PE-18(1): Facility Site

PE-18(1): Facility Site requires you to select, evaluate, and document where facilities that support your system are located so site-specific risks (natural hazards, nearby threat activity, infrastructure dependencies) are identified and treated before they impact availability, confidentiality, or integrity. Operationalize it by defining site-selection criteria, performing a site risk assessment for each covered location, and retaining evidence of decisions and compensating controls. (NIST SP 800-53 Rev. 5 OSCAL JSON)

Key takeaways:

  • Treat “facility site” as a risk decision: document why each location is acceptable for the system’s mission and data. (NIST SP 800-53 Rev. 5)
  • Build a repeatable workflow: criteria → assessment → decision → mitigations → re-review trigger. (NIST SP 800-53 Rev. 5 OSCAL JSON)
  • Evidence wins audits: site risk assessments, approval records, and implemented mitigations must be easy to produce. (NIST SP 800-53 Rev. 5)

The PE-18(1) facility site requirement sounds like a facilities-management topic until you have a real incident: floodplain exposure that was never assessed, a critical site dependent on a single power substation, or a leased suite where you cannot install required physical controls. This control enhancement exists to force a deliberate decision about where the system “lives” and what environmental and geographic risks come with that decision. (NIST SP 800-53 Rev. 5)

For a Compliance Officer, CCO, or GRC lead, the fastest path is to convert PE-18(1) into a small number of artifacts that are continuously maintainable: documented site selection criteria, a site risk assessment template, a register of covered sites, and a decision record that ties risks to mitigations and acceptance. Do not overbuild it. Your goal is to show that facility locations were chosen with known risks, controls were implemented or planned, and leadership accepted residual risk in a traceable way. (NIST SP 800-53 Rev. 5 OSCAL JSON)

If you support federal systems or contractor systems handling federal data, auditors will look for proof that “site” was evaluated as part of the authorization boundary, not as an informal real-estate choice. (NIST SP 800-53 Rev. 5)

What PE-18(1) means in plain English

The PE-18(1) facility site requirement expects you to evaluate the physical location(s) that house or support your information system and to make an explicit, documented decision that the site risks are acceptable or mitigated. “Facility site” is about location-driven threats and dependencies: natural hazards, civil disturbances, proximity risks, infrastructure resilience, and any constraints the site places on required physical or environmental controls. (NIST SP 800-53 Rev. 5 OSCAL JSON)

Your deliverable is not a narrative. It is a repeatable method that answers:

  • Which sites are in scope for the system?
  • What location-specific risks exist at each site?
  • What controls mitigate those risks?
  • Who approved the site decision and any residual risk? (NIST SP 800-53 Rev. 5)

Regulatory text

Provided excerpt: “NIST SP 800-53 control PE-18.1.” (NIST SP 800-53 Rev. 5 OSCAL JSON)

Operator interpretation: Because the excerpt in your source catalog is abbreviated, operationalize PE-18(1) by implementing a documented facility-site risk evaluation and decision process mapped to the system boundary and authorization package. Your assessors will still expect a tangible method, records of assessments, and evidence that identified site risks were mitigated or formally accepted. (NIST SP 800-53 Rev. 5)

Who it applies to

Entity scope

  • Federal information systems.
  • Contractor systems handling federal data where NIST SP 800-53 is flowed down through contract, agency policy, or an authorization framework. (NIST SP 800-53 Rev. 5)

Operational scope (what “sites” usually means)

Include any location that materially supports system operation or stores/processes system data, such as:

  • Primary data centers, server rooms, network closets.
  • Alternate processing sites and disaster recovery facilities.
  • Warehouses or staging areas holding system components with sensitive configurations.
  • Colocation spaces and leased suites where your organization operates physical IT assets.
  • Third-party facilities when you rely on them for critical system hosting (even if the third party owns the building). Treat this as third-party due diligence plus site-risk evaluation. (NIST SP 800-53 Rev. 5)

What you actually need to do (step-by-step)

1) Name a control owner and define the system-to-site inventory

Assign a single accountable owner (often Facilities Security, Physical Security, or Security Engineering) and a GRC coordinator who can produce evidence on demand. Create or update an inventory that maps:

  • System authorization boundary → addresses/locations → function (primary, DR, office comms room) → third party vs. owned. (NIST SP 800-53 Rev. 5)

Practical tip: Audits fail when the site list is tribal knowledge. Put it in your CMDB, GRC tool, or SSP annex and treat changes as a control-impacting event. (NIST SP 800-53 Rev. 5)

2) Define site selection and acceptance criteria (one page)

Write criteria that make a site “eligible” and “acceptable” for this system. Keep it specific enough to evaluate, but stable enough to reuse. Typical criteria categories:

  • Natural hazard exposure and environmental history (flood, wildfire, seismic, hurricane, extreme heat).
  • Critical infrastructure dependencies (power, telecom diversity, water for cooling if applicable).
  • Proximity risks (adjacent tenants, high-crime areas, hazardous materials, public access patterns).
  • Response capabilities (fire suppression suitability, local emergency response, access for your staff).
  • Control feasibility constraints (whether you can install required physical access controls, CCTV, logging, and visitor management). (NIST SP 800-53 Rev. 5)

3) Run a site risk assessment for each in-scope facility

Use a consistent template. For each site, document:

  • Site description and role for the system.
  • Identified threats and plausible failure modes tied to the location.
  • Existing mitigations (physical, environmental, architectural, operational).
  • Residual risk statement and decision: accept, mitigate, avoid (relocate), or transfer (contractual/insurance where appropriate). (NIST SP 800-53 Rev. 5 OSCAL JSON)

Make it operational: tie each risk to a ticket, project, or control implementation record. If you cannot mitigate quickly, document interim compensating controls. (NIST SP 800-53 Rev. 5)

4) Implement mitigations and record completion

Common mitigation types include:

  • Power resilience: UPS/generator testing evidence, dual power feeds where available, runtime calculations where relevant.
  • Telecom resilience: diverse carriers/entrances, documented failover tests.
  • Physical protections: perimeter controls, mantraps, badge enforcement, visitor escort rules, camera coverage.
  • Environmental controls: HVAC monitoring, leak detection, fire detection/suppression appropriateness, temperature/humidity alerting.
  • Location risk mitigation: relocate critical functions away from known hazard exposure, or use alternate processing sites with tested failover. (NIST SP 800-53 Rev. 5)

Do not list mitigations you do not control. For third-party sites, the mitigation is often contractual plus assurance evidence (attestations, reports, right-to-audit clauses) and documented acceptance of what you cannot change. (NIST SP 800-53 Rev. 5)

5) Add triggers for re-review (so the control stays alive)

Define events that force a re-assessment:

  • Facility move, remodel, or lease change that affects control feasibility.
  • Significant incident (flooding near site, extended power outage, civil disruption near facility).
  • Material system change (increased criticality, data type change, boundary expansion to new rooms). (NIST SP 800-53 Rev. 5)

6) Map to your governance artifacts (SSP, risk register, POA&M)

Auditors want to see linkage:

  • SSP: where the system operates and how physical/environmental controls are met.
  • Risk register: site risks with owners and treatment decisions.
  • POA&M: open items tied to site mitigations with milestones and closure evidence. (NIST SP 800-53 Rev. 5)

Where Daydream fits naturally: Daydream can track PE-18(1) as a requirement with a control owner, implementation procedure, and recurring evidence artifacts so re-assessments do not depend on individual memory. (NIST SP 800-53 Rev. 5 OSCAL JSON)

Required evidence and artifacts to retain

Maintain evidence in a form you can hand to an assessor quickly:

  • Facility site inventory for the system boundary (locations, roles, ownership).
  • Site selection/acceptance criteria approved by Security and relevant leadership.
  • Site risk assessment per facility, with risks, mitigations, and residual risk decisions.
  • Approval records (risk acceptance memo, meeting minutes, sign-off in GRC workflow).
  • Mitigation evidence: work orders, photos of installed controls where appropriate, monitoring screenshots, test records, maintenance logs.
  • Third-party artifacts (if applicable): contract clauses, shared responsibility matrix, assurance reports or audit summaries you are entitled to retain.
  • Re-review triggers and change records showing the process fires when sites or system needs change. (NIST SP 800-53 Rev. 5)

Common exam/audit questions and hangups

Assessors often probe:

  • “Show me the list of facilities in the authorization boundary. How do you know it’s complete?”
  • “Where is your documented basis for selecting this site?”
  • “What location-specific hazards did you evaluate, and where are the results?”
  • “Which risks are accepted, by whom, and where is the sign-off?”
  • “How do you reassess when conditions change or when you add a new site?” (NIST SP 800-53 Rev. 5)

Hangup to expect: teams confuse “we have building security” with “we assessed location risk.” PE-18(1) wants the decision logic and evidence trail, not only the presence of controls. (NIST SP 800-53 Rev. 5)

Frequent implementation mistakes (and how to avoid them)

  1. No defined scope of “site.”
    Fix: tie sites to the system boundary and business continuity dependencies; document what is excluded and why. (NIST SP 800-53 Rev. 5)

  2. A one-time assessment that never gets refreshed.
    Fix: add change triggers and assign an owner who is notified on moves, lease changes, and major outages. (NIST SP 800-53 Rev. 5)

  3. Third-party sites treated as out of scope.
    Fix: include them as shared-responsibility sites; document what you can verify and what you accept contractually. (NIST SP 800-53 Rev. 5)

  4. Mitigations described but not evidenced.
    Fix: require closure artifacts (tickets, test results, maintenance logs) before marking risks as treated. (NIST SP 800-53 Rev. 5 OSCAL JSON)

  5. Risk acceptance with no accountable approver.
    Fix: define who can accept facility site risk by impact level and require a recorded decision. (NIST SP 800-53 Rev. 5)

Enforcement context and risk implications

No public enforcement cases are provided in your source catalog for this requirement, so treat “enforcement” as audit and authorization risk rather than a penalty-driven requirement. The operational risk is real: poor site choices show up as availability incidents, safety issues, and inability to meet physical control expectations because the facility cannot support them. For federal work, weak PE-18(1) evidence commonly becomes an assessment finding, delays authorization, or increases continuous monitoring scrutiny. (NIST SP 800-53 Rev. 5)

Practical 30/60/90-day execution plan

Because the data provided does not include prescribed timelines, treat these phases as sequencing rather than mandatory durations.

Immediate (stabilize and define)

  • Assign control owner and GRC coordinator; document RACI for Facilities/Security/IT.
  • Build the in-scope site inventory tied to the system boundary.
  • Draft site selection and acceptance criteria; route for approval. (NIST SP 800-53 Rev. 5)

Near-term (assess and decide)

  • Complete a site risk assessment for each facility.
  • Record risk treatment decisions and required mitigations in the risk register and POA&M.
  • For third-party sites, document shared responsibility and collect available assurance evidence. (NIST SP 800-53 Rev. 5)

Ongoing (operate and re-validate)

  • Implement mitigations and retain closure evidence.
  • Add re-review triggers into change management (facilities moves, major incidents, boundary changes).
  • Run periodic internal checkups to confirm evidence is current and retrievable. Daydream-style evidence mapping keeps this from becoming a scramble before audits. (NIST SP 800-53 Rev. 5 OSCAL JSON)

Frequently Asked Questions

What counts as a “facility site” for PE-18(1)?

Any physical location that materially supports the system’s operation or stores/processes system data should be evaluated as a site. Include owned facilities and relevant third-party facilities where your system depends on the location. (NIST SP 800-53 Rev. 5)

Do we need a separate site risk assessment for every office?

Focus on sites that host system components or perform critical system functions. If an office has no system infrastructure and no sensitive processing, document the rationale for excluding it from the PE-18(1) site list. (NIST SP 800-53 Rev. 5)

How do we handle cloud or SaaS where we don’t control the facility?

Treat the provider’s hosting locations as third-party sites and document shared responsibility, contractual commitments, and whatever assurance artifacts you can obtain. Record residual risks you cannot mitigate directly and the approver who accepted them. (NIST SP 800-53 Rev. 5)

What evidence is most persuasive to an assessor?

A complete site inventory tied to the authorization boundary, a repeatable site assessment template with completed assessments, and decision records that link risks to mitigations or acceptance. Closed-loop mitigation evidence (tickets, test records) prevents “paper compliance.” (NIST SP 800-53 Rev. 5)

Who should sign off on residual facility site risk?

Define an internal risk acceptance authority aligned to your governance model (often the system owner and security leadership). The key is a recorded, attributable decision that matches your stated criteria. (NIST SP 800-53 Rev. 5)

How do we keep PE-18(1) current without creating constant work?

Use event-based triggers tied to change management and incident management rather than frequent scheduled reassessments. Store evidence and tasks in a system of record so updates happen as part of normal operational workflows. (NIST SP 800-53 Rev. 5)

