PE-16: Delivery and Removal

To meet the PE-16: Delivery and Removal requirement, you must implement a controlled, documented process that authorizes and controls items entering and exiting your facility (for example, equipment, media, and packages), with clear approvals, logging, and checks at receiving, shipping, and disposal. Build it like an audit-ready workflow with owners, forms, logs, and recurring evidence. 1

Key takeaways:

  • Treat deliveries and removals as a facility control with security, IT, and operations jointly accountable.
  • Standardize authorization + logging for inbound/outbound items, including exceptions and emergencies.
  • Keep evidence that proves the process runs: logs, approvals, chain-of-custody, and reconciliations.

PE-16 sits in the Physical and Environmental Protection (PE) family in NIST SP 800-53 and focuses on a narrow operational problem: uncontrolled movement of things into and out of a facility creates opportunity for theft, tampering, data exfiltration, and insertion of malicious hardware. The control is short, but execution fails in the seams between teams: facilities manages docks, security manages guards/badging, IT manages assets, and business teams request shipments.

A strong PE-16 implementation looks like a “closed loop.” Someone is authorized to send or receive. The shipment is logged. The package is inspected to the degree your risk profile requires. The asset or media is recorded into inventory or disposal records. Exceptions are approved and documented. Most audit pain comes from partial coverage (only IT assets, not all removals), informal approvals (“Slack ok”), and missing evidence for day-to-day movements.

This page gives requirement-level guidance you can assign to a control owner and operationalize quickly across corporate offices, data centers, colocation cages, warehouses, labs, and any space where federal data or systems are handled.

Regulatory text

Requirement (excerpt): “Authorize and control {{ insert: param, pe-16_prm_1 }} entering and exiting the facility; and” 1

Operator interpretation: You need a defined mechanism to (1) decide who can bring items in or take items out, (2) record and verify that movement, and (3) prevent unapproved entry/exit through dock doors, reception areas, loading bays, and other facility egress points. The text is parameterized in NIST, but the operational expectation is consistent: deliveries and removals must be governed, not informal. 2

Plain-English interpretation (what PE-16 is really asking for)

  • “Authorize” means there is a named approver (role-based is fine) and documented approval criteria for inbound and outbound movement.
  • “Control” means you can enforce the decision at the facility boundary (front desk, security post, shipping/receiving, dock), and you can prove it happened through records.
  • “Entering and exiting” covers both directions and all common paths: mailroom, loading dock, courier pickup, employee carry-out, e-waste removal, and third-party service technicians leaving with replaced parts.

Who it applies to

Entities: Federal information systems and contractor systems handling federal data typically inherit or implement PE controls based on environment and contract requirements. 2

Operational contexts where auditors expect PE-16 coverage:

  • Corporate offices with IT equipment and paper records
  • Data centers (owned or colocation cages)
  • Warehouses, labs, and repair depots
  • Any facility where third parties perform onsite services (maintenance, cleaning, managed print, IT field support)

What “items” should be in scope (practical scoping):

  • IT assets: laptops, servers, network gear, removable drives, spare parts
  • Media: backup tapes, portable storage, paper files scheduled for shredding
  • Packages and pallets: shipments containing controlled equipment or sensitive materials
  • Tools that can introduce risk: contractor toolkits, diagnostics devices, “loaner” hardware

If you have multiple sites, define which facilities are “controlled facilities” under PE-16 and document any carve-outs (for example, small satellite offices) with compensating controls.

What you actually need to do (step-by-step)

Use this as an implementation checklist you can hand to a control owner.

1) Assign ownership and boundaries

  1. Name a PE-16 control owner (often Facilities Security, Physical Security, or Security Operations).
  2. Identify process owners for: shipping/receiving, mailroom, IT asset management, media handling, and e-waste.
  3. Define controlled egress points (doors, docks, reception, courier pickup zones) where enforcement occurs.

Deliverable: a one-page RACI and facility boundary diagram or written description tied to your physical access controls.

2) Define what requires authorization (inbound vs outbound)

Build a simple ruleset that staff can follow:

  • Inbound authorization triggers (examples): deliveries to restricted areas, shipments containing IT assets, direct-to-cage deliveries, third-party equipment brought onsite.
  • Outbound authorization triggers (examples): removal of any IT asset, media, paper records, spare parts, or equipment leaving a restricted area.

Set “default deny” for removals from restricted areas unless pre-approved, and define emergency exceptions (see Step 6).

3) Implement an authorization workflow that works under pressure

Minimum viable workflow:

  1. Requestor submits a ticket/form with: item description, serial/asset tag (if applicable), origin/destination, date/time window, carrier/courier, and business purpose.
  2. Approver validates: requestor identity, destination legitimacy, data/media classification if relevant, and whether sanitization is required before removal.
  3. Security/shipping receives an “approved movement” record to check at the door/dock.

Keep it operationally realistic. If your teams bypass the workflow to get shipments out, your “control” becomes paperwork only.

4) Add logging and chain-of-custody at the facility boundary

Decide where logging is captured:

  • Shipping/receiving log (inbound/outbound)
  • Security desk log for carry-outs
  • IT asset management system for asset moves
  • Media chain-of-custody log for tapes/drives/paper

At minimum, logs should capture:

  • Date/time, facility, entry/exit point
  • Item description and identifiers (asset tag/serial when available)
  • Person releasing and person receiving (or courier tracking reference)
  • Approval reference (ticket/form ID)
  • Any inspection notes or anomalies

5) Build inspection and verification into receiving and removal

Set a risk-based inspection standard that your team can execute consistently:

  • Verify package matches approval (destination, quantity, high-level description)
  • For sensitive asset removals, verify asset tag/serial against inventory record
  • For third-party technicians leaving with parts, verify work order and “parts return” authorization
  • Quarantine and escalate mismatches (wrong recipient, unexpected hardware, damaged tamper seals)

6) Handle exceptions without breaking the control

Define controlled exceptions:

  • Emergency repairs requiring rapid part removal
  • After-hours courier pickups
  • Large moves (office relocations, data center refresh)
  • Executive travel needs (loaner devices)

Rule: exceptions still require documented approval, but you can allow verbal approval with a time-limited written follow-up if your risk posture allows. Document who can grant that exception and where the follow-up is recorded.

7) Reconcile movements to inventory and disposal

PE-16 fails quietly when logs exist but inventory never updates.

  • IT asset removals should reconcile to asset inventory (“transferred,” “disposed,” “sent for repair”).
  • Media removals should reconcile to media inventory and destruction certificates.
  • E-waste pickups should reconcile to certified disposition records.

8) Operationalize recurring evidence (so audits are easy)

A practical cadence:

  • Sample-check logs for completeness (missing approvals, missing identifiers)
  • Review exception usage and trends
  • Test a “reverse trace”: pick an asset disposed last quarter and trace approval → removal log → disposal record
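
The log fields from Step 4, the reconciliation from Step 7, and the sample check and reverse trace above, as an added example (not from NIST or Daydream). All records are constructed, and the field names, ticket IDs, and asset tags are assumptions:

```python
# Added example. All records are constructed; field names are assumptions.
REQUIRED = ("timestamp", "facility", "exit_point", "item", "asset_tag",
            "released_by", "received_by", "approval_id")
# approval_id -> asset the approval covers
APPROVALS = {"REQ-101": {"asset_tag": "LT-0042"}, "REQ-102": {"asset_tag": "SRV-0007"}}
REMOVAL_LOG = [
    {"timestamp": "2024-03-04T10:15", "facility": "HQ", "exit_point": "dock-1",
     "item": "laptop", "asset_tag": "LT-0042", "released_by": "guard-a",
     "received_by": "courier-ref-9931", "approval_id": "REQ-101"},
    {"timestamp": "2024-03-05T18:40", "facility": "HQ", "exit_point": "lobby",
     "item": "server", "asset_tag": "SRV-0007", "released_by": "guard-b",
     "received_by": "ewaste-vendor", "approval_id": ""},  # approval never recorded
    {"timestamp": "2024-03-06T09:05", "facility": "HQ", "exit_point": "dock-1",
     "item": "backup tape", "asset_tag": "TP-0310", "released_by": "guard-a",
     "received_by": "courier-ref-9950", "approval_id": "REQ-999"},  # unknown ticket
]
INVENTORY = {"LT-0042": "sent for repair", "SRV-0007": "in service", "TP-0310": "disposed"}
DISPOSALS = {"TP-0310": "CERT-5512"}  # asset_tag -> destruction certificate
RECONCILED = ("transferred", "disposed", "sent for repair")

def log_findings(log, approvals):
    """Sample-check: incomplete entries and entries that do not tie to an approval."""
    findings = []
    for i, entry in enumerate(log):
        missing = [f for f in REQUIRED if not entry.get(f)]
        if missing:
            findings.append((i, "missing fields: " + ", ".join(missing)))
        approval = approvals.get(entry.get("approval_id"))
        if entry.get("approval_id") and approval is None:
            findings.append((i, "approval not found"))
        elif approval and approval["asset_tag"] != entry.get("asset_tag"):
            findings.append((i, "approval is for a different asset"))
    return findings

def reverse_trace(tag, log, approvals, inventory, disposals):
    """Trace one asset: approval -> removal log -> inventory status -> disposal record."""
    entries = [e for e in log if e.get("asset_tag") == tag]
    status = inventory.get(tag)
    return {
        "removal_logged": bool(entries),
        "approved": any(approvals.get(e.get("approval_id"), {}).get("asset_tag") == tag
                        for e in entries),
        "inventory_updated": status in RECONCILED,
        "disposal_record": disposals.get(tag) if status == "disposed" else None,
    }

if __name__ == "__main__":
    print(log_findings(REMOVAL_LOG, APPROVALS),
          reverse_trace("TP-0310", REMOVAL_LOG, APPROVALS, INVENTORY, DISPOSALS))
```

The tape TP-0310 shows the quiet failure mode: inventory and the destruction certificate look clean, but the removal never ties to a valid approval.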

Daydream fit: If you struggle to keep PE-16 evidence consistent across sites, Daydream can be the system-of-record that maps PE-16 to an owner, procedure, and recurring evidence artifacts so you stop rebuilding the same audit packet every cycle. 1

Required evidence and artifacts to retain

Keep artifacts that prove design and operation.

Design evidence (what the process is):

  • PE-16 procedure (shipping/receiving + carry-out + exceptions)
  • RACI for approvals and enforcement points
  • Scope statement: which facilities, which item types
  • Training or job aids for security desk and shipping/receiving

Operating evidence (proof it ran):

  • Inbound/outbound logs (dock, mailroom, security desk)
  • Approval records (tickets/forms/emails retained in a controlled repository)
  • Chain-of-custody logs for media and sensitive assets
  • Inventory change records tied to removals (asset management exports)
  • Exception register with approvals and post-facto documentation
  • Periodic reconciliation and review sign-offs

Common exam/audit questions and hangups

Auditors and assessors tend to test PE-16 with traceability and edge cases:

  • “Show me how you prevent employees from walking out with equipment.”
  • “How do you validate that outbound shipments were approved?”
  • “What happens after hours or during emergencies?”
  • “How do you handle third-party technicians leaving with replaced parts?”
  • “Can you trace a disposed asset from approval to removal to destruction?”

Hangups that trigger findings:

  • Logs exist but don’t tie to approvals.
  • Approvals exist but aren’t enforced at the door/dock.
  • Control only covers IT assets, not media/paper/e-waste.
  • Colocation environments: unclear shared responsibility between you and the facility operator.

Frequent implementation mistakes (and how to avoid them)

  1. Relying on carrier tracking as your “log.” Tracking proves shipment movement, not authorization or custody. Keep an internal approval reference and release record.
  2. Ignoring removals by third parties. Field techs and facilities contractors can move equipment and parts. Require work-order-based authorization and check-out logs.
  3. No exception governance. “Emergency” becomes the default path. Define who can authorize exceptions and require follow-up documentation.
  4. No reconciliation to inventory. If asset records never change, you cannot prove controlled removal. Tie PE-16 to ITAM and disposal workflows.
  5. Site-by-site improvisation. Standardize minimum requirements, then allow site add-ons. Audits fail on inconsistency more than strictness.

Enforcement context and risk implications

No public enforcement cases are cited here for PE-16, so treat this as an assessment-driven requirement rather than a penalty-cited one. The risk is operational and security-driven: weak delivery/removal controls can enable theft, tampering, and data loss, and can cascade into incident response, reporting obligations, and contract noncompliance. 2

Practical 30/60/90-day execution plan

This plan is built for speed: it focuses on standing up an auditable baseline, then tightening.

First 30 days (baseline you can defend)

  • Appoint control owner and define facility scope and controlled egress points.
  • Publish a minimum PE-16 procedure for inbound/outbound approvals and logging.
  • Stand up a single approval mechanism (ticket/form) and a single log format.
  • Train shipping/receiving and security desk staff on what to check and what to record.

Next 60 days (make it consistent and measurable)

  • Integrate PE-16 steps into IT asset moves, repair RMA flows, and e-waste removal.
  • Add exception register and after-hours handling.
  • Start weekly or monthly spot checks of logs for missing approvals and identifiers.
  • Formalize third-party technician check-out and parts return controls.

Next 90 days (audit-ready with closed-loop reconciliation)

  • Implement reconciliation: removals ↔ asset inventory updates; media removals ↔ chain-of-custody and destruction.
  • Run a tabletop test: simulate an unapproved removal attempt and validate response.
  • Package recurring evidence: procedure, sample logs, exception samples, reconciliation records, and review sign-offs.
  • If evidence collection is fragmented, centralize control mapping and recurring artifacts in Daydream to standardize audit packets across sites. 1

Frequently Asked Questions

Does PE-16 only apply to IT equipment?

No. Treat “delivery and removal” as any controlled item entering or exiting the facility, including media, paper records for shredding, and parts leaving with technicians. Scope it explicitly in your procedure so staff knows what to route through approvals. 2

We’re in a colocation data center. Who owns PE-16 controls?

You usually share responsibility: the colo manages base building docks and access, while you control what enters/exits your cage and what your staff authorizes. Document the split and keep your own authorization and logging for items tied to your systems and data. 2

What’s acceptable evidence if we use email approvals?

Email can work if it is retained, searchable, tied to a specific request, and referenced in the removal log. Auditors will still expect consistent fields (who approved, what item, when, where) and enforcement at the boundary.

How do we handle employees taking laptops home?

Treat it as an authorized removal class with a defined approval rule (for example, assigned asset in inventory to a named employee) and a way to verify it at exit points where you enforce removal controls. If you can’t practically check every exit, document compensating controls and rely on inventory assignment plus monitoring.

Do we need to physically inspect every package?

You need a defined verification step proportional to risk. Many teams inspect and verify identifiers for sensitive assets and media, and do lighter checks for low-risk office supplies. Write down the inspection rules so they’re repeatable.

What’s the fastest way to reduce audit friction for PE-16?

Standardize three artifacts across all sites: one procedure, one approval record format, and one log format that references approvals. Then schedule recurring reviews and keep a ready evidence packet per facility (Daydream can track owners and recurring artifacts). 1

Footnotes

  1. NIST SP 800-53 Rev. 5 OSCAL JSON

  2. NIST SP 800-53 Rev. 5
