Water Damage Protection

FedRAMP Moderate’s water damage protection requirement (NIST SP 800-53 Rev 5 PE-15) expects you to prevent system-impacting water leaks by installing master shutoff or isolation valves that are accessible, functional, and known to the right staff. Operationalize it by mapping water exposure points, documenting valve locations and access, assigning trained responders, and proving ongoing inspect-and-test.

Key takeaways:

• You need physically accessible, working master shutoff or isolation valves for water leak scenarios (NIST Special Publication 800-53 Revision 5).
• Auditors look for “known to key personnel” evidence: names, training, runbooks, and drills, not a generic policy statement.
• Success is measurable through facility diagrams, access procedures, inspection/test logs, and incident response integration.

Water leaks are a reliability and security issue in one package: a single event can take systems offline, damage media, and trigger broader incident response and continuity actions. The FedRAMP Moderate control for water damage protection is explicit and narrow: provide master shutoff or isolation valves that are accessible, working properly, and known to key personnel (NIST Special Publication 800-53 Revision 5). That means you must treat water isolation as an operational capability, not a facilities footnote.

For a Compliance Officer, CCO, or GRC lead, the fastest path is to translate this control into three workstreams that produce audit-grade evidence: (1) engineering reality (where valves are, what they isolate, and how quickly they can be reached), (2) governance (who is authorized and trained to act, and how actions are approved after-hours), and (3) assurance (inspection/testing cadence, exceptions, and how you prove the valves work). If you are a cloud service provider, the requirement often spans third parties such as colocation providers and building management, so your due diligence and contract language must support access and evidence collection.

Regulatory text

Control requirement (excerpt): “Protect the system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel.” (NIST Special Publication 800-53 Revision 5)

Operator interpretation: You must be able to stop water flow that could damage the system, quickly and reliably. The control is satisfied through a combination of physical safeguards (valves and access), operational readiness (people know what to do), and verification (you can show the valves are functional). A written policy alone will not carry this control if you cannot demonstrate valve location, accessibility, and routine confirmation that the valves work.

Plain-English interpretation (what “good” looks like)

You can answer these questions without scrambling:

• Where is the water shutoff for the room/area that hosts your system components?
• Can authorized staff access it during an emergency (including after-hours)?
• Do you have proof the valve works and is maintained?
• Do the right people know where it is and when to use it?

“Master shutoff” usually means a valve that stops water to a broader zone; “isolation” means stopping water to a specific branch. Either can meet the requirement if it meaningfully reduces damage risk for the areas supporting your FedRAMP system.

Who it applies to

Entity types

• Cloud Service Providers (CSPs) operating under FedRAMP Moderate.
• Federal Agencies operating systems under the FedRAMP Moderate baseline (NIST Special Publication 800-53 Revision 5).

Operational contexts (where this becomes real)

• Data centers and server rooms (enterprise, colocation, hosted cages).
• Network/telecom rooms supporting boundary protection and connectivity.
• Rooms with critical supporting infrastructure (UPS rooms, battery rooms, generator control areas), where water intrusion can cascade into outages.
• Mixed-tenant buildings where building management controls the main shutoff and you rely on a third party for access.

If your system is hosted at a third-party facility, you still own the compliance outcome. Your contracts, due diligence, and evidence collection must bridge the gap.

What you actually need to do (step-by-step)

1) Define scope: what must be protected

• Identify system-supporting spaces: racks, cages, rooms, and any upstream areas where water could migrate (above-ceiling plumbing, adjacent mechanical rooms).
• Document assumptions: for example, if the facility has no domestic water lines above the space, record how you confirmed that (site survey notes, facility statement, diagrams).

Deliverable: A scoped “water exposure map” tied to the FedRAMP system boundary narrative.

2) Identify shutoff/isolation points and owners

• Locate master shutoff valves and isolation valves relevant to each in-scope space.
• Record: valve type, what it isolates, location details, and who controls it (your staff, building engineer, colocation staff).
• Confirm the valve is accessible in practice: not blocked by storage, not behind locked doors without an on-call path, not requiring a tool that nobody has.

Deliverables: Valve inventory + annotated floor plan or riser diagram.

3) Establish access and authorization rules

• Define who qualifies as key personnel (by role): facilities on-call, security, data center operations, incident commander, and any third-party contacts who can respond.
• Set access pathways for normal and emergency conditions:
  • Keys/badge access and escalation path
  • After-hours entry procedures
  • Safety constraints (who can turn water off, when to call building management, any “two-person rule” if you apply one)

Deliverables: Access procedure + on-call roster + third-party escalation contacts.

4) Build the “known to key personnel” program

Auditors often focus here because it distinguishes paper compliance from operational readiness.

• Add valve locations and steps to your incident response runbook for facilities events.
• Train key personnel on:
  • How to identify the correct valve
  • When shutoff is appropriate (and when not)
  • How to coordinate with building management to avoid unintended impacts

Deliverables: Training records, acknowledgments, and the runbook section that references shutoff actions (NIST Special Publication 800-53 Revision 5).

5) Verify “working properly” with inspection and test evidence

• Establish an inspect-and-test routine appropriate to your environment. The control does not dictate a specific cadence (NIST Special Publication 800-53 Revision 5), so pick one you can sustain and defend.
• Minimum expectations for evidence:
  • Visual inspection results (corrosion, labeling, obstructions)
  • Exercising/functional testing where feasible and safe
  • Exceptions and remediation tickets when issues are found

If you cannot test (for example, testing would disrupt other tenants), document the constraint, get a facility attestation, and implement compensating verification such as maintenance records from the facility.

Deliverables: Inspection/test logs, maintenance work orders, exception register.

6) Integrate with third-party risk management (if hosted)

Where a colocation provider or building management owns the valves:

• Put requirements in the contract or exhibit: access commitments, evidence delivery, and response SLAs expressed operationally (avoid vague “commercially reasonable” phrasing where possible).
• During due diligence, request:
  • Facility diagrams showing shutoff/isolation points
  • Preventive maintenance records for relevant valves
  • Emergency response procedures and contacts

Deliverables: Contract language, due diligence artifacts, and an evidence request checklist you can re-use.

Practical tip: Daydream can track these artifacts and renewal tasks as part of third-party due diligence, so you can prove “accessible, working properly, and known” without hunting across facilities emails and shared drives.

Required evidence and artifacts to retain

Use this as an audit binder checklist:

Design & inventory

• Valve inventory (ID, location, isolation scope, owner)
• Annotated floor plan/riser diagram/photos showing valve locations and labels
• Statement of applicability tying valves to in-scope spaces

Operational readiness

• Emergency procedure/runbook steps for water leak response
• On-call roster and escalation contacts (including third parties)
• Training/briefing records for key personnel (dates, attendees, content summary)

Assurance

• Inspection logs and/or preventive maintenance records
• Test records (or documented testing constraints and compensating measures)
• Corrective action tickets and closure evidence for any deficiencies

Common exam/audit questions and hangups

• “Show me the shutoff valves for the FedRAMP system areas.” Expect requests for diagrams plus photos.
• “Who are ‘key personnel’ and how do they know?” Auditors want names/roles and training evidence, not “Facilities team is aware.”
• “Prove the valves work.” A maintenance log, inspection results, or a facility-provided preventive maintenance record usually carries more weight than a one-time screenshot.
• “What if the valves are controlled by the building?” You need documented access and escalation, plus third-party evidence.

Hangup to watch: teams provide a general facilities policy, but cannot connect specific valves to specific rooms supporting the system boundary.

Frequent implementation mistakes (and how to avoid them)

1. No mapping between valves and protected assets.
   Fix: maintain a simple table that ties each in-scope room/cage to its shutoff/isolation point.

2. Valve exists but is not actually accessible.
   Fix: conduct a walk-through and capture photos showing a clear path and the door/access method.

3. “Known to key personnel” treated as implicit knowledge.
   Fix: require a short annual briefing, record attendance, and include a runbook step with valve identifiers.

4. Relying on a third party without evidence rights.
   Fix: update contract exhibits and due diligence questionnaires so the facility must provide records and allow emergency access.

Enforcement context and risk implications

No public enforcement cases were provided in the source catalog for this requirement. Treat this control as an availability and resilience requirement with clear auditability: failure typically shows up as an assessment finding because you cannot demonstrate accessibility, functionality, or staff awareness (NIST Special Publication 800-53 Revision 5). Operationally, the risk is straightforward: delayed shutoff increases the blast radius of a leak event, which can expand from facilities damage into incident response, continuity actions, and customer-impacting downtime.

Practical 30/60/90-day execution plan

First 30 days (stabilize and document)

• Assign an owner (Facilities/Ops) and a compliance coordinator (GRC).
• Walk the spaces in scope; build the valve inventory; collect photos and diagrams.
• Draft the water leak runbook section, including shutoff decision points and escalation contacts.
• If hosted, issue evidence requests to colocation/building management.

Days 31–60 (prove readiness)

• Define key personnel by role; deliver training/briefing; capture acknowledgments.
• Validate access paths (badges/keys/after-hours procedures); document gaps and open remediation tickets.
• Stand up an inspection-and-test log format; record the first completed cycle.

Days 61–90 (operationalize and make it durable)

• Run a tabletop for a water leak scenario; record outcomes and improvements.
• Close high-priority remediation items (labeling, access obstructions, missing documentation).
• Embed recurring tasks into your compliance calendar and third-party review cadence.
• Centralize evidence (runbooks, logs, third-party records) in a system of record; Daydream can act as that evidence hub for audits and renewals.

Frequently Asked Questions

Do we need a master shutoff valve, or is an isolation valve enough?

The control allows “master shutoff or isolation valves,” so either can satisfy it if it protects the system area from water leakage (NIST Special Publication 800-53 Revision 5). Document what the valve isolates and why that coverage is sufficient for the in-scope space.

What counts as “accessible” in an audit?

“Accessible” needs to be true during real conditions: the valve is reachable, not obstructed, and the access method works after-hours. Keep photos, access procedures, and escalation paths as evidence.

Our colocation provider controls the shutoff valves. How do we meet the requirement?

Treat it as a third-party dependency: contract for emergency access and evidence delivery, then retain their diagrams and maintenance records. Your control narrative should explain the handoff and how you verify it stays effective (NIST Special Publication 800-53 Revision 5).

How do we prove the valves are “working properly”?

Keep preventive maintenance, inspection logs, and any functional test records that are safe to perform. If testing is constrained, document why and retain facility-provided maintenance attestations and corrective actions.

Who should be listed as “key personnel”?

List roles that can respond and authorize action: facilities on-call, data center operations, security, and incident leadership. Include third-party contacts when they control access or must execute the shutoff.

Do we need a separate policy for water damage protection?

A standalone policy can help, but auditors usually care more about operational artifacts: valve inventory, diagrams, access procedures, training records, and inspection/testing evidence tied to the system boundary (NIST Special Publication 800-53 Revision 5).