PE-12: Emergency Lighting

PE-12 requires you to install and maintain automatic emergency lighting that turns on during power loss and clearly illuminates emergency exits and evacuation routes in any facility that houses your system. To operationalize it fast, assign a facilities owner, document coverage maps, test on a defined cadence, and retain maintenance and test evidence for assessors. ¹

Key takeaways:

• Emergency lighting must be automatic on power disruption and must cover exits and evacuation routes. ¹
• “Maintain” means you need a repeatable inspection/testing and repair workflow with retained evidence, not a one-time install.
• The fastest path to audit readiness is a coverage map + test logs + work orders tied to a control owner and procedure.

The pe-12: emergency lighting requirement is a physical and environmental protection control, but it regularly becomes an audit problem for security teams because the evidence often lives with Facilities, Corporate Real Estate, or a colocation provider. PE-12’s intent is simple: if power fails, people must still be able to find and use exits and move along evacuation routes safely, including in areas that support or house the system.

For most CCOs and GRC leads, the work is less about selecting light fixtures and more about turning “we have emergency lights” into a defensible control: clear ownership, defined scope (which facilities and which routes), test and maintenance cadence, and evidence you can produce on demand. The risk is practical. Poor lighting during an outage can delay evacuation, increase injury exposure, and lead to operational disruption. From a compliance perspective, the most common failure mode is missing or inconsistent proof that the lights are automatic, appropriately placed, and actually maintained.

This page gives requirement-level guidance you can hand to Facilities and your data center/colocation contacts, then fold into your SSP/control narrative and evidence program.

Regulatory text

Requirement (PE-12): “Employ and maintain automatic emergency lighting for the system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility.” ¹

Operator meaning:
You must (1) have emergency lighting installed, (2) confirm it turns on automatically when normal power is disrupted, and (3) confirm it covers emergency exits and the full evacuation routes in facilities that support the system, then (4) keep it in working order through ongoing maintenance. ¹

Plain-English interpretation (what PE-12 is really asking for)

PE-12 expects life-safety lighting that does not depend on a human flipping a switch during an outage. “Automatic” is the key word: the lighting activates when power is lost or disrupted. “Covers emergency exits and evacuation routes” is the second key phrase: you need appropriate lighting along the path people will take to get out, not just at the exit door. ¹

“Employ and maintain” means assessors can ask two different questions:

1. Design/implementation: Is emergency lighting present and properly placed for the system’s facilities?
2. Operating effectiveness: Do you have proof it is kept functional over time (tests, inspections, repairs, and follow-up)?

Who it applies to (entity and operational context)

PE-12 commonly applies to:

• Federal information systems operated in government facilities. ¹
• Contractor systems handling federal data in contractor-controlled offices, data centers, labs, manufacturing areas, or other facilities housing system components. ¹

Operational contexts you should explicitly scope:

• Company offices with server rooms/network closets supporting the system
• Data centers (owned) and colocation cages/suites
• OT/ICS rooms, labs, secure rooms, and telecom spaces
• Third-party hosted spaces where the third party controls building safety systems (you still need assurance and evidence)

What you actually need to do (step-by-step)

Step 1: Assign ownership and write a one-page procedure

Control owner: Usually Facilities/Corporate Real Estate; Security/GRC owns oversight and evidence.
Create a short “PE-12 Emergency Lighting Procedure” that states:

• Which facilities are in scope for the system
• What “evacuation routes” include (hallways, stairwells, egress corridors, exit doors for the controlled area)
• How you test and how you record results
• How issues are ticketed, repaired, and closed with verification

This is the quickest way to satisfy “mapped to control owner, implementation procedure, and recurring evidence artifacts,” which is the most reliable audit-readiness pattern for PE-12. ¹

Step 2: Define scope with a facility-by-facility inventory

Build an inventory table with at least:

• Facility name/address (or site identifier)
• Areas supporting the system (server room, cage, floors)
• Responsible party (internal Facilities vs. colocation provider)
• Evidence source (internal CMMS/work orders vs. provider compliance portal)

If a third party controls the building, note the contract or assurance mechanism you will use to obtain maintenance and testing records.

Step 3: Create an “Emergency Lighting Coverage Map”

For each in-scope facility (or each controlled area within it), produce or obtain:

• A floor plan annotated with:
  • Emergency lighting fixture locations
  • Emergency exits
  • Primary evacuation routes from the system space to exits
• A short narrative: “Fixtures illuminate route segments A → B → C; exit signage is visible along the path.”

Auditors respond well to diagrams because they connect the requirement’s words (“covers emergency exits and evacuation routes”) to physical reality. ¹

Step 4: Confirm automatic activation behavior

Document how you know the lights activate during power disruption:

• For owned facilities: record the test method (for example, simulated power interruption at the circuit/fixture level, or a building test method approved by Facilities).
• For colocation: obtain a statement of how the provider tests automatic emergency lighting for your area and how you receive results.

Keep this tightly factual. PE-12 does not ask you to prove lux/foot-candle targets; it asks you to show the lighting is automatic and covers routes and exits. ¹

Step 5: Establish recurring inspection/testing and maintenance

Define:

• Who performs checks (Facilities technician, qualified electrician, building management, or third party)
• Where results are recorded (CMMS, ticketing system, inspection checklist)
• How failures are escalated and fixed (work order workflow)
• How you verify closure (re-test evidence or photo evidence)

You can choose the cadence that fits your environment and risk tolerance; PE-12 requires that you maintain the capability and can show it is kept operational. ¹

Step 6: Integrate with your GRC evidence program

Create an evidence request package so you are not chasing artifacts during an assessment:

• “Provide latest emergency lighting inspection/test record(s) for Facility X”
• “Provide open/closed work orders related to emergency lighting for the period”
• “Provide most current evacuation route and emergency lighting coverage map”

Daydream (or any GRC system) becomes useful here because you can assign the Facilities owner, schedule recurring evidence collection, and store the artifacts alongside the control narrative so PE-12 does not turn into a last-minute scavenger hunt. ¹

Required evidence and artifacts to retain

Keep evidence in a form you can produce quickly. A good minimum set:

• PE-12 control narrative in your SSP/control library describing how you meet the requirement. ²
• Control ownership and procedure (one-pager is fine).
• Facility scope inventory (list of in-scope sites and responsible parties).
• Emergency lighting coverage maps (annotated floor plans).
• Inspection/test records (checklists, test logs, or provider reports).
• Maintenance and repair records (tickets/work orders, vendor invoices if relevant).
• Exception records if a space is temporarily non-compliant (risk acceptance, compensating measures, target fix date, closure evidence).

Common exam/audit questions and hangups

Expect these:

• “Show me where emergency lighting covers the evacuation route from the system area to the exits.” Bring the map.
• “How do you know it activates automatically during a disruption?” Bring the test method and results.
• “Who owns this control?” If the answer is “Security,” you may fail operationally; Facilities should be the operator with GRC oversight.
• “What happens when a test fails?” Show tickets, SLA expectations, and closure proof.
• For colocation: “Do you have evidence for your specific space?” Generic provider marketing brochures usually do not satisfy “maintain.”

Frequent implementation mistakes (and how to avoid them)

1. Relying on building code compliance statements instead of records. Avoid: get actual test/maintenance records or attestation that includes your scope and time period.
2. Maps that show exits but not routes. Avoid: mark the full path from the system space to exits, including corridors and stairwells.
3. No proof of automatic activation. Avoid: document the test mechanism and retain the result.
4. Unclear scope for “the system.” Avoid: explicitly tie PE-12 to facilities housing system components or supporting operations.
5. Facilities runs the program, but GRC cannot retrieve evidence. Avoid: schedule evidence pulls and store artifacts centrally with access controls.

Enforcement context and risk implications

No public enforcement cases were provided in the supplied source catalog for PE-12, so this page does not cite specific actions. The risk still matters: emergency lighting failures can increase safety incidents during outages and can become a reportable operational disruption depending on your environment. From an assessment standpoint, PE-12 often fails as an evidence problem rather than an equipment problem: assessors see “installed” but not “maintained.” ¹

Practical 30/60/90-day execution plan

First 30 days (stabilize scope and ownership)

• Name the Facilities owner and GRC point of contact for PE-12.
• Publish the one-page PE-12 procedure and define evidence storage location.
• Build the facility inventory and mark which sites are third-party controlled.
• Request existing emergency lighting records from Facilities/colocation providers.

By 60 days (prove coverage and automatic activation)

• Produce coverage maps for each in-scope facility/area.
• Document automatic activation test approach per site (owned vs. third party).
• Close any obvious gaps: unlit corridor segments, missing fixtures near exits, or missing documentation.

By 90 days (make it repeatable and audit-ready)

• Put inspection/testing on a recurring schedule with assigned performers.
• Ensure the maintenance workflow generates retrievable work orders and closure evidence.
• Run an internal “audit drill”: pick a site and produce the full PE-12 evidence packet within the same business day.
• In Daydream, map PE-12 to the control owner, procedure, and recurring evidence artifacts so collection does not depend on memory. ¹

Frequently Asked Questions

Does PE-12 apply if our system is fully in the cloud?

It can, if you still have facilities that “support the system,” such as network rooms, admin workspaces with dedicated infrastructure, or other on-prem components. If a third party hosts everything, you still need assurance that their facilities meet the emergency lighting expectation for the areas supporting your system. ¹

What counts as “automatic” emergency lighting for PE-12?

Automatic means the lights activate in the event of a power outage or disruption without manual intervention. Your evidence should show the activation behavior through testing records or provider documentation. ¹

Do exit signs alone satisfy PE-12?

Usually no. PE-12 requires emergency lighting that covers emergency exits and evacuation routes, not only the exit signage. Your coverage map should show route illumination, not just labeled doors. ¹

We’re in a shared office building. How do we meet PE-12 if the landlord controls lighting?

Treat the landlord as a third party for this control. Obtain periodic test/maintenance evidence for emergency lighting covering the routes from your system-supporting areas to exits, and retain it with your PE-12 artifacts. ¹

What evidence do assessors ask for most often?

They usually want a clear statement of scope, a map showing coverage of exits and evacuation routes, and recent inspection/test and maintenance records. Missing or stale records is the most common hangup. ¹

How should we document PE-12 in the SSP/control narrative?

State the in-scope facilities, describe how automatic emergency lighting covers exits and routes, and reference where test and maintenance records are stored. Tie the narrative to the procedure, coverage maps, and work-order evidence. ²

Footnotes

1. NIST SP 800-53 Rev. 5 OSCAL JSON

2. NIST SP 800-53 Rev. 5