PE-13(4): Inspections

PE-13(4): Inspections requires you to schedule and document recurring fire protection inspections for each covered facility, performed by authorized and qualified inspectors, and to track every deficiency through closure within your defined remediation timeframe. Operationalize it by formalizing inspection cadence, qualification criteria, deficiency SLAs, and evidence retention in your physical security and facilities workflows. (NIST SP 800-53 Rev. 5 OSCAL JSON)

Key takeaways:

  • Define inspection frequency and remediation timeframes as explicit, approved parameters for each facility. (NIST SP 800-53 Rev. 5 OSCAL JSON)
  • Use only authorized and qualified fire protection inspectors, and retain proof of qualifications and authorization. (NIST SP 800-53 Rev. 5 OSCAL JSON)
  • Run deficiency management like a security control: ticketing, deadlines, exceptions, and closure evidence. (NIST SP 800-53 Rev. 5 OSCAL JSON)

PE-13(4): Inspections is a requirement-level control enhancement under NIST SP 800-53 Rev. 5 that focuses on one outcome: your facilities’ fire protection posture is routinely checked by competent inspectors, and problems found during those inspections get fixed promptly and provably. The control is operational by nature. Auditors rarely accept “the landlord handles it” or “we passed a building inspection once” unless you can show inspection scope, inspector qualifications, identified deficiencies, and closure records tied to your environment.

For most Compliance Officers, CCOs, and GRC leads, the challenge is not understanding the intent. The challenge is turning a facilities activity (inspections and repairs) into a compliance-grade control with measurable commitments: an inspection cadence, a remediation window, and a consistent evidence trail. Your job is to make this repeatable across sites (data centers, offices, labs, warehouses), and defensible during an assessment of your federal system or contractor environment. (NIST SP 800-53 Rev. 5)

This page gives you a fast path: interpret the requirement in plain English, assign ownership, build the workflow, and collect the exact artifacts assessors ask for.

Regulatory text

Control requirement (excerpt): “Ensure that the facility undergoes [organization-defined frequency] fire protection inspections by authorized and qualified inspectors and identified deficiencies are resolved within [organization-defined time period].” (NIST SP 800-53 Rev. 5 OSCAL JSON)

What the operator must do:

  1. Set the parameters: you define the inspection frequency and the remediation time period (often expressed as an internal SLA) and apply them to covered facilities. (NIST SP 800-53 Rev. 5 OSCAL JSON)
  2. Use qualified inspectors: inspections must be performed by inspectors who are both authorized and qualified; you need to be able to prove that. (NIST SP 800-53 Rev. 5 OSCAL JSON)
  3. Close findings on time: every deficiency identified during inspection must be tracked and resolved within the defined window, or managed through an approved exception path with compensating measures. (NIST SP 800-53 Rev. 5 OSCAL JSON)

Plain-English interpretation (what PE-13(4) really expects)

PE-13(4) expects a working program, not a policy. You are committing to a recurring, evidence-backed loop:

  • Plan: define how often each facility’s fire protection systems and conditions get inspected.
  • Check: run inspections with competent inspectors.
  • Fix: remediate deficiencies quickly, document the fix, and keep proof.

Assessors typically look for two failure modes: (1) inspections happen but don’t map cleanly to your system boundary and facilities, or (2) deficiencies get logged but linger without closure evidence or timely escalation.

Who it applies to (entity and operational context)

Applies to:

  • Federal information systems and the organizations operating them. (NIST SP 800-53 Rev. 5)
  • Contractors handling federal data where NIST SP 800-53 is in scope by contract, authorization boundary, or customer requirement. (NIST SP 800-53 Rev. 5)

Operational context (what “facility” means in practice):

  • Sites that house information system components or support functions: offices with server rooms, data centers, labs, network closets, secure storage, and other locations within your authorization boundary.
  • Leased spaces count if your system operations depend on them; you may share responsibility with a landlord, but you still own the compliance outcome and evidence.

What you actually need to do (step-by-step)

1) Establish control ownership and boundaries

  • Name a control owner in Facilities/Physical Security with a GRC co-owner for evidence and testing.
  • Define facility scope: list each building/site, address, and whether it supports the in-scope system boundary.
  • Assign inspection scope per site: fire alarms, suppression systems, extinguishers, emergency egress, panel access, inspection tags, and any site-specific components your inspectors will evaluate.

Deliverable: a simple “PE-13(4) facility register” owned by Facilities with GRC oversight.

2) Define the two parameters you must supply

PE-13(4) contains two organization-defined parameters you must fill in:

  • Inspection frequency (how often inspections occur). (NIST SP 800-53 Rev. 5 OSCAL JSON)
  • Deficiency remediation timeframe (how quickly you close findings). (NIST SP 800-53 Rev. 5 OSCAL JSON)

Make these explicit in a standard:

  • A single enterprise baseline may work, but many teams set risk-tiered cadences (for example, more frequent checks for data center environments). Keep it simple enough to execute and audit.

3) Set qualification and authorization criteria for inspectors

Create a checklist your team can apply consistently:

  • Authorized: contracted vendor approved by Procurement/Facilities, or an internal resource formally assigned.
  • Qualified: holds relevant certifications, licenses, or documented training appropriate to the jurisdiction and inspection type.

What to collect:

  • Contract/SOW, license numbers where applicable, training attestations, and a named inspector roster tied to each inspection event.

4) Operationalize scheduling and execution

  • Put inspections on a recurring calendar tied to each site and your defined frequency.
  • Require an inspection report that includes date/time, scope, inspector identity, observed deficiencies, and recommended corrective actions.
  • If a site is landlord-managed, require the landlord or building management to provide the inspection reports on your schedule; bake this into lease exhibits or a facilities addendum.

5) Run deficiency management like a control, not a to-do list

Build a workflow that turns each deficiency into a tracked record:

  • Create a ticket per deficiency in your CMMS, GRC tool, or ticketing system.
  • Record: severity, location, affected system, target remediation date (based on your defined timeframe), and owner.
  • Require closure evidence: photos, work order completion notes, retest reports, or updated inspection tags.
  • Add escalation: if a deficiency will miss the deadline, require an exception approval, compensating measure (temporary fire watch, alternate suppression, restricted access), and a new committed date.

6) Test and report control performance

GRC should run a lightweight control test on a recurring basis:

  • Verify inspections occurred as scheduled.
  • Sample deficiencies: confirm they were closed within the defined timeframe or have approved exceptions.
  • Check inspector qualification evidence for sampled events.
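The deficiency workflow in step 5 and the control test in step 6 can be expressed as checks over the records you already keep. The script below is an added example, not code from the page or from Daydream; the facility register, inspector roster, inspection events and tickets are constructed sample data with hypothetical site and ticket identifiers, and the tier parameters (90/30 days for data centers, 365/60 days for offices) are illustrative values standing in for your approved organization-defined parameters.

```python
from datetime import date, timedelta

# --- Constructed sample data (hypothetical sites, inspectors and tickets) ---

# Organization-defined parameters, risk-tiered: days between inspections and
# days allowed to close a deficiency. Values here are illustrative only.
TIERS = {
    "data-center": {"inspection_days": 90, "remediation_days": 30},
    "office": {"inspection_days": 365, "remediation_days": 60},
}

# Facility register: one row per in-scope site.
FACILITIES = [
    {"site": "DC-01", "tier": "data-center"},
    {"site": "OFF-02", "tier": "office"},
    {"site": "OFF-03", "tier": "office"},  # no inspection on record
]

# Inspector roster: authorization and qualification validity windows.
INSPECTORS = {
    "insp-100": {"authorized_until": date(2025, 12, 31), "qualified_until": date(2025, 6, 30)},
    "insp-200": {"authorized_until": date(2025, 12, 31), "qualified_until": date(2026, 12, 31)},
}

# Inspection events as they would be intaken from inspection reports.
INSPECTIONS = [
    {"site": "DC-01", "date": date(2025, 7, 15), "inspector": "insp-100"},  # certification lapsed 2025-06-30
    {"site": "OFF-02", "date": date(2024, 10, 1), "inspector": "insp-200"},
]

# Deficiency tickets: opened/closed timestamps and whether an exception was approved.
DEFICIENCIES = [
    {"id": "T-1", "site": "DC-01", "opened": date(2025, 7, 15), "closed": date(2025, 8, 1), "exception": False},
    {"id": "T-2", "site": "DC-01", "opened": date(2025, 7, 15), "closed": None, "exception": False},
    {"id": "T-3", "site": "OFF-02", "opened": date(2024, 10, 1), "closed": date(2025, 1, 15), "exception": True},
    {"id": "T-4", "site": "OFF-02", "opened": date(2024, 10, 1), "closed": date(2024, 12, 20), "exception": False},
]


def params_for(site):
    """Look up the tier parameters that apply to a site in the facility register."""
    tier = next(f["tier"] for f in FACILITIES if f["site"] == site)
    return TIERS[tier]


def check_inspection_cadence(as_of):
    """Sites whose most recent inspection is missing or older than the defined frequency."""
    missed = []
    for f in FACILITIES:
        dates = [i["date"] for i in INSPECTIONS if i["site"] == f["site"]]
        window = timedelta(days=TIERS[f["tier"]]["inspection_days"])
        if not dates or as_of - max(dates) > window:
            missed.append(f["site"])
    return missed


def check_inspector_qualification():
    """Inspection events whose inspector was not both authorized and qualified on the inspection date."""
    bad = []
    for i in INSPECTIONS:
        r = INSPECTORS.get(i["inspector"])
        ok = r is not None and i["date"] <= r["authorized_until"] and i["date"] <= r["qualified_until"]
        if not ok:
            bad.append((i["site"], i["date"], i["inspector"]))
    return bad


def check_deficiency_closure(as_of):
    """Ticket ids that exceeded the remediation timeframe without an approved exception.

    Open tickets are measured against as_of, so a ticket that is still open past
    its deadline is reported as a breach until an exception is approved.
    """
    breaches = []
    for t in DEFICIENCIES:
        limit = timedelta(days=params_for(t["site"])["remediation_days"])
        end = t["closed"] or as_of
        if end - t["opened"] > limit and not t["exception"]:
            breaches.append(t["id"])
    return breaches


def run_control_test(as_of):
    """Bundle the three checks into one result set for the periodic GRC control test."""
    return {
        "missed_inspections": check_inspection_cadence(as_of),
        "unqualified_inspections": check_inspector_qualification(),
        "remediation_breaches": check_deficiency_closure(as_of),
    }


if __name__ == "__main__":
    for name, items in run_control_test(date(2025, 9, 30)).items():
        print(f"{name}: {items or 'none'}")
```

In practice the three lists would be populated from your CMMS or ticketing export rather than inline literals, and each non-empty result becomes an issue-log entry: a missed inspection is a scheduling failure, an unqualified inspection means the event cannot be relied on as evidence, and a remediation breach is either an escalation (still open) or a control deficiency (closed late with no exception).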

If you use Daydream to manage control operations, map PE-13(4) to a named owner, documented procedure, and a recurring evidence set so inspection artifacts and remediation records are consistently packaged for assessments. (NIST SP 800-53 Rev. 5 OSCAL JSON)

Required evidence and artifacts to retain

Use this as your audit-ready evidence checklist:

Program definition

  • PE-13(4) procedure/standard defining inspection frequency and remediation timeframe. (NIST SP 800-53 Rev. 5 OSCAL JSON)
  • Facility register showing covered sites and inspection scheduling.

Inspector authorization and qualification

  • Contracts/SOWs for third-party inspectors, or internal authorization memo.
  • Inspector qualification proof (licenses, certifications, training records) tied to the inspection period. (NIST SP 800-53 Rev. 5 OSCAL JSON)

Inspection execution

  • Inspection reports[1] with date, scope, inspector, and findings. (NIST SP 800-53 Rev. 5 OSCAL JSON)
  • Work orders generated from findings.

Deficiency remediation

  • Tickets/work orders with timestamps showing open-to-close duration against your defined timeframe. (NIST SP 800-53 Rev. 5 OSCAL JSON)
  • Closure evidence (photos, repair invoices, retest reports, signed acceptance).
  • Exception approvals and compensating measures when deadlines are missed.

Oversight

  • Periodic control test results, issue logs, and management reporting.

Common exam/audit questions and hangups

Questions you should be ready for:

  • “Show me your defined inspection frequency and remediation timeframe, and where leadership approved them.” (NIST SP 800-53 Rev. 5 OSCAL JSON)
  • “Which facilities are in scope for this system boundary, and how do you ensure each one gets inspected?”
  • “How do you verify inspectors are authorized and qualified?”
  • “Pick two recent deficiencies. Show the full path from finding to closure evidence.”
  • “What happens when a deficiency cannot be remediated within your timeframe?”

Typical hangups:

  • Inspection reports exist, but they’re stored with Facilities and not retrievable on demand by GRC.
  • Deficiencies are fixed, but there’s no closure proof or retest documentation.
  • Landlord-managed inspections are assumed, but there’s no contractual right to receive reports on schedule.

Frequent implementation mistakes and how to avoid them

  1. Mistake: Treating a municipal or landlord inspection as sufficient evidence.
    Fix: require the actual reports, not a verbal assurance; store them in your evidence repository with a site identifier.

  2. Mistake: “Qualified inspector” is undefined.
    Fix: document minimum qualifications and keep artifacts per inspector or per firm for the relevant period. (NIST SP 800-53 Rev. 5 OSCAL JSON)

  3. Mistake: Deficiencies tracked in email threads.
    Fix: move to a ticket/work-order system with timestamps and closure evidence, and a simple dashboard for overdue items.

  4. Mistake: One enterprise cadence that doesn’t fit higher-risk facilities.
    Fix: allow risk-tiered parameters, but keep the model small (two or three tiers) so teams execute consistently.

Risk implications (why operators get burned)

PE-13(4) failures usually show up as operational risk first (unavailable facility, safety incident, service disruption) and compliance risk second (control deficiency during assessment). The quickest way to reduce both risks is discipline around deficiency closure: dates, owners, escalation, and evidence.

Practical 30/60/90-day execution plan

First 30 days (stabilize and define)

  • Assign control owner(s) and build the facility register for in-scope sites.
  • Define and approve inspection frequency and remediation timeframe parameters. (NIST SP 800-53 Rev. 5 OSCAL JSON)
  • Identify inspection providers (internal or third party) and collect qualification/authorization proof for current inspectors.

Days 31–60 (execute and instrument)

  • Schedule inspections for each in-scope facility according to your defined cadence.
  • Standardize the inspection report intake process (email alias, portal, or shared repository with naming conventions).
  • Stand up deficiency tracking (tickets/work orders) with required fields and escalation rules.

Days 61–90 (prove and harden)

  • Run at least one full inspection-and-remediation cycle for each facility that is due.
  • Perform a GRC control test: sample inspection events, validate inspector qualifications, trace deficiencies to closure.
  • Fix evidence gaps and tighten contract language for landlord-managed or third-party-managed sites to guarantee report access.

Frequently Asked Questions

Do we have to pick a single inspection frequency for every facility?

No. PE-13(4) requires an organization-defined frequency, and you can define different frequencies by facility type as long as the rule is documented and consistently applied. (NIST SP 800-53 Rev. 5 OSCAL JSON)

What counts as “authorized and qualified” inspectors?

You need documented authorization (contract, assignment) and documented qualifications (licenses, certifications, training, or equivalent proof) appropriate to the inspection scope and jurisdiction. Keep the proof linked to the inspection events you rely on for compliance. (NIST SP 800-53 Rev. 5 OSCAL JSON)

Our landlord handles fire inspections. Are we still responsible?

Yes, for the control outcome. Operationalize this by requiring inspection reports and deficiency status from the landlord/building manager on your schedule, and retaining them as your evidence set.

What if we cannot remediate a deficiency within our defined timeframe?

Treat it as an exception with documented risk acceptance, interim compensating measures, and a committed completion date. Keep approval and progress evidence with the original ticket so an assessor can see governance, not drift.

Can we use a facilities CMMS as the system of record for evidence?

Yes, if it preserves timestamps, attachments, and immutable history. GRC still needs an evidence extraction method so you can produce a complete package quickly during an audit.

How should we map this in our control library and evidence collection?

Map PE-13(4) to a single owner, a written procedure that includes your defined parameters, and a recurring evidence checklist (inspection reports, qualification proof, deficiency tickets, closure evidence). Daydream is typically the simplest way to keep the mapping and recurring evidence requests consistent across sites. (NIST SP 800-53 Rev. 5 OSCAL JSON)

Footnotes

  1. NIST SP 800-53 Rev. 5 OSCAL JSON
