PE-6(3): Video Surveillance

PE-6(3) requires you to deploy and operate video surveillance for defined physical areas tied to your system’s physical access controls, then prove it works through retained footage, access controls for video, and documented monitoring and response. Operationalize it by scoping coverage zones, setting retention and review procedures, restricting who can view/export footage, and validating cameras routinely. 1

Key takeaways:

  • Scope matters: define exactly which areas require cameras and why, and tie that scope to physical access boundaries.
  • Evidence wins audits: you must retain configuration, logs, retention settings, and sample footage exports under controlled access.
  • Treat video as sensitive data: restrict access, track exports, and align retention with legal/privacy and investigation needs.

The PE-6(3) Video Surveillance requirement is a targeted enhancement to PE-6 (Monitoring Physical Access) under NIST SP 800-53 Rev. 5 that expects real, operating camera coverage for specific physical areas, not a paper policy. You are being asked to “employ video surveillance” for defined locations tied to the protection of federal information systems or contractor systems handling federal data. 1

For a Compliance Officer, CCO, or GRC lead, the fastest path is to treat PE-6(3) like an assessable security capability with four parts: (1) a documented scope of coverage, (2) an implemented camera/VMS architecture, (3) governance for monitoring, retention, and access to recordings, and (4) repeatable evidence that proves the system is working. If you only document the intention to install cameras, you will fail on operating effectiveness.

This page gives requirement-level implementation guidance you can hand to Facilities/Security, IT, and your assessor. It also flags common audit hangups: unclear scope (“all entrances” vs. defined areas), missing retention evidence, and weak controls over who can view or export footage.

Regulatory text

Text (excerpt): “Employ video surveillance of {{ insert: param, pe-06.03_odp.01 }};” 1

Operator meaning: The `{{ insert: param, pe-06.03_odp.01 }}` placeholder is the OSCAL rendering of the Rev. 5 assignment “[Assignment: organization-defined operational areas]”. The excerpt is item (a) of the enhancement; the full PE-6(3) text also assigns, as separate organization-defined parameters, how often video recordings are reviewed (item b) and how long they are retained (item c). You must deploy and operate video surveillance for the specific physical areas your organization defines for this parameter. The work is not complete until you (a) define the areas, (b) implement coverage, (c) control and monitor the video system, and (d) retain evidence that the surveillance operates as intended. 1

Plain-English interpretation (what the requirement is really asking)

PE-6(3) expects that you use cameras to deter, detect, and support investigation of unauthorized physical access to areas that matter to your system’s confidentiality, integrity, and availability. In practice, that means:

  • You explicitly list the areas that require surveillance (example: data center doors, MDF/IDF rooms, secure loading areas, badge-controlled entrances, cage rows, secure media storage).
  • Cameras are actually installed, recording, and positioned to capture identity-relevant activity (faces, badges, entry points) rather than generic hallway footage.
  • Video recordings are handled as controlled records: access is restricted, exports are tracked, retention is defined, and footage is available for investigations and assessments. 1

Who it applies to

Entity types: Federal information systems and contractor systems handling federal data. 1

Operational contexts where auditors expect PE-6(3) to be in scope:

  • Facilities hosting system components (on-prem data centers, server rooms, wiring closets, SOC/NOC spaces).
  • Colocation spaces where you control the cage/space and physical access process.
  • Offices or mixed-use sites where a defined “secure area” exists (badge-controlled zones, secure labs, records rooms).
  • Third-party facilities when your contract and shared responsibility model make you responsible for physical protections (or for verifying the third party’s protections as part of due diligence).

Boundary reality check: If the system boundary is “cloud-only,” PE-6(3) may still apply to corporate spaces where administrators access sensitive systems or where sensitive media is stored. You need a clear scoping decision and rationale either way. 2

What you actually need to do (step-by-step)

Use this sequence to get to an assessor-ready implementation quickly.

1) Define the organization-defined parameter: what areas are covered

  • Create an “Area Coverage Register” listing each area that requires surveillance.
  • For each area, document: business purpose, what assets/data are protected, physical access controls present (badges/locks/guards), and why surveillance is needed.
  • Include a simple map/floor plan reference and camera IDs once installed.

Output: PE-6(3) scope statement + Area Coverage Register (owned by Physical Security with GRC approval).

2) Design camera coverage to meet investigative needs

  • Place cameras to capture: approaches to entry points, door interactions, tailgating, and identity cues.
  • Avoid blind spots at doors, reception handoffs, and loading zones.
  • Standardize minimum expectations per area type (doorway camera, interior overview camera, etc.) as an internal standard, then apply consistently.

Audit hook: Assessors often ask, “How do you know the camera actually covers the door and not the back of someone’s head?” Have annotated snapshots from each camera as evidence.

3) Implement recording, time sync, and storage controls

  • Ensure continuous recording or event-based recording consistent with your risk decision for each area.
  • Ensure camera/VMS timestamps are accurate and consistent across devices: synchronize cameras, the VMS, and the badge/access-control system to the same trusted NTP source (time drift undermines investigations and breaks correlation between footage and door-event logs).
  • Secure storage for recordings (segmented network for cameras/VMS where feasible; hardened VMS; backups as appropriate).

GRC-friendly control statement: “Video is recorded for scoped areas, retained per the retention standard, and protected from unauthorized access and tampering.” 1

4) Set retention, access, and export governance (treat footage as sensitive)

Define and implement:

  • Retention period by area type and risk (document the decision and who approved it).
  • Role-based access to live feeds and recordings (Security Operations, Facilities Security, limited IT administrators).
  • Export controls: who can export footage, under what triggers (incident, HR investigation, law enforcement request), and how exports are logged and protected.
  • Chain-of-custody procedure: how you preserve and hand off footage so it remains credible evidence.

Evidence target: A VMS access report (users/roles), export logs, and a written SOP.
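The export and chain-of-custody procedure in step 4 is easier to defend if every exported clip carries a record of who pulled it, why, its size and SHA-256 digest, and every hand-off since. The script below is an added example written for this page, not code from the original page or from any VMS vendor; the record fields, the `INC-1042` ticket, the user names and the clip bytes are all constructed assumptions. It hashes the clip at export time, appends the record to an append-only JSON-lines log, enforces that only the current holder can hand the clip on, and shows that a single flipped byte is caught at verification even though the file size is unchanged.

```python
"""Added example (not from the page): chain-of-custody record for an exported clip."""
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so large video exports do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def record_export(clip_path, camera_id, clip_start_utc, clip_end_utc,
                  exported_by, reason, ticket, exported_at_utc):
    """Build the custody record that travels with the clip.
    The field set is an assumption about what an export SOP would require."""
    return {
        "camera_id": camera_id,
        "clip_start_utc": clip_start_utc,
        "clip_end_utc": clip_end_utc,
        "exported_by": exported_by,
        "reason": reason,
        "ticket": ticket,
        "size_bytes": os.path.getsize(clip_path),
        "sha256": sha256_file(clip_path),
        "custody": [{"holder": exported_by, "action": "exported", "at_utc": exported_at_utc}],
    }


def transfer_custody(record, from_holder, to_holder, at_utc):
    """Append a hand-off event; only the current holder may hand the clip on."""
    current = record["custody"][-1]["holder"]
    if current != from_holder:
        raise ValueError(f"custody is held by {current}, not {from_holder}")
    record["custody"].append({"holder": to_holder, "action": "received",
                              "at_utc": at_utc, "from": from_holder})
    return record


def verify_export(clip_path, record):
    """True only if size and SHA-256 still match what was logged at export time."""
    return (os.path.getsize(clip_path) == record["size_bytes"]
            and sha256_file(clip_path) == record["sha256"])


def append_log(log_path, record):
    """Append-only JSON-lines export log, one line per export."""
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(record, sort_keys=True) + "\n")


def demo():
    """End-to-end run on a constructed clip; returns the verification outcomes."""
    with tempfile.TemporaryDirectory() as tmp:
        clip = os.path.join(tmp, "CAM-01_2024-05-01T0300Z.mp4")
        with open(clip, "wb") as fh:
            # Constructed bytes standing in for a clip; not a real video file.
            fh.write(b"\x00\x00\x00\x1cftypisom" + bytes(range(256)) * 64)
        rec = record_export(clip, "CAM-01", "2024-05-01T03:00:00Z", "2024-05-01T03:10:00Z",
                            "sec.ops.analyst", "after-hours door-forced alarm", "INC-1042",
                            "2024-05-01T09:15:00Z")
        transfer_custody(rec, "sec.ops.analyst", "hr.investigator", "2024-05-01T10:00:00Z")
        append_log(os.path.join(tmp, "exports.jsonl"), rec)
        intact = verify_export(clip, rec)
        # Simulate tampering: flip one byte in the middle; the size stays the same.
        with open(clip, "r+b") as fh:
            fh.seek(1000)
            original = fh.read(1)
            fh.seek(1000)
            fh.write(bytes([original[0] ^ 0xFF]))
        tampered = verify_export(clip, rec)
        return {"intact": intact, "tampered_detected": not tampered,
                "custody_chain": [e["holder"] for e in rec["custody"]]}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The digest is what makes the record useful as evidence: it ties the log entry to the exact bytes handed to HR or law enforcement, so a later dispute about editing can be settled by recomputing it. Keep the log itself under the same access controls as the footage, since an attacker who can rewrite the log can rewrite the digest.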

5) Operational monitoring and response

  • Define who monitors alerts or reviews footage, and when (for example, after-hours alarms, door forced-open events).
  • Tie surveillance to incident response: define what events require retrieval and review, and where that gets documented (ticketing/IR system).
  • Train the roles that actually pull footage; most failures occur during the first real incident.

6) Validate coverage and keep it working

  • Perform periodic camera health checks (offline cameras, blocked lenses, recording failures, storage near-capacity).
  • Revalidate after changes: construction, moved doors, badge reader changes, office remodels, rack rearrangements.
  • Track issues to closure in a ticketing system so you can show corrective action.
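Steps 3 and 6 describe checks (recording actually happening, clocks in sync, retention configured and genuinely met, storage not about to overwrite, no scoped area left uncovered) that are far more convincing to an assessor when they run on a schedule and produce a ticketable finding list. The script below is an added example written for this page, not code from the original page or from any VMS product; the Area Coverage Register, the camera status records and the thresholds are constructed assumptions standing in for whatever your VMS exports. It also handles the edge case that trips up naive retention checks: a camera installed more recently than the retention period cannot yet hold that much footage and must not be reported as a shortfall.

```python
"""Added example (not from the page): scheduled PE-6(3) health, time-drift,
retention and coverage check over a constructed VMS status export."""
from datetime import datetime, timedelta, timezone

# Constructed Area Coverage Register: area -> required retention in days.
COVERAGE_REGISTER = {"DC-North-Door": 90, "MDF-Room": 90, "Loading-Dock": 30, "Media-Vault": 180}

# Constructed VMS status export (assumed shape; camera_clock_utc is the camera's own
# clock sampled at the same instant as the NTP-synced reference time passed as `now`).
CAMERA_STATUS = [
    {"camera_id": "CAM-01", "area": "DC-North-Door", "online": True,
     "last_frame_utc": "2024-05-01T12:00:00Z", "camera_clock_utc": "2024-05-01T12:00:03Z",
     "oldest_recording_utc": "2024-01-20T00:00:00Z", "installed_utc": "2023-06-01T00:00:00Z",
     "storage_used_pct": 71},
    {"camera_id": "CAM-02", "area": "MDF-Room", "online": True,
     "last_frame_utc": "2024-05-01T11:20:00Z",        # no frames for 40 minutes
     "camera_clock_utc": "2024-05-01T11:57:00Z",      # 3 minutes behind reference
     "oldest_recording_utc": "2024-03-15T00:00:00Z",  # 47 days retained, 90 required
     "installed_utc": "2023-06-01T00:00:00Z", "storage_used_pct": 94},
    {"camera_id": "CAM-03", "area": "Loading-Dock", "online": False,
     "last_frame_utc": "2024-04-30T23:59:00Z", "camera_clock_utc": "2024-04-30T23:59:00Z",
     "oldest_recording_utc": "2024-03-20T00:00:00Z", "installed_utc": "2023-06-01T00:00:00Z",
     "storage_used_pct": 40},
    {"camera_id": "CAM-04", "area": "MDF-Room", "online": True,   # installed 10 days ago
     "last_frame_utc": "2024-05-01T12:00:00Z", "camera_clock_utc": "2024-05-01T12:00:00Z",
     "oldest_recording_utc": "2024-04-21T00:00:00Z", "installed_utc": "2024-04-21T00:00:00Z",
     "storage_used_pct": 5},
]
NOW = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)


def parse_ts(value):
    """ISO-8601 with a trailing Z, as most VMS exports write it."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check(register, cameras, now, stall_minutes=15, max_drift_s=60, storage_alert_pct=90):
    """Return one finding per problem; an empty list means everything checks out."""
    findings = []

    def add(cam, issue, detail):
        findings.append({"camera_id": cam["camera_id"], "area": cam["area"],
                         "issue": issue, "detail": detail})

    for cam in cameras:
        if cam["area"] not in register:
            add(cam, "unregistered_area", "camera area is not in the Area Coverage Register")
        if not cam["online"]:
            add(cam, "offline", f"last frame {cam['last_frame_utc']}")
        else:
            stalled = now - parse_ts(cam["last_frame_utc"])
            if stalled > timedelta(minutes=stall_minutes):
                add(cam, "recording_stalled", f"no frames for {int(stalled.total_seconds() // 60)} min")
            drift = abs((parse_ts(cam["camera_clock_utc"]) - now).total_seconds())
            if drift > max_drift_s:
                add(cam, "time_drift", f"camera clock off by {int(drift)} s")
        required_days = register.get(cam["area"])
        if required_days is not None:
            cutoff = now - timedelta(days=required_days)
            # Only a camera that has been installed long enough can be short on retention.
            if parse_ts(cam["installed_utc"]) <= cutoff and parse_ts(cam["oldest_recording_utc"]) > cutoff:
                held = (now - parse_ts(cam["oldest_recording_utc"])).days
                add(cam, "retention_shortfall", f"{held} days retained, {required_days} required")
        if cam["storage_used_pct"] >= storage_alert_pct:
            add(cam, "storage_near_capacity", f"{cam['storage_used_pct']}% used")

    covered = {cam["area"] for cam in cameras}
    for area in register:
        if area not in covered:
            findings.append({"camera_id": None, "area": area, "issue": "coverage_gap",
                             "detail": "scoped area has no camera in the inventory"})
    return findings


if __name__ == "__main__":
    for f in check(COVERAGE_REGISTER, CAMERA_STATUS, NOW):
        print(f"{f['issue']:22} {f['camera_id'] or '-':7} {f['area']:14} {f['detail']}")
```

Run it from the same host that receives the VMS export and file each finding as a ticket; the closed tickets, together with the script's output history, are exactly the "health check evidence" and "retention test" artifacts listed later on this page. The register is deliberately the input, not the camera list, so a scoped area with no camera at all shows up as a gap instead of silently passing.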

7) Map ownership and recurring evidence (assessment readiness)

PE-6(3) fails in audits most often due to missing, inconsistent evidence. Assign:

  • Control owner: Physical Security (primary) with IT/VMS admin (technical) and GRC (oversight).
  • Evidence cadence: routine access review of VMS users, routine health checks, and periodic sampling of recordings.

Daydream (as a GRC system) fits naturally here: map PE-6(3) to owners, store the Area Coverage Register, and schedule recurring evidence requests for VMS access reviews and camera health reports so you are not rebuilding proof at audit time. 1

Required evidence and artifacts to retain

Keep artifacts that prove both design and operation:

Core artifacts (auditor-ready)

  • PE-6(3) scope statement and Area Coverage Register (areas covered; rationale; owner).
  • Floor plans or diagrams referencing camera placement (can be redacted/sanitized).
  • Camera inventory: IDs, locations, model, recording mode, retention setting reference.
  • VMS configuration exports or screenshots: retention settings, recording schedules, storage configuration.
  • Access control list for VMS: user list, roles, and last review/approval.
  • Footage retrieval SOP + chain-of-custody/export procedure.
  • Sample evidence of operation:
    • Annotated stills showing camera views for key entrances.
    • Camera health/uptime reports or monitoring alerts (as available).
    • Ticket examples showing camera issues found and fixed.
    • Export logs or incident tickets referencing footage pulled.

Evidence handling cautions

  • Restrict evidence packets. Camera placement and coverage can be sensitive. Provide only what the assessor needs.
  • If you redact, document what was redacted and why, and offer a controlled viewing session.

Common exam/audit questions and hangups

Expect these and prepare answers up front:

  1. “What specific areas are under video surveillance for PE-6(3)?”
    Hangup: you say “all critical areas” with no list. Fix with the Area Coverage Register.

  2. “Show me that cameras record and retain footage for your defined period.”
    Hangup: retention is documented but not configured, or storage overwrites early. Fix with VMS retention settings + a sample of footage older than the minimum.

  3. “Who can view or export recordings, and how do you know it’s controlled?”
    Hangup: shared admin accounts, no role separation, no review. Fix with named accounts, RBAC, and an access review record.

  4. “How do you know cameras are functioning and positioned correctly?”
    Hangup: no health checks; cameras quietly fail. Fix with periodic health check evidence and annotated camera views.

  5. “What happens when you need footage for an incident?”
    Hangup: no one knows the process; exports are ad hoc. Fix with an SOP and one example incident record (sanitized).

Frequent implementation mistakes (and how to avoid them)

  • Mistake: Treating video as a Facilities-only topic.
    Avoidance: make VMS governance a joint control with Security/IT/GRC, and track it like any other system with access reviews and change control.

  • Mistake: No defined parameter for coverage.
    Avoidance: write the scoping decision in plain language. “Entrances” is not scope. List doors, rooms, and zones.

  • Mistake: Cameras exist, but recordings are not retained or are overwritten early.
    Avoidance: test retention in the real world. Pull footage from earlier periods and document the test result.

  • Mistake: Overbroad access to live feeds and recordings.
    Avoidance: least privilege for VMS roles, remove local/shared accounts, and log exports.

  • Mistake: No linkage to incident response.
    Avoidance: add a step in IR playbooks for requesting and preserving video, with chain-of-custody notes.

Risk implications (what can go wrong)

PE-6(3) gaps tend to show up at the worst time: after a suspected intrusion, theft, tampering, or insider incident. If you cannot produce footage, cannot trust timestamps, or cannot prove footage integrity and access control, you lose investigative capability and may have difficulty supporting disciplinary actions, insurance claims, or law enforcement referrals. From a compliance standpoint, the biggest recurring risk is straightforward: missing implementation evidence that the surveillance operates for the defined areas. 1

Practical 30/60/90-day execution plan

Use phases rather than calendar promises, and move faster if Facilities and IT can support it.

First 30 days (stabilize scope and governance)

  • Assign owner(s) and build the Area Coverage Register for in-scope sites.
  • Document retention and access rules for recordings; get Security, HR, and Legal input for privacy and workplace monitoring constraints.
  • Inventory existing cameras/VMS and identify coverage gaps against the defined areas.
  • Stand up evidence collection in Daydream: control mapping, owner assignment, and an evidence checklist aligned to the artifacts above. 1

Days 31–60 (close gaps and make it auditable)

  • Install or reposition cameras for defined areas; capture annotated camera-view stills.
  • Configure retention and role-based access; remove shared accounts.
  • Write and publish SOPs: footage request, export, chain-of-custody, and incident triggers.
  • Run a table-top: request footage for a simulated event, export it, and document the trail.

Days 61–90 (prove operating effectiveness)

  • Execute a periodic health check and record results; open/close tickets for failures.
  • Perform a VMS access review and document approvals/removals.
  • Sample test: retrieve footage from earlier points in the retention window and verify timestamp accuracy and playback.
  • Package an “assessor bundle” with redaction rules and a controlled viewing process for sensitive layouts.

Frequently Asked Questions

What should we put in the “organization-defined” scope for PE-6(3)?

Define specific rooms, doors, and zones tied to physical access boundaries that protect system components or sensitive media. Write the scope so a stranger could walk the site and verify whether coverage exists. 1

Does PE-6(3) require 24/7 live monitoring?

The text requires you to employ video surveillance for defined areas, not constant human monitoring. The enhancement does separately require that recordings be reviewed at an organization-defined frequency, so if you choose event-based review or monitoring tied to alarms, document the review frequency, the trigger conditions, and the response process. 1

How long do we have to retain recordings?

NIST leaves the exact retention duration to you: it is an organization-defined parameter of PE-6(3), set by your risk decision plus any legal/privacy constraints. Whatever you choose, configure it in the VMS and retain proof that the setting works in practice, such as playback of footage from the oldest point in the window. 1

Are cloud-based cameras/VMS acceptable?

The control focuses on the outcome (surveillance of defined areas). If you use cloud VMS, treat footage and admin access as sensitive: restrict access, log exports, and ensure retention and integrity controls are demonstrable to an assessor. 1

What evidence is strongest for auditors?

A tight scope register, annotated camera views for key entrances, VMS role/user access reviews, retention configuration proof, and a real or simulated incident record showing retrieval and controlled export. Missing evidence is a primary risk factor for this control. 1

How do we handle privacy and employee notice requirements?

Keep a documented review with HR/Legal on signage, acceptable use, and workplace monitoring constraints, and then align procedures to that decision. Limit access to recordings and define permitted uses to reduce privacy risk while meeting PE-6(3). 1

Footnotes

  1. NIST SP 800-53 Rev. 5 OSCAL JSON

  2. NIST SP 800-53 Rev. 5
