PE-21: Electromagnetic Pulse Protection

PE-21 requires you to implement defined protections against electromagnetic pulse (EMP) damage for the systems, equipment, and facilities in scope of your security boundary, and to keep evidence that those protections are designed, installed, and maintained. Operationalize it by scoping what must survive an EMP event, selecting feasible protective measures, and proving ongoing readiness through inspections and change control. 1

Key takeaways:

  • Scope first: define which assets and locations must be protected from EMP within your authorization boundary.
  • Implement layered protections: facility hardening, shielding, surge protection, grounding, and resilient architecture.
  • Evidence wins audits: diagrams, installation records, test/inspection logs, and change approvals tied to the EMP strategy.

PE-21 (Electromagnetic Pulse Protection) is a physical and environmental protection control from NIST SP 800-53 Rev. 5. It is rarely “owned” cleanly because it sits between facilities, IT infrastructure, and security governance. That ownership gap is where programs fail: teams can describe generic power protection, but cannot show an EMP-specific decision, a documented scope, and maintained safeguards aligned to the system boundary. 2

As the Compliance Officer, CCO, or GRC lead, your job is to turn an abstract requirement into an assessable implementation. That means: (1) decide what you are protecting (and why), (2) document the protective approach in a way facilities and IT can execute, and (3) retain evidence that the approach stays valid as sites, racks, and providers change. You do not need to be an electrical engineer to pass PE-21, but you do need a defensible plan, clear control ownership, and repeatable artifacts that an assessor can trace from requirement to implementation to ongoing operation. 1

Regulatory text

Control requirement (excerpt): “Employ {{ insert: param, pe-21_odp.01 }} against electromagnetic pulse damage for {{ insert: param, pe-21_odp.02 }}.” 1

What the operator must do

Because the excerpt is parameterized, your implementation hinges on two decisions you must make explicit and document:

  1. What protections you will employ (the “how”): shielding, filtering, grounding/bonding, surge suppression, architectural resilience, protected locations, or equivalent measures appropriate to the environment.
  2. What the protections apply to (the “where/what”): specific facilities, rooms, enclosures, systems, or components within your system authorization boundary.

Assessors commonly look for a traceable chain: defined scope → chosen EMP protections → implemented safeguards → maintained evidence. 1
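The two decisions above are the organization-defined parameters (ODPs) that the OSCAL catalog leaves open in the control prose. The following added example (not part of the NIST catalog or any OSCAL tooling) renders the tailored PE-21 statement from your ODP values and flags any parameter you have not yet decided, so an undefined scope or protection set shows up in the control narrative instead of silently disappearing. The sample ODP values are constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Control prose as published in the NIST SP 800-53 Rev. 5 OSCAL catalog
# (the excerpt quoted on this page).
PE21_PROSE = ("Employ {{ insert: param, pe-21_odp.01 }} against electromagnetic "
              "pulse damage for {{ insert: param, pe-21_odp.02 }}.")

# Matches the OSCAL parameter insertion syntax: {{ insert: param, <id> }}
PARAM_RE = re.compile(r"\{\{\s*insert:\s*param,\s*([A-Za-z0-9_.-]+)\s*\}\}")


def referenced_params(prose: str) -> List[str]:
    """Return the ODP identifiers referenced in the prose, in order of appearance."""
    return PARAM_RE.findall(prose)


def render_statement(prose: str, odp_values: Dict[str, str]) -> Tuple[str, List[str]]:
    """Substitute organization-defined parameter values into the control prose.

    Returns the tailored statement and the list of parameters that were not set.
    An unset parameter is left as a visible placeholder rather than blank text,
    so a missing scope or protection decision cannot hide in the narrative.
    """
    missing: List[str] = []

    def substitute(match: "re.Match") -> str:
        pid = match.group(1)
        value = odp_values.get(pid, "").strip()
        if value:
            return value
        missing.append(pid)
        return f"[{pid}: NOT DEFINED]"

    return PARAM_RE.sub(substitute, prose), missing


if __name__ == "__main__":
    # Constructed sample values for one organization's PE-21 decisions (hypothetical).
    odps = {
        "pe-21_odp.01": "panel-level surge suppression, bonded grounding, and shielded "
                        "enclosures for core network racks",
        # pe-21_odp.02 deliberately omitted to show how an undecided scope is reported
    }
    statement, unresolved = render_statement(PE21_PROSE, odps)
    print(statement)
    if unresolved:
        print("Unresolved ODPs (decisions still required):", ", ".join(unresolved))
```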

Plain-English interpretation

PE-21 expects your program to reduce the likelihood that an EMP event disables your ability to operate or recover. Practically, you must show that you:

  • Identified EMP as a plausible physical/environmental hazard for in-scope operations.
  • Chose EMP protections that match your environment and criticality.
  • Installed and maintain those protections, including as equipment and sites change.
  • Can prove the above with artifacts that a third party (assessor) can verify. 2

Who it applies to (entity and operational context)

PE-21 most directly applies to:

  • Federal information systems and the organizations operating them. 1
  • Contractor systems handling federal data where NIST SP 800-53 controls are flowed down via contract, ATO requirements, or program security plans. 1

Operationally, it becomes relevant when:

  • You operate data centers, comms rooms, SCIF-adjacent spaces, industrial control environments, or mission-critical facilities.
  • You have on-prem infrastructure or hybrid dependencies (on-prem network edge, circuits, radios, satellite links, power conditioning, backup generation controls).
  • You rely on third-party colocation or cloud, where your obligation shifts toward due diligence and contractual/architectural controls, not facility retrofits you cannot perform.

What you actually need to do (step-by-step)

1) Assign control ownership and decision authority

  • Name a primary control owner (often Facilities/Security Engineering) and a GRC accountable owner who keeps scope, documentation, and evidence current.
  • Define RACI for: facility modifications, electrical work orders, cabling standards, data center fit-outs, and third-party site selection.

Daydream note (earned mention): Many teams track PE controls in spreadsheets that drift from reality. Daydream-style control mapping (owner, procedure, recurring evidence) prevents “we did it once” implementations that fail at re-assessment. 1

2) Define EMP protection scope (the “what” and “where”)

Produce a scoped inventory that is audit-friendly:

  • Facilities/locations: buildings, floors, rooms, cages, telecom closets, generator rooms, MDF/IDF.
  • Systems/components: core network, storage, backup, identity services, boundary protection, ICS controllers, emergency communications.
  • Dependencies: power feeds, UPS, ATS, generators, grounding bus, external circuits, antenna feeds.

Minimum output: an “EMP Scope Statement” that ties directly to your system boundary and critical services.

3) Choose an EMP protection strategy (layered and realistic)

Document your selected approach as a set of design controls. Examples you can combine:

  • Physical shielding/enclosures for critical equipment areas (Faraday-style room/cabinet approaches where feasible).
  • Cable entry protection (filtered penetrations, protected conduits, minimized antenna/copper exposure where risk warrants).
  • Surge suppression and power conditioning (device-level and panel-level protection).
  • Grounding and bonding practices aligned to your facility electrical design.
  • Architectural resilience (segmentation, redundancy, failover locations, offline backups, spares).

Your documentation should answer: Why these protections are appropriate for your environment and risk appetite, and how you will keep them intact through changes.

4) Translate strategy into implementable requirements (design standards + work orders)

Turn “EMP protection” into work that facilities and IT can execute:

  • Create or update a data center/closet build standard that includes EMP-related requirements (shielding needs, permitted penetrations, grounding checks, approved surge protection models, labeling).
  • Require engineering review for changes affecting cable paths, racks, power distribution, or room construction.
  • Add procurement specs for critical equipment (EMP-related hardening expectations where applicable).

5) Address third-party facilities and cloud realistically

If you cannot modify the facility (colocation, cloud):

  • Document compensating controls: multi-region architecture, rapid rebuild, immutable backups, alternative comms paths, tested recovery runbooks.
  • Perform third-party due diligence: request facility resiliency attestations and confirm responsibilities in contracts and shared responsibility matrices.
  • Keep a decision record explaining why facility-level EMP hardening is not possible and how resilience objectives are met.

6) Operationalize: inspections, maintenance, and change control

Auditors expect PE-21 to be maintained, not declared.

  • Add EMP-related items to preventive maintenance and inspection checklists (grounding integrity, surge protector replacement intervals per manufacturer guidance, enclosure integrity, penetration management).
  • Tie EMP safeguards to configuration/change management so remodels or equipment refreshes do not break shielding, grounding, or filtering assumptions.
  • Record exceptions with risk acceptance approvals and compensating controls.

Required evidence and artifacts to retain

Keep artifacts that show scope, implementation, and ongoing operation:

Core governance

  • PE-21 control narrative (how you meet the requirement) mapped to owners and procedures. 1
  • EMP Scope Statement tied to the system boundary and critical services.
  • Risk assessment entries covering EMP as a physical/environmental threat assumption (even if likelihood is low, the decision must be explicit).

Engineering and implementation

  • Facility and rack diagrams showing protected areas, cable entry points, grounding layout (as available).
  • Bills of materials and installation records for shielding, surge protection, filters, grounding upgrades.
  • Commissioning reports or acceptance checklists for build-outs or retrofits.

Operational run-state

  • Preventive maintenance schedules and completed inspection logs.
  • Change tickets with approvals for modifications affecting protected spaces.
  • Exception register and risk acceptances for gaps or deferred work.

Common exam/audit questions and hangups

Expect questions like:

  • “What exactly is in scope for EMP protection, and how did you decide?”
  • “Show me where EMP protections are documented in engineering standards.”
  • “What evidence proves the protections are installed and still intact?”
  • “How do you prevent a remodel or cable pull from breaking the protection?”
  • “If you’re in colocation/cloud, what do you control, and what do you verify?”

Frequent hangup: teams present general power/UPS resilience and call it EMP. If your documentation never names EMP and never ties measures to EMP damage, an assessor can mark PE-21 as not satisfied even if you have strong general resilience.

Frequent implementation mistakes and how to avoid them

Mistake: Treating EMP as “someone else’s problem” (facilities only)
  Why it fails: No audit trail, no boundary mapping, no governance.
  How to avoid it: Assign a GRC accountable owner and require evidence cycles. 1

Mistake: No explicit scope
  Why it fails: Assessors can’t determine coverage.
  How to avoid it: Publish an EMP scope statement tied to the authorization boundary.

Mistake: Confusing EMP with lightning/surge generally
  Why it fails: Wrong threat model, weak narrative.
  How to avoid it: Document how selected measures address EMP damage specifically; note where surge protection is part of a layered approach.

Mistake: No ongoing maintenance proof
  Why it fails: “Installed once” does not equal “effective now”.
  How to avoid it: Put inspections and change control hooks in your PE procedures and retain logs.

Mistake: Third-party reliance without contracts/evidence
  Why it fails: You can’t show responsibility or assurance.
  How to avoid it: Keep shared responsibility documentation, due diligence responses, and architecture compensations.

Enforcement context and risk implications

No public enforcement cases were provided in the source catalog for PE-21, so this page does not cite enforcement outcomes.

Risk implications still matter operationally:

  • Availability and mission impact: EMP-related events can cause widespread component failure and extended recovery, especially where spares and rebuild paths are not planned.
  • Assessment risk: The most common “practical failure” is evidence. If you cannot show what protections exist and how you maintain them, PE-21 becomes a documentation gap even if some protections are present. 1

Practical 30/60/90-day execution plan

First 30 days (stabilize governance and scope)

  • Assign PE-21 control owner, GRC accountable, and facilities/IT points of contact.
  • Publish EMP Scope Statement (facilities + critical components + third-party sites).
  • Draft the PE-21 control narrative: chosen EMP protection approach and how it is maintained. 1
  • Stand up an evidence register: what artifacts exist now, what must be created, where stored.

Days 31–60 (standardize and close obvious gaps)

  • Convert strategy into build and change standards (data closet/DC standard, cabling/penetration rules, grounding/surge requirements).
  • Identify top gaps: unprotected critical rooms, undocumented grounding, unmanaged penetrations, missing maintenance records.
  • For third-party facilities/cloud: collect due diligence responses, document compensating controls, and record shared responsibility boundaries.

Days 61–90 (prove ongoing operation)

  • Run the first maintenance/inspection cycle and file completed logs.
  • Run a controlled change (or tabletop) to validate that change management catches modifications impacting EMP protections.
  • Finalize assessor-ready package: diagrams, standards, tickets, exception register, and control mapping with owners and recurring evidence expectations. 1

Frequently Asked Questions

Do I need a Faraday cage to meet PE-21?

Not necessarily. PE-21 is parameterized, so you must define reasonable protections for your environment and document why they are appropriate. If you do not use shielding, make the compensating measures and rationale explicit. 1

How do I scope PE-21 in a cloud-first environment?

Scope what you control (network edge, endpoints, backup media handling, comms circuits) and document what the cloud provider controls. Then show compensating controls such as multi-region design and recovery capability, plus third-party due diligence artifacts. 2

What evidence is most persuasive to an assessor?

A tight chain of scope statement, engineering standards, diagrams, installation/work orders, and maintenance/change records. If you only have a policy statement with no facility artifacts, expect a finding. 1

Who should “own” PE-21 internally?

Facilities or physical security often owns implementation, but GRC must own the requirement mapping and evidence cadence. If ownership is split, document the RACI so assessors see accountability. 2

How do we handle sites we lease where we can’t make electrical changes?

Record the constraint, perform due diligence, and document compensating controls that meet your availability objectives. Keep the lease/contract clauses and the risk acceptance or mitigation plan as evidence. 2

What’s the fastest way to get PE-21 audit-ready?

Start by mapping PE-21 to a named control owner, a written procedure, and a recurring evidence list, then fill the evidence gaps in priority order. That mapping is the backbone you will reuse at every assessment cycle. 1

Footnotes

  1. NIST SP 800-53 Rev. 5 OSCAL JSON

  2. NIST SP 800-53 Rev. 5
