a guarded/covered device to prevent casual contact. Then document who is authorized and how they access it during an emergency (NIST Special Publication 800-53 Revision 5).

What evidence is most persuasive to an assessor?

A power-path diagram mapped to in-scope components, photos of the device and protections, and a recent test/inspection record are the fastest path to closure. Pair that with a runbook that names authorized roles (NIST Special Publication 800-53 Revision 5).

Our colocation provider won’t share detailed electrical diagrams. What do we do?

Request the minimum necessary evidence: location of shutoff devices serving your cage/space, provider procedures for activation (including how they authenticate a request from you), and confirmation of protections against unauthorized activation. If the provider holds its own FedRAMP authorization or audit report that covers emergency power off, cite it as the basis for inheritance. Document the dependency and keep the provider artifacts as third-party evidence tied to PE-10 (NIST Special Publication 800-53 Revision 5).

Do we have to actually press the EPO as a “test”?

The requirement is to provide the capability and protect it (NIST Special Publication 800-53 Revision 5). If activating it would create unacceptable risk, document an alternative verification method (inspection, circuit verification by qualified personnel) and retain the record.
