PE-6(1): Intrusion Alarms and Surveillance Equipment

PE-6(1) requires you to monitor physical access to the facility where your system resides by using intrusion alarms and surveillance equipment, then operate, maintain, and evidence that monitoring as a repeatable control. To operationalize it fast, define the protected spaces, deploy or validate alarm/camera coverage, set alert handling, and keep reviewable logs, test records, and maintenance proof. 1

Key takeaways:

  • Define the “facility where the system resides” precisely (rooms, cages, closets, and supporting spaces), then map alarms/cameras to each boundary.
  • Treat monitoring as an operated process: alert routing, response, retention, testing, and maintenance are where audits are won or lost.
  • Keep evidence that a third party (security integrator/SOC/building management) is doing what you think they are doing.

The PE-6(1) Intrusion Alarms and Surveillance Equipment requirement is straightforward in text and easy to under-implement in practice: you must monitor physical access to the facility where the system resides using intrusion alarms and surveillance equipment. 1 For a Compliance Officer, CCO, or GRC lead, the fastest path is to convert that sentence into a control boundary decision, a set of devices and monitoring responsibilities, and a clean evidence trail.

This requirement typically becomes urgent during federal customer security reviews, ATO work, assessments against NIST SP 800-53, or contract flow-downs for contractor systems handling federal data. The operational pitfalls are consistent: unclear scope (“is a shared office a facility?”), reliance on building controls without verification, poor retention and review practices, and gaps where cameras exist but no one can prove they were working or monitored.

This page gives requirement-level implementation guidance you can hand to facilities, security operations, and your third parties. It focuses on what to build, how to run it, and what to save so an assessor can confirm monitoring actually happens.

Regulatory text

“Monitor physical access to the facility where the system resides using physical intrusion alarms and surveillance equipment.” 1

Operator meaning: You need two things in place and provable:

  1. Intrusion alarms that detect unauthorized entry or boundary violations for the relevant facility areas; and
  2. Surveillance equipment (commonly cameras) that provides visibility into physical access events and supports investigation.

Monitoring must be tied to the facility where the system resides, which means your compliance scope is set by where the system is physically located (data center floor, server room, telecom closet, secure cage, lab, records room, or other controlled space), not by your corporate HQ footprint. 1

Plain-English interpretation

You must be able to answer, with evidence:

  • Who entered (or tried to enter) the protected facility space.
  • When it happened and what triggered the alert (door forced, door held open, motion after hours, glass break, etc.).
  • How you would know quickly enough to respond.
  • What you can review later (video and alarm logs) to investigate and support incident handling.

This is not a “buy cameras” checkbox. Assessors look for operated monitoring: alarms routed to a monitored point, defined response, documented testing, and retention practices that match your risk and investigative needs.

Who it applies to

Entity types

  • Federal information systems and programs assessed against NIST SP 800-53. 2
  • Contractors and service providers handling federal data where NIST SP 800-53 controls are contractual requirements or assessment criteria. 2

Operational contexts

  • On-prem data centers, colocations, and private cages.
  • Corporate facilities with server rooms, network closets, backup media storage, or security operations spaces that house system components.
  • Cloud: if the “system” is fully hosted, PE-6(1) typically shifts to the cloud service provider’s facility controls, but you still own due diligence, contract terms, and evidence collection for the relevant third party.

Third-party dependence (common)

  • Landlords/building management controlling base building security.
  • Colocation providers.
  • Security integrators (installation/maintenance).
  • A monitoring center or SOC receiving alarms (internal or third party).

What you actually need to do (step-by-step)

1) Set the control scope: define “facility where the system resides”

Create a short scoping memo (one page is fine) that states:

  • Which system(s) are in scope.
  • The physical locations housing system components (address, floor, room, cage ID).
  • The physical boundaries to be monitored (doors, loading docks, emergency exits, ladders/roof hatches, shared corridors if applicable).
  • What is explicitly out of scope and why.

Practical rule: if a person can physically touch system components or supporting assets (network gear, hypervisors, backup media), the path to that access should be part of your boundary thinking.

2) Choose the monitoring model (and document responsibilities)

Decide and document:

  • Who receives alarm events (internal security desk, SOC, third party monitoring).
  • Who triages alerts and dispatches response.
  • Escalation path to IT/security incident response if compromise is suspected.
  • After-hours coverage.

Put this into a RACI that names owners across Security, Facilities, IT, and any third party.

3) Confirm device coverage and placement against the boundary

Build a simple “coverage map” table:

Area / Door | Alarm type | Camera coverage | Monitoring destination | Notes

Minimum operator checks:

  • Doors to the protected area have an alarm condition for forced entry/door held (or equivalent mechanism).
  • Cameras capture identifiable access events at entry/exit points and critical interior zones (for example, the rack aisle entrance).
  • Cameras and alarms have power resilience appropriate to your risk (document what you have, even if it’s just building UPS).

4) Configure logging, time sync, and retention you can defend

Define what you retain and where:

  • Alarm event logs (panel logs and/or monitoring center records).
  • Video retention (NVR/VMS or third-party hosted).
  • Access control logs (often handled under PE-3/PE-2, but strongly related for investigations).

Operational detail assessors probe:

  • Consistent timestamps across alarms, cameras, and access control. If systems are out of sync, investigations fail and audits drag.

5) Establish alert handling and response procedures

Write a runbook that covers:

  • Alarm categories (forced door, motion after-hours, duress, tamper).
  • Expected response (call guard, dispatch patrol, notify facilities, notify security).
  • Evidence capture steps (bookmark video, export clip, preserve logs).
  • False alarm handling and tuning (without disabling the control).

Keep the runbook short and executable. Include screenshots or the exact system names your responders see.

6) Test, maintain, and prove operation

Define:

  • Periodic functional testing of alarms and cameras (what is tested, by whom, and how results are recorded).
  • Preventive maintenance (lens cleaning, firmware updates where applicable, battery checks, sensor alignment).
  • Break/fix SLAs with the integrator or colocation provider.

If you inherit monitoring from a third party (colocation/CSP), require attestation and artifacts, not just “we have cameras.”

7) Integrate third-party due diligence (where monitoring is outsourced)

If a third party operates any part of alarms/cameras/monitoring:

  • Put requirements into the contract/SOW: monitoring coverage, retention, incident notification, access to logs/video for investigations, maintenance obligations.
  • Ensure you can obtain evidence on request in audit timeframes.
  • Track the third party as a dependency in your vendor/third-party risk program.

Daydream can help here by turning PE-6(1) into an owner-mapped procedure with recurring evidence tasks, so you are not rebuilding proof during every assessment.
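
A minimal check for steps 3 and 4 above, added here as an illustration and not part of the original guidance: it flags coverage-map rows missing an alarm, camera, or monitoring destination, and reports clock skew between systems that logged the same test event. The device names, sample rows, timestamps, and the 5-second tolerance are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed coverage map using the step 3 columns (sample data, not a real site).
COVERAGE_MAP = [
    {"area": "Server room door", "alarm_type": "forced/held",
     "camera": "CAM-01", "destination": "SOC"},
    {"area": "Telecom closet door", "alarm_type": "",
     "camera": "CAM-02", "destination": "SOC"},
    {"area": "Roof hatch", "alarm_type": "contact",
     "camera": "", "destination": ""},
]

# Constructed timestamps for one live door-alarm test, as each system logged it.
TEST_EVENT = {
    "alarm_panel": "2024-05-01T02:14:05",
    "camera_vms": "2024-05-01T02:14:07",
    "access_control": "2024-05-01T02:16:40",
}

REQUIRED = ("alarm_type", "camera", "destination")


def coverage_gaps(rows):
    """Return {area: [missing columns]} for boundary points with incomplete coverage."""
    gaps = {}
    for row in rows:
        missing = [col for col in REQUIRED if not row.get(col, "").strip()]
        if missing:
            gaps[row["area"]] = missing
    return gaps


def clock_skew(event, reference="alarm_panel", tolerance=timedelta(seconds=5)):
    """Return {system: skew in seconds} where a system's timestamp for the same
    event differs from the reference system by more than the assumed tolerance."""
    ref = datetime.fromisoformat(event[reference])
    skewed = {}
    for system, stamp in event.items():
        delta = datetime.fromisoformat(stamp) - ref
        if abs(delta) > tolerance:
            skewed[system] = delta.total_seconds()
    return skewed


if __name__ == "__main__":
    print("Coverage gaps:", coverage_gaps(COVERAGE_MAP))
    print("Clock skew (s):", clock_skew(TEST_EVENT))
```

Saving the output of each run alongside the test record gives a dated artifact showing the boundary map and time synchronization were checked.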

Required evidence and artifacts to retain

Keep artifacts that prove design and operation:

Design / configuration

  • Facility scope statement and boundary diagram (can be a floor plan marked up).
  • Device inventory list (alarms, panels, cameras, NVR/VMS) tied to locations.
  • Monitoring architecture: where alerts go, who watches them, and coverage hours.
  • Alerting rules/config snapshots (exported settings or screenshots with dates).

Operational records

  • Alarm event reports and monitoring center tickets.
  • Video retention settings and a sample retrieval proof (show you can export footage).
  • Test records (date, tester, test method, result, remediation).
  • Maintenance records and work orders (including third-party invoices that show device/service actions).
  • Incident records tied to alarm events (if any), with evidence preservation notes.

Third-party artifacts (if applicable)

  • Contract clauses/SOW extracts for monitoring and retention.
  • Third-party attestations or reports you receive and review.
  • Support tickets and escalation records for outages.

Common exam/audit questions and hangups

  • “Show me the facility boundaries for the system and where alarms/cameras are placed.”
  • “Who monitors alarms after hours? Prove it with tickets or monitoring logs.”
  • “Demonstrate you can retrieve video for a specific date/time.”
  • “What happens if the camera/NVR goes down? How do you know?”
  • “Are these building cameras or system-owner cameras? What assurance do you have either way?”
  • “How do you test intrusion alarms and document results?”

Hangup to expect: shared facilities. If you are in a leased building or colocation, auditors often ask how you validated the third party’s controls, not whether the third party claims they exist.

Frequent implementation mistakes and how to avoid them

  1. Scope drift: declaring “HQ” as the facility when only a server room is in scope.
    Fix: name the rooms/cages/closets and the access paths that matter.

  2. Cameras without monitoring: recording exists, but no one reviews alerts or responds.
    Fix: define alert routing, response, and keep monitoring center artifacts.

  3. No evidence of operation: devices exist, but there are no test logs, no maintenance records, and no sample exports.
    Fix: schedule recurring tests and retain outputs in your GRC evidence repository.

  4. Inherited controls with no proof: relying on a landlord/colo without contractual rights to logs or documented retention.
    Fix: add audit/evidence rights and notification requirements to the agreement.

  5. Retention misalignment: video overwritten too quickly to support investigations.
    Fix: set retention based on your incident detection and response realities, then document the rationale and confirm it works with a retrieval test.

Risk implications (why assessors care)

Physical intrusion is a direct path to:

  • Hardware tampering, implanting rogue devices, or stealing media.
  • Privilege escalation through console access.
  • Disruption (power/network) that becomes an availability incident.

PE-6(1) reduces dwell time by creating a monitored signal when someone crosses a boundary. If you cannot show that alarms and surveillance are active, monitored, and retrievable, an assessor may treat the control as not implemented even if equipment is visible on a walkthrough. 2

Practical 30/60/90-day execution plan

First 30 days (stabilize scope and evidence basics)

  • Assign a control owner and backups (Security or Facilities, with IT support).
  • Write the facility scope statement and capture a marked-up floor plan.
  • Inventory alarms/cameras/NVR/VMS, and map each to the protected boundary.
  • Confirm where alarms are monitored and who receives alerts.
  • Start an evidence folder structure (design artifacts, operations logs, testing, maintenance, third-party proof).

Next 60 days (make it operated, not just installed)

  • Publish the alarm/camera response runbook and escalation path.
  • Run a tabletop plus a live test (door alarm trigger and video retrieval) and save results.
  • Confirm time synchronization and log availability across systems.
  • Formalize third-party requirements where monitoring is outsourced (SOW addendum or contract update, if needed).

By 90 days (make it repeatable and audit-ready)

  • Establish recurring testing and maintenance cadence with documented outputs.
  • Add monitoring outages as ticketable events with escalation and closure evidence.
  • Perform a “mock audit” walk-through: pick a random alarm event (or a test event), trace it from trigger to ticket to video clip export to closure.
  • Put PE-6(1) into your control library with mapped procedure steps and recurring evidence tasks (Daydream can automate the reminders and evidence collection workflow).

Frequently Asked Questions

Do we need both intrusion alarms and cameras for PE-6(1)?

The requirement calls for monitoring using physical intrusion alarms and surveillance equipment. 1 In practice, implement both and show they cover the same facility boundary so you can detect and investigate access events.

Our building has cameras in common areas. Does that satisfy the requirement?

It can contribute, but auditors typically expect you to prove coverage, retention, and retrieval rights. If a landlord controls the system, treat it as a third-party dependency and obtain evidence and contractual assurance.

What counts as “the facility where the system resides” in a shared office with a server closet?

Treat the server closet (and the path to it) as the facility boundary for this control, then document it clearly. If the closet is accessible from a shared corridor, include corridor coverage considerations in your boundary mapping.

If our system is fully in a public cloud, do we still have to deploy cameras?

Usually the cloud provider’s facility monitoring covers the physical layer, but you still need to document reliance on that third party and keep the assurance artifacts your program requires. Keep your own office/server room scope honest; if no system components are onsite, your onsite camera scope may be limited.

What evidence is most persuasive in an audit?

A boundary map tied to a device inventory, plus recent alarm logs or monitoring tickets and a demonstrated ability to retrieve video for a specified time window. Test and maintenance records close the loop by proving ongoing operation.

How do we handle privacy concerns with surveillance cameras?

Work with HR/legal to post notices and define appropriate placement (for example, avoid areas where privacy expectations are higher). Keep access to footage restricted, logged, and aligned to security purposes.

Footnotes

  1. NIST SP 800-53 Rev. 5 OSCAL JSON

  2. NIST SP 800-53 Rev. 5
