PE-20: Asset Monitoring and Tracking

The PE-20 asset monitoring and tracking requirement means you must use defined monitoring methods to track and monitor the location and movement of specified assets within a defined facility or area. To operationalize it fast, decide which assets are in scope, define the monitored boundary, implement a tracking method, and retain logs plus reconciliation evidence that proves assets can’t move without detection.

Key takeaways:

  • Define three things first: tracking method, asset scope, and facility boundary.
  • Build the process around exceptions: moves, removals, transfers, and missing-asset response.
  • Auditors look for repeatable evidence: inventories, movement logs, and reconciliations tied to tickets.

PE-20 sits in the Physical and Environmental Protection (PE) family in NIST SP 800-53 Rev. 5 and focuses on a practical problem: assets move, and untracked movement becomes data loss, system compromise, or an incident reporting event. The control is intentionally parameterized; you choose (1) how you track, (2) what you track, and (3) where tracking applies. That flexibility is useful, but it also creates audit risk if you never write down those parameters or you track “everything” loosely with no operational rigor.

For a CCO, GRC lead, or Compliance Officer, the fastest path is to treat PE-20 like an operational requirement with a clear boundary: “Within these facilities/areas, these assets must be tracked by these methods, with these records retained.” Then build a small set of procedures that make movement visible: check-in/check-out, chain-of-custody for removals, and periodic reconciliation against an authoritative asset inventory. Your goal is simple to state and hard to fake: you should be able to answer “Where is asset X, and when did it move?” with evidence.

Regulatory text

NIST control requirement (excerpt): “Employ {{ insert: param, pe-20_odp.01 }} to track and monitor the location and movement of {{ insert: param, pe-20_odp.02 }} within {{ insert: param, pe-20_odp.03 }}.” 1

Operator interpretation: You must (a) define the tracking/monitoring methods you will use, (b) define the assets covered, and (c) define the facility/area boundary where you will track movement. Then you must operate the control so asset location and movement are actually monitored, not just “recorded once at purchase.” 2

Plain-English interpretation of the requirement

PE-20 requires a working system that detects, records, and supports investigation of asset movement inside your controlled space. “Assets” can include IT equipment (servers, laptops), removable media, network gear, specialized devices, or high-impact components tied to system authorization. “Within” means a defined physical boundary: a data center floor, a locked cage, a wiring closet, a lab, or an office suite.

If an asset can walk out of the boundary without a record, PE-20 is not operating. If you can’t prove where it is or when it moved, PE-20 is not testable.

Who it applies to (entity and operational context)

PE-20 commonly applies to:

  • Federal information systems and the organizations operating them under NIST SP 800-53 2.
  • Contractor systems handling federal data, including service providers and integrators, where physical assets support the authorized system boundary 2.

Operationally, this hits:

  • Data centers and colocation cages you control.
  • Corporate offices where endpoints or sensitive equipment are staged.
  • Labs, repair benches, and “IT storage rooms” where assets frequently change hands.
  • Shipping/receiving and depot workflows, especially for returns and replacements.

What you actually need to do (step-by-step)

Use this sequence to stand up PE-20 quickly and make it auditable.

1) Set the PE-20 parameters (write them down)

Document three parameters explicitly:

  1. Tracking method(s) (pe-20_odp.01): examples include barcode + scanning workflow, RFID, asset agent with geolocation for endpoints, badge-controlled storage logs, or a combination.
  2. Asset scope (pe-20_odp.02): pick categories that matter to your system boundary and threat model (servers, network devices, backup media, admin laptops, HSMs, etc.).
  3. Facility boundary (pe-20_odp.03): name buildings, rooms, cages, or controlled areas.

Deliverable: a short “PE-20 Control Statement” that auditors can test against, mapped to a control owner and procedure 1.

2) Establish the authoritative asset inventory

You need one system of record for in-scope assets:

  • Unique asset identifier (tag ID + serial number).
  • Asset type/category and system association (authorized boundary mapping).
  • Current owner/custodian (person or team).
  • Current location (site/building/room/rack or logical location where appropriate).
  • Status (in service, in storage, in transit, disposed).

If you already have a CMDB, make sure it’s accurate for physical assets. If you don’t, start with a controlled spreadsheet only as a bridge, then move to a tool with workflow and audit trails.

3) Implement movement control points (where tracking happens)

Define “movement events” that must generate a record:

  • Check-in/check-out from storage.
  • Moves between rooms, cages, or racks.
  • Transfers between custodians (IT to employee, employee to repair vendor, etc.).
  • Shipment events (outbound/inbound), including RMA and disposal pickups.

For each event, require:

  • Who approved the move.
  • Who executed the move.
  • Time/date.
  • From-location and to-location.
  • Ticket/work order reference (so movement is tied to a business reason).

4) Integrate physical security and IT workflows

PE-20 is stronger when your tracking method is tied to access control:

  • If you have badge access logs for a cage/room, align them with movement tickets.
  • Restrict who can move assets by role (IT ops, data center techs).
  • Require escorts or dual-control for high-sensitivity assets if your risk posture calls for it.

You are building defensibility: “If an asset moved, we can show the authorized workflow and the physical access context.”

5) Create an exception and missing-asset process

Define what happens when:

  • A tag is missing or unreadable.
  • A device is found in the wrong location.
  • A move happened without a ticket.
  • An asset can’t be located.

Minimum elements:

  • Triage steps (search, validate records, check recent access).
  • Escalation path (security, IT, incident response).
  • Documentation requirements and closure criteria (inventory corrected, root cause recorded).

6) Reconcile and test the control on a schedule

Auditors expect ongoing operation, not one-time setup. Run periodic reconciliations:

  • Physical spot checks in controlled areas.
  • Inventory-to-floor and floor-to-inventory checks.
  • Review of movement logs for completeness (moves without approvals; approvals without updates).

Keep reconciliation evidence; it is the easiest way to prove ongoing monitoring and tracking.
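The checks in steps 3 and 6 (movement records with approvals, inventory-to-floor and floor-to-inventory comparison, and log completeness review) can be scripted once the inventory and movement log are exported. The following is an added example, not code from the page or from any tool it mentions; the record fields, asset IDs, locations and tickets are constructed sample data, and the "area/rack" location format is an assumption.

```python
from collections import defaultdict

# Constructed sample data (assumed field names; not from the page).
INVENTORY = {  # asset_id -> record in the authoritative system of record
    "A-1001": {"custodian": "dc-ops", "location": "CAGE-3/RACK-07", "status": "in service"},
    "A-1002": {"custodian": "dc-ops", "location": "CAGE-3/RACK-08", "status": "in service"},
    "A-1003": {"custodian": "it-am", "location": "STORE-B", "status": "in storage"},
    "A-1004": {"custodian": "dc-ops", "location": "CAGE-3/RACK-09", "status": "in service"},
    "A-1009": {"custodian": "it-am", "location": "DISPOSED", "status": "disposed"},
}
FLOOR_SCAN = {  # asset_id -> location scanned during a spot check of CAGE-3 and STORE-B
    "A-1001": "CAGE-3/RACK-07",
    "A-1002": "STORE-B",         # inventory still says RACK-08, no approved move
    "A-1004": "STORE-B",         # matches an approved move the inventory never applied
    "A-1005": "CAGE-3/RACK-10",  # tag found on the floor, never entered in inventory
}
MOVEMENT_LOG = [  # one record per movement event, carrying the step-3 fields
    {"asset": "A-1002", "from": "CAGE-3/RACK-08", "to": "STORE-B",
     "ticket": "", "approved_by": "", "executed_by": "tech2", "time": "2024-05-02T10:04"},
    {"asset": "A-1004", "from": "CAGE-3/RACK-09", "to": "STORE-B",
     "ticket": "CHG-221", "approved_by": "j.lee", "executed_by": "tech1", "time": "2024-05-03T15:30"},
]

def reconcile(inventory, floor_scan, log, areas):
    """Return {finding_type: sorted asset ids} for the areas covered by the spot check."""
    findings = defaultdict(set)
    # Expected location = inventory location, overridden by any approved move.
    expected = {a: r["location"] for a, r in inventory.items()}
    for rec in sorted(log, key=lambda r: r["time"]):
        if not (rec["ticket"] and rec["approved_by"]):
            findings["move_without_approval"].add(rec["asset"])  # no business justification
            continue  # an unapproved move does not change where the asset should be
        if rec["asset"] in inventory and inventory[rec["asset"]]["location"] != rec["to"]:
            findings["approval_without_update"].add(rec["asset"])  # record never applied
        expected[rec["asset"]] = rec["to"]
    for asset, rec in inventory.items():
        if rec["status"] == "disposed" or expected[asset].split("/")[0] not in areas:
            continue  # only test assets expected inside the scanned areas
        if asset not in floor_scan:
            findings["not_located"].add(asset)  # inventory-to-floor failure
        elif floor_scan[asset] != expected[asset]:
            findings["wrong_location"].add(asset)
    for asset in floor_scan:
        if asset not in inventory:
            findings["unknown_on_floor"].add(asset)  # floor-to-inventory failure
    return {k: sorted(v) for k, v in findings.items()}
```

Each finding type maps to a step-5 exception path; the output is the discrepancy list an assessor expects to see attached to the reconciliation report together with its remediation.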

7) Map ownership, procedure, and recurring evidence (make it sustainable)

Assign:

  • Control owner: accountable for design and operation.
  • Operators: data center ops, IT asset management, security.
  • Evidence cadence: what is produced and where it’s stored.

This “control-to-evidence map” is also how teams operationalize PE-20 without reinventing the process each audit cycle 1.

Where Daydream fits: Daydream is useful as the system to map PE-20 to an owner, an implementation procedure, and a recurring evidence checklist, so you can collect the same artifacts every cycle and reduce “where is it stored?” churn during assessments.

Required evidence and artifacts to retain

Retain evidence that proves both design (you defined parameters) and operation (you track movement).

Core artifacts (recommended):

  • PE-20 control statement with defined tracking method, in-scope assets, and boundary 1.
  • Asset inventory extract showing in-scope assets, unique IDs, and current location.
  • Movement logs (from ticketing system, asset tool, RFID/barcode system).
  • Samples of completed move tickets/work orders with approvals and location updates.
  • Reconciliation reports and results of spot checks (including exceptions and remediation).
  • Exception/missing-asset incident records and closure notes.
  • Procedures/SOPs for check-in/check-out, transfers, shipments, and disposal.

Common exam/audit questions and hangups

Expect assessors to ask:

  • “What assets are in scope for PE-20, and why?”
  • “Define the monitored boundary. Which rooms/areas are included or excluded?”
  • “Show me how an asset move is recorded end-to-end. Where is the approval?”
  • “How do you detect an unauthorized move?”
  • “Show your last reconciliation and what you did with discrepancies.”
  • “Who owns this control, and what happens if the owner changes roles?”

Hangups that cause findings:

  • Inventory exists, but movement records are informal (email/Slack).
  • Tags exist, but nobody scans them, so data is stale.
  • Boundary is vague (“our offices”) and not testable.
  • Storage rooms and repair workflows are unmanaged, so assets “disappear” between states.

Frequent implementation mistakes and how to avoid them

  • Tracking everything without a workable process
    Why it fails: Operators bypass it; records rot.
    Fix: Narrow scope to assets supporting the system boundary; expand later.
  • Treating inventory as “monitoring”
    Why it fails: PE-20 requires tracking movement, not static lists.
    Fix: Add control points and movement events with logs.
  • No link between a move and its business justification
    Why it fails: Auditors can’t validate authorized movement.
    Fix: Require a ticket/work order ID for every move.
  • No exception path
    Why it fails: Discrepancies become invisible and recur.
    Fix: Define a missing-asset workflow and escalation.
  • Evidence scattered across teams
    Why it fails: You can’t assemble a test packet.
    Fix: Maintain a PE-20 evidence register and a recurring collection routine.

Enforcement context and risk implications

No public enforcement cases were provided in the source catalog for PE-20. Practically, failure modes still matter: untracked asset movement increases the likelihood of data exposure, loss of regulated media, and inability to support incident investigations. In federal assessments, missing evidence often becomes a control deficiency even when teams believe they “do asset management.”

Practical 30/60/90-day execution plan

You asked for speed; this plan is designed for operational traction without pretending every environment is identical.

First 30 days (stabilize scope and evidence)

  • Name the control owner and operators.
  • Define the three PE-20 parameters (method, assets, boundary) and publish the control statement 1.
  • Produce an initial inventory for in-scope assets with unique IDs and locations.
  • Stand up a mandatory move ticket type (or mandatory fields) and start capturing movement records.

Days 31–60 (make movement auditable)

  • Implement check-in/check-out for storage and staging areas.
  • Integrate movement workflow with physical access practices (who can enter asset rooms; escort rules as needed).
  • Train operators and do targeted spot checks in the highest-risk areas (storage, repair, shipping/receiving).
  • Start an exceptions log and prove closure on discrepancies.

Days 61–90 (prove ongoing operation)

  • Run a full reconciliation cycle and retain the report plus remediation actions.
  • Sample-test movement events: pick several assets and trace their movement history to tickets and approvals.
  • Tighten boundary definitions (rooms, cages, racks) so assessors can test consistently.
  • Build an “audit packet” folder: control statement, procedures, inventory extracts, movement samples, reconciliation evidence.

Frequently Asked Questions

What assets should be in scope for PE-20?

Start with assets that support your authorized system boundary and would create security impact if lost or moved without authorization. Typical examples include servers, network devices, admin endpoints, and sensitive removable media; document your chosen scope so it’s testable.

Does PE-20 require RFID, or can we use barcodes and tickets?

PE-20 requires that you employ a defined method to track and monitor movement; it does not mandate a specific technology 1. Barcodes plus enforced scanning and ticket evidence can satisfy the control if you can prove it works.

What does “within the facility” mean in practice?

Treat it as a named, bounded area that an assessor can verify, such as a data center cage, server room, or locked IT storage area. Write down what is included and excluded, then align procedures and evidence to that boundary.

How do we prove “monitoring,” not just inventory?

Show movement logs tied to approvals and work orders, plus reconciliation results that detect discrepancies. Auditors want to see that assets can’t move through normal operations without a record.

We use a third-party data center. Are we still responsible?

If the assets are yours and part of your system boundary, you still need evidence that location and movement are tracked within the relevant area. In practice, you may rely on a mix of your own asset records and the third party’s access/move procedures, but you must be able to produce your assessment evidence.

What evidence do auditors request most often for PE-20?

A current in-scope inventory with locations, a sample of movement tickets/logs showing approvals and updated locations, and a reconciliation report that shows discrepancies and remediation. If you can’t produce those quickly, expect testing friction.

Footnotes

  1. NIST SP 800-53 Rev. 5 OSCAL JSON

  2. NIST SP 800-53 Rev. 5
