PE-15: Water Damage Protection

PE-15 requires you to protect your information system from water leakage by installing master shutoff or isolation valves, keeping them accessible and functional, and making sure key personnel know where they are and how to use them [1]. Operationalize it by mapping the in-scope spaces, documenting valve locations and access paths, testing operability, and retaining evidence.

Key takeaways:

  • Your “system” is only as resilient as the rooms that support it; scope the physical spaces, not just the servers.
  • Auditors look for three things: accessible valves, working valves, and staff knowledge backed by records [1].
  • Evidence wins: drawings, photos, access control proof, test logs, and training/briefing records.

The PE-15 water damage protection requirement is a small control with outsized operational impact. A minor leak above a network closet can take down authentication, storage, or core networking. For federal systems and contractors handling federal data, this becomes a straightforward but strict expectation: you must have a way to shut off water quickly, and the people who may be on site during an incident must know exactly what to do.

The practical challenge is rarely buying a valve. The challenge is proving that the right valves exist for the right areas, that they can be accessed under real conditions (after hours, during a construction project, behind a locked door), that they work, and that the right people can find them without guessing. PE-15 also creates coordination pressure between Security/GRC, Facilities, the data center or colo provider, and third parties that manage building systems.

This page gives requirement-level implementation guidance you can execute quickly: who owns what, how to scope and document, what “accessible” means in audit terms, what evidence to retain, and how to set up recurring checks so the control keeps passing without heroics.

Regulatory text

Requirement (PE-15): “Protect the system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel.” [1]

What the operator must do (in audit terms):

  1. Provide master shutoff or isolation valves for water lines that could leak into system-supporting spaces.
  2. Keep valves accessible (not blocked, not behind unknown locks, not dependent on a single person).
  3. Keep valves working properly (demonstrated through inspection/testing and corrective maintenance).
  4. Ensure valves are known to key personnel (documented awareness, training, and/or quick-reference procedures).

All four elements are explicit in the control statement [1].

Plain-English interpretation

PE-15 expects “time-to-stop-water” to be short and predictable. If water leaks near your system, you should be able to isolate the water supply to that area fast, without improvisation, and without waiting for a specialist who is unreachable.

Who it applies to

Entities

  • Federal information systems implementing NIST SP 800-53 controls [2].
  • Contractors and service providers handling federal data where NIST SP 800-53 is flowed down contractually or used as the control baseline [2].

Operational contexts (most commonly in scope)

  • On-prem data centers, MDF/IDF rooms, server rooms, network closets.
  • Office environments with “IT closets” that host critical network/security gear.
  • Colocation spaces where you control cages/suites but building water infrastructure is shared.
  • Cloud environments only to the extent you still operate physical locations for endpoints, networking, build rooms, media storage, or identity infrastructure. (PE-15 is a physical/environmental control; for pure SaaS workloads, your focus shifts to your cloud provider’s physical controls and your own office/edge footprint.)

What you actually need to do (step-by-step)

Step 1: Assign ownership and define the system-relevant spaces

  • Control owner (accountable): typically Facilities or Data Center Operations, with Security/GRC owning evidence quality.
  • Define the in-scope spaces: any room where loss of availability, confidentiality, or integrity would materially impact the system (examples: core network, storage, backups, HSMs, identity, monitoring).

Output: “PE-15 scope statement” listing buildings/rooms and who controls them (your org vs landlord/colo).

Step 2: Build a water exposure map for each in-scope space

For each room/area, document:

  • Water sources above/adjacent (restrooms, kitchens, HVAC condensate lines, sprinkler mains, chilled water lines, building risers).
  • Floor drains, sump pits, leak detection (if present), and known historical issues (if you have them).
  • Whether you have a local isolation valve for that branch, and where the master shutoff is located.

Tip for speed: Start with a marked-up floor plan and a site walk. Your first pass can be “good enough” if you capture water lines and shutoffs that directly affect system rooms.

Output: Water exposure map (diagram + notes) per site.

Step 3: Validate the valve type and coverage

PE-15 allows master shutoff or isolation valves [1]. Decide what is appropriate:

  • Isolation valve preferred where shutting off the whole building is disruptive or unsafe.
  • Master shutoff acceptable where isolation is not feasible, as long as the shutoff protects the system area and can be accessed fast.

Decision check (document it):

  • If shutting off water affects life safety systems or critical building functions, document coordination and escalation steps, and ensure there is a safer isolation strategy where possible.

Step 4: Make “accessible” real (keys, paths, and after-hours access)

“Accessible” fails most often due to operational friction. Validate:

  • The valve is not blocked by storage, construction, or locked cages without an access plan.
  • Access method is defined: badge access, lockbox, key control, or escorted access.
  • After-hours access works: on-call staff can reach the valve without waiting for a landlord contact.

Operational standard (write it down):

  • “Valve access path must be unobstructed.”
  • “At least two roles can obtain access during an incident.”
  • “Emergency contact list includes Facilities and Security on-call.”

Output: Valve accessibility checklist + access control evidence (see “Artifacts” below).

Step 5: Prove it “works properly” with inspections and corrective actions

PE-15 explicitly requires valves to be “working properly” [1]. Implement:

  • A recurring inspection/test procedure (exercise valves per Facilities best practice and building constraints).
  • A work order path for stuck valves, missing tags, corrosion, or blocked access.
  • A change trigger: renovations, plumbing work, or room repurposing requires re-validation.

Output: Valve test/inspection log + maintenance tickets.

Step 6: Make valves “known to key personnel”

This is not a “post a sign and hope” requirement. Identify key personnel:

  • Facilities on-call, site security, data center ops, IT on-call, incident commander role.
  • For colocation: your on-call plus provider’s operations desk.

Then provide:

  • A one-page job aid: valve locations, photos, access steps, and escalation.
  • A briefing/training record: onboarding and annual refresh for the named roles.
  • An incident runbook step: “If water leak in/near system room, shut off/isolate water per PE-15 job aid and open incident ticket.”

Output: Training/briefing roster + runbook excerpt.

Step 7: Integrate third parties (landlord, colo, managed facilities)

If a third party controls valves:

  • Put PE-15 expectations into the contract/SOW: accessibility, operability checks, and notification.
  • Obtain evidence on a cadence: inspection attestation, photos, or provider procedure excerpts.
  • Test the escalation path during an incident tabletop: “Who shuts off water and how fast can they access the valve?”

Where Daydream fits: Use Daydream to assign control ownership, map PE-15 to each site and third party, and track recurring evidence requests so you are not rebuilding the package for every assessment.

Required evidence and artifacts to retain

Keep evidence tied to each site/space. Auditors want traceability from requirement → implementation → operating effectiveness.

Minimum evidence pack (practical list):

  • Scope & ownership
    • PE-15 scope statement (sites/rooms in scope; owner; alternates).
  • Valve inventory
    • Valve list: ID, type (master/isolation), location, which area it protects, access method.
    • Marked-up floor plan and/or as-built drawing showing valve locations.
    • Photos: valve, surrounding area (shows accessibility), signage/tagging.
  • Accessibility proof
    • Access control method description (badge group, lockbox procedure, escort procedure).
    • On-call roster and escalation contacts.
  • Operability proof
    • Inspection/test logs (date, performer, results).
    • Maintenance/work orders for issues found and closure evidence.
  • Knowledge proof
    • Job aid/runbook with version control.
    • Training/briefing records: attendees, date, content covered.
  • Third-party evidence (if applicable)
    • Contract/SOW clause excerpt or provider procedures.
    • Provider inspection attestation and incident contact process.

Common exam/audit questions and hangups

Use these to pre-brief Facilities and avoid surprises.

  • Auditor question: “Show me where the shutoff valve is for this server room.”
    What they’re really testing: specificity, not a vague “Facilities knows.”
    How to answer (with evidence): provide floor plan + photo + valve ID and walk them to it.
  • Auditor question: “Is it accessible right now?”
    What they’re really testing: no blocked access.
    How to answer (with evidence): provide the accessibility checklist and show the clear path; include photos.
  • Auditor question: “How do you know it works?”
    What they’re really testing: operating effectiveness.
    How to answer (with evidence): provide the inspection/test log and maintenance tickets.
  • Auditor question: “Who knows how to shut off water?”
    What they’re really testing: knowledge + continuity.
    How to answer (with evidence): provide the job aid + training roster + on-call roles.
  • Auditor question: “What about your colo/landlord-controlled spaces?”
    What they’re really testing: third-party dependency.
    How to answer (with evidence): provide contract/SOW terms and provider evidence + escalation procedure.

Frequent implementation mistakes (and how to avoid them)

  1. Counting sprinklers as “water damage protection.” PE-15 is about stopping unwanted water leakage, not fire suppression design [1].
    Fix: Document shutoffs/isolation valves for plumbing and relevant water lines.

  2. Valve exists, but nobody can access it. Locked rooms, missing keys, or reliance on a single facilities manager breaks “accessible.”
    Fix: Formalize access paths and test after-hours entry.

  3. No proof of operability. A corroded valve that hasn’t been exercised fails “working properly.”
    Fix: Add inspections/tests and keep logs plus corrective maintenance records.

  4. “Known to key personnel” treated as tribal knowledge.
    Fix: Identify roles, train them, and retain attendance records and job aids.

  5. Scope stops at “the data center,” ignoring IDFs and network closets.
    Fix: Tie scope to critical system components, not room labels.

Risk implications and enforcement context

NIST SP 800-53 is a control framework, not a regulator. PE-15 gaps usually surface in assessments, ATO packages, contract compliance reviews, and customer audits rather than standalone “water valve enforcement.” The operational risk is straightforward: water events can drive system downtime, hardware loss, media damage, and recovery complexity. The compliance risk is also straightforward: the control text is explicit about accessible, working valves and personnel awareness [1]. Missing evidence commonly becomes a finding even if you believe facilities “would handle it.”

Practical 30/60/90-day execution plan

First 30 days: Establish scope, inventory, and obvious gaps

  • Name the PE-15 owner and backup; document RACI.
  • Identify all in-scope rooms and walk each site.
  • Produce a first-pass valve inventory with photos and access notes.
  • Fix obvious accessibility issues (blocked valves, missing labels) via work orders.
  • Draft the one-page job aid and add it to the incident runbook.

Next 60 days: Prove operability and staff knowledge

  • Start valve inspection/testing and capture results in a log.
  • Create a corrective action workflow for failed tests and track closure.
  • Run targeted briefings for on-call roles; capture training records.
  • For third parties, request evidence and document escalation procedures.

Next 90 days: Make it repeatable and assessment-ready

  • Implement a recurring evidence calendar (inspection logs, training refresh, third-party attestations).
  • Add change triggers: remodels, plumbing work, new leases, room repurposing.
  • Run a tabletop: water leak near a system room, including “who shuts off what, how do they get in, and who approves.”
  • Centralize artifacts in your GRC system (Daydream works well when you need control-to-evidence mapping and recurring evidence collection across sites and third parties).

Frequently Asked Questions

Does PE-15 apply if we are “cloud-only”?

It applies to the physical spaces you still operate that support the system (network closets, offices with critical gear, media storage). For cloud provider facilities, treat it as a third-party dependency and obtain provider evidence where your contract allows.

What counts as “key personnel” for “known to key personnel”?

Include anyone expected to respond to facilities incidents or system outages: Facilities on-call, site security, data center ops, and the incident commander role. Document the roles and keep training or briefing records tied to those roles.

Can a building master shutoff meet the requirement?

Yes, the control allows master shutoff or isolation valves [1]. Document why a master shutoff is used, how to access it quickly, and the operational impact so incident responders can make the right call.

How do we prove the valves are “working properly” without causing disruption?

Use a documented inspection/testing procedure coordinated with Facilities and the building owner. Keep logs of what was tested, observed condition, and any maintenance actions taken.

Our colocation provider controls the valves. Are we automatically noncompliant?

No, but you must manage it as a third-party control dependency. Contract for response/access expectations, maintain escalation contacts, and retain provider evidence that valves exist, are accessible to authorized responders, and are maintained.

What evidence do auditors ask for most often?

Floor plans or diagrams, photos of valves and access paths, inspection/test logs, and proof that on-call staff know where the valves are and how to access them. If any one of those is missing, you risk a documentation-based finding even if the hardware exists.

Footnotes

  [1] NIST SP 800-53 Rev. 5 OSCAL JSON
  [2] NIST SP 800-53 Rev. 5
