RA-6: Technical Surveillance Countermeasures Survey
RA-6 requires you to run technical surveillance countermeasures (TSCM) surveys at defined times and/or locations to detect and mitigate unauthorized eavesdropping or monitoring risks in spaces where sensitive federal work occurs. To operationalize it fast, define the trigger points, scope the spaces, select qualified survey resources, document results and remediation, and retain evidence for assessors. [1]
Key takeaways:
- Treat RA-6 as a facility and operational-security control, not an IT scan; it covers physical spaces where sensitive conversations or activities occur.
- Your biggest audit risk is ambiguity: missing defined “when/where” triggers and missing evidence that surveys occurred and findings were closed.
- Build a repeatable workflow: request → approve → conduct → report → remediate → verify → archive, with clear ownership and retention.
The RA-6 technical surveillance countermeasures survey requirement shows up when your system or program processes sensitive federal information and you also rely on physical spaces for that work, such as secure conference rooms, executive offices, war rooms, program areas, or spaces used for incident response or acquisition discussions. The control is short, but operationally it is easy to miss because it sits between security engineering, facilities, and program leadership.
RA-6 does not ask you to “do more monitoring.” It asks you to proactively check for technical surveillance devices or conditions that could enable unauthorized listening, viewing, or signal collection in designated areas, then act on the results. Your implementation needs two things that auditors consistently look for: (1) you defined the required survey cadence/trigger and locations; (2) you can prove surveys were performed and findings were tracked to closure.
This page gives requirement-level guidance you can execute: applicability scoping, a step-by-step procedure, evidence to retain, common audit hangups, and a practical execution plan that gets you to an assessable state without overbuilding. [2]
Requirement: RA-6 technical surveillance countermeasures survey requirement (plain English)
RA-6 requires your organization to employ a technical surveillance countermeasures (TSCM) survey at organization-defined parameters. In practice, that means you must:
- Decide where TSCM surveys are required (specific rooms, suites, sites, or mobile environments).
- Decide when they are required (event-driven triggers and/or a recurring schedule).
- Ensure surveys are performed by qualified personnel or a qualified third party.
- Document results and manage remediation to closure. [1]
Why the control exists (operational risk)
RA-6 addresses a risk that doesn’t show up in vulnerability scans: technical eavesdropping. If your teams discuss controlled federal work, security incidents, legal strategy, or acquisition decisions in a space that’s compromised, confidentiality can be lost even if your network is hardened. That risk also extends to hybrid work patterns (temporary project rooms, leased sites, or shared facilities) where physical and RF conditions change often.
Regulatory text
“Employ a technical surveillance countermeasures survey at {{ insert: param, ra-06_odp.01 }} {{ insert: param, ra-06_odp.02 }}.” [1]
Operator interpretation of the placeholders: the “organization-defined parameters” are the crux of RA-6. You must explicitly define the two missing pieces (typically “at [frequency/trigger]” and “at [locations/conditions]”) in your policy/standard and then operate to that definition with evidence.
Who it applies to
Entity scope
- Federal information systems.
- Contractor systems handling federal data. [1]
Operational scope (where RA-6 becomes relevant)
RA-6 is typically in scope when you have any of the following:
- Spaces used for handling sensitive federal information, controlled unclassified information (CUI) discussions, or mission-sensitive planning.
- Executive or program leadership spaces where acquisition, incident response, or legal/regulatory decisions are discussed.
- Secure meeting rooms used for remote conferencing where microphones, speakers, cameras, and room systems increase exposure.
- Shared or leased facilities where prior occupants or adjacent tenants create higher uncertainty.
If none of your federal work involves sensitive verbal discussions or physical meetings (rare in practice), you still need to document a rationale and boundary decision for RA-6 rather than silently omitting it.
What you actually need to do (step-by-step)
Use the workflow below as your operating procedure. Keep it short enough that it runs during busy quarters.
Step 1: Assign ownership and RACI
- Control owner: usually Facilities Security, Corporate Security, or an Information System Security Officer (ISSO) depending on your org design.
- Supporting roles: physical security, IT/AV, GRC, site managers.
- Approver: CISO/FSO/CCO-level risk owner for scoped spaces.
Deliverable: RA-6 control record mapping owner, procedure, and evidence artifacts (your SSP/control matrix equivalent). [1]
Step 2: Define “where” (locations in scope)
Create a TSCM scope register with:
- Site/building
- Room name/ID
- Business purpose (e.g., “CUI program reviews”)
- Technology profile (room conferencing system, always-on devices, RF exposure)
- Access profile (public adjacency, shared walls, visitor traffic)
Practical tip: start with a narrow list of “designated sensitive spaces” and expand as you learn. Auditors prefer a defined scope with execution over an aspirational list with no surveys.
Step 3: Define “when” (triggers and cadence)
Write down the conditions that trigger a TSCM survey. Common patterns:
- Before first use of a newly designated sensitive space (new build-out, new lease, renovated room).
- After significant changes (construction nearby, AV replacement, furniture moves that expose wiring/voids).
- After a security incident suggesting possible eavesdropping or unauthorized access.
- Prior to high-sensitivity events (critical negotiations, incident war room activation).
If you also set a recurring cadence, document it. The key is not the specific interval; it is that you set one and follow it with evidence. [1]
Step 4: Select qualified survey resources (internal or third party)
Decide whether surveys are performed by:
- An internal physical security team with training and tools; or
- A specialized third party.
Set minimum qualification criteria in your standard:
- Independence expectations (avoid conflicts where the same team installs and “certifies” the room without review).
- Handling of sensitive findings (reports can contain facility vulnerabilities).
Third-party risk angle: if you use an external TSCM firm, treat them as a high-trust third party. Contract for confidentiality, secure report delivery, retention, and evidence you can show to assessors without disclosing sensitive details broadly.
Step 5: Execute the survey and produce a report you can govern
A usable RA-6 report package includes:
- Date/time, location(s), scope statement
- Methods used (high level, avoid oversharing sensitive detection techniques in widely distributed docs)
- Findings and severity ranking (even a simple High/Medium/Low works if consistent)
- Recommended remediation
- Attestation/signature from the survey lead
Store the full report in a restricted repository. Create a separate “assessor-ready summary” that shows completion and closure status without exposing sensitive room weaknesses.
Step 6: Remediate findings and verify closure
Treat findings like security issues:
- Create tickets with owners and due dates.
- Track compensating controls if remediation is delayed (e.g., temporarily move sensitive meetings to another room).
- Re-test or verify after remediation, especially for repeatable issues (AV cabling, unsecured ceiling access, unmanaged always-on devices).
Step 7: Maintain evidence and prove repeatability
RA-6 commonly fails on “we did it once, then forgot.” Build a lightweight recurring workflow:
- Central intake for survey requests (site managers and program leads can request)
- Calendar triggers tied to facilities change management
- Quarterly review by GRC of “rooms in scope vs surveys completed vs findings open”
Daydream fit: many teams use Daydream to map RA-6 to an owner, define the procedure, and track recurring evidence artifacts so audits don’t turn into inbox archaeology. [1]
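As an added example (not code from this page or from Daydream), the Python script below encodes the Step 3 “when” rules (never surveyed, trigger event since the last survey, cadence exceeded) and runs the Step 7 quarterly review of “rooms in scope vs surveys completed vs findings open” over a scope register, a survey log, trigger events and finding tickets. It also produces the Step 5 assessor-ready summary, which carries date, scope, performer and closure counts but no finding detail. The data classes, field names, the 365-day cadence and every room, vendor, date and finding are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

SURVEY_CADENCE = timedelta(days=365)  # assumed organization-defined recurring cadence

@dataclass
class Room:            # one row of the TSCM scope register (Step 2); fields are assumed
    room_id: str
    purpose: str

@dataclass
class Survey:          # one completed survey (Step 5)
    room_id: str
    performed: date
    performer: str

@dataclass
class TriggerEvent:    # facilities/incident events that can trigger a survey (Step 3)
    room_id: str
    occurred: date
    kind: str          # e.g. "renovation", "av_refresh", "incident"

@dataclass
class Finding:         # one remediation ticket (Step 6)
    finding_id: str
    room_id: str
    severity: str
    due: date
    closed: Optional[date] = None
    compensating_control: Optional[str] = None

def last_survey(room_id, surveys):
    """Most recent survey of a room, or None if it has never been surveyed."""
    hits = [s for s in surveys if s.room_id == room_id]
    return max(hits, key=lambda s: s.performed) if hits else None

def survey_status(room, surveys, events, today):
    """Step 3 'when' rules: never surveyed, trigger since last survey, or cadence exceeded."""
    last = last_survey(room.room_id, surveys)
    if last is None:
        return "DUE", "never surveyed"
    kinds = sorted({e.kind for e in events
                    if e.room_id == room.room_id and e.occurred > last.performed})
    if kinds:
        return "DUE", "trigger after last survey: " + ", ".join(kinds)
    if today - last.performed > SURVEY_CADENCE:
        return "DUE", f"cadence exceeded (last survey {last.performed.isoformat()})"
    return "CURRENT", f"last survey {last.performed.isoformat()} by {last.performer}"

def finding_status(finding, today):
    """CLOSED wins; a documented compensating control makes a late item DEFERRED rather than OVERDUE."""
    if finding.closed is not None:
        return "CLOSED"
    if finding.compensating_control:
        return "DEFERRED"
    return "OVERDUE" if today > finding.due else "OPEN"

def quarterly_review(rooms, surveys, events, findings, today):
    """Step 7 GRC review: rooms in scope vs surveys completed vs findings open."""
    review = {"rooms_in_scope": len(rooms), "current": [], "due": {},
              "findings": {"OPEN": [], "OVERDUE": [], "DEFERRED": [], "CLOSED": []}}
    for room in rooms:
        status, reason = survey_status(room, surveys, events, today)
        if status == "CURRENT":
            review["current"].append(room.room_id)
        else:
            review["due"][room.room_id] = reason
    for f in findings:
        review["findings"][finding_status(f, today)].append(f.finding_id)
    return review

def assessor_summary(room, surveys, findings, today):
    """Assessor-ready view (Step 5): date, scope, performer and closure counts, no finding detail."""
    last = last_survey(room.room_id, surveys)
    counts = {"OPEN": 0, "OVERDUE": 0, "DEFERRED": 0, "CLOSED": 0}
    for f in findings:
        if f.room_id == room.room_id:
            counts[finding_status(f, today)] += 1
    return {"room_id": room.room_id, "scope": room.purpose,
            "last_survey": last.performed.isoformat() if last else None,
            "performer": last.performer if last else None, "findings": counts}

# Constructed sample data: rooms, vendors, dates and findings are invented for illustration.
TODAY = date(2025, 7, 1)
ROOMS = [Room("R-101", "CUI program reviews"),
         Room("R-205", "Executive conference room"),
         Room("R-310", "Incident war room (new build-out)"),
         Room("R-420", "Acquisition planning (leased site)")]
SURVEYS = [Survey("R-101", date(2025, 3, 10), "External TSCM firm (assumed)"),
           Survey("R-205", date(2025, 1, 15), "Internal physical security"),
           Survey("R-420", date(2024, 1, 15), "External TSCM firm (assumed)")]
EVENTS = [TriggerEvent("R-101", date(2025, 6, 1), "av_refresh"),    # after R-101's survey: re-trigger
          TriggerEvent("R-205", date(2024, 12, 1), "renovation")]   # before R-205's survey: already covered
FINDINGS = [Finding("F-1", "R-101", "High", date(2025, 4, 15), closed=date(2025, 4, 10)),
            Finding("F-2", "R-101", "Medium", date(2025, 6, 30),
                    compensating_control="sensitive meetings moved to R-205"),
            Finding("F-3", "R-420", "High", date(2024, 3, 1)),
            Finding("F-4", "R-205", "Low", date(2025, 8, 1))]
```

Calling `quarterly_review(ROOMS, SURVEYS, EVENTS, FINDINGS, TODAY)` on the sample data marks R-205 current and flags R-101 (AV refresh after its survey), R-310 (never surveyed) and R-420 (cadence exceeded) as due, while F-3 shows as overdue and F-2 as deferred with its compensating control. The assessor summary deliberately omits severity, remediation text and compensating-control details so it can be shared without publishing room weaknesses.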
Required evidence and artifacts to retain (audit-ready)
Keep evidence that proves definition, execution, and closure:
| Evidence | What it should show | Owner |
|---|---|---|
| RA-6 policy/standard text | Defined “where” and “when” parameters (the placeholders) | GRC + Security |
| TSCM scope register | Rooms/sites in scope with rationale | Facilities/Security |
| Engagement records | Who performed surveys; approvals; any third-party SOW/PO | Security/Procurement |
| Survey reports (restricted) | Dates, locations, findings, recommendations | Security |
| Assessor-ready survey summary | Proof of completion without sensitive detail | GRC |
| Remediation tickets + closure proof | Fixes implemented; verification notes | Facilities/IT/AV |
| Exception/risk acceptance memos | When remediation is deferred, with compensating controls | Risk owner |
Common exam/audit questions and hangups
Expect assessors to press on these points:
- “Show me your organization-defined parameters.” If you can’t point to written “where/when” criteria, RA-6 will read as undefined. [1]
- “How did you choose rooms?” They want a rational scope, not “only the CEO asked.”
- “Prove the survey happened.” Calendar invites are weak alone; keep the report, sign-off, or deliverable receipt.
- “What did you do about findings?” Open findings without a plan are a common write-up.
- “How do you keep it current after renovations?” If facilities change management is separate, RA-6 decays quickly.
Frequent implementation mistakes (and how to avoid them)
- Mistake: Treating RA-6 like an IT vulnerability scan.
  Fix: put Facilities/Physical Security in the ownership chain; include AV and building access considerations.
- Mistake: Defining scope too broadly on paper.
  Fix: start with designated sensitive spaces you can actually survey; expand later with a controlled change.
- Mistake: Filing the report and not tracking remediation.
  Fix: require tickets for every finding and a closure verification step.
- Mistake: Over-sharing sensitive survey details.
  Fix: restrict full reports; create an assessor summary that proves compliance without publishing weaknesses.
- Mistake: No trigger tied to construction and AV refresh.
  Fix: add a required RA-6 review step to facilities change approvals for in-scope rooms.
Enforcement context and risk implications
No public enforcement cases were provided in the source catalog for RA-6, so you should treat this as a control-assessment and contract-performance risk rather than a “named enforcement trend” item. The practical exposure is still real: failure can lead to confidentiality loss in sensitive federal programs, and it can produce assessment findings that affect authorization decisions or customer trust. [1]
Practical execution plan (30/60/90)
Use a staged plan you can run without guessing budgets or durations.
First 30 days (stand up the control)
- Name the RA-6 control owner and approver; publish the RACI.
- Draft the RA-6 standard with explicit “where” and “when” parameters.
- Build the initial TSCM scope register (start with your highest-sensitivity rooms).
- Decide internal vs third-party survey execution; if third-party, start procurement and confidentiality terms.
- Create the evidence repository structure (restricted full reports + assessor summaries). [1]
By 60 days (operate once end-to-end)
- Run pilot surveys for the initial in-scope rooms.
- Produce the first assessor-ready summary and log it in your GRC evidence tracker.
- Open remediation tickets; document compensating controls for any deferred items.
- Add an RA-6 check to facilities change management for in-scope rooms.
By 90 days (stabilize and make it repeatable)
- Expand scope based on pilot lessons (or confirm the initial boundary with rationale).
- Formalize recurring triggers: renovation, moves/adds/changes to AV, incident response activation, high-sensitivity events.
- Run a tabletop review with Facilities + Security + GRC: “What would trigger a survey this quarter?” Adjust the standard.
- Prepare an audit packet: policy, scope register, last survey evidence, and remediation closure log.
Frequently Asked Questions
Do we need RA-6 if we are “cloud-first” and have strong cybersecurity controls?
Yes if sensitive work occurs in physical spaces where conversations or meetings happen. RA-6 targets technical eavesdropping risk in rooms, not network vulnerabilities. [1]
What should we define for the “organization-defined parameters” in RA-6?
Define the locations in scope (rooms/sites) and the triggers or schedule for conducting surveys. Auditors look for written criteria you can follow consistently. [1]
Can we outsource TSCM surveys to a third party?
Yes. Treat the provider as a high-trust third party and contract for confidentiality, secure handling of findings, and deliverables you can retain as evidence.
How do we show evidence without sharing sensitive room vulnerabilities with auditors?
Keep full reports in a restricted repository and create a separate assessor summary showing date, scope, performer, and closure status. Provide full details only under controlled review if required.
What’s the fastest way to fail RA-6 during an assessment?
Having no documented “where/when” parameters, or having surveys performed but no tracked remediation for findings. Either gap makes the control look unmanaged. [1]
How should RA-6 connect to facilities change management?
Add a trigger so renovations, AV replacements, or major room reconfigurations in scoped spaces prompt a TSCM review and, if needed, a survey. That prevents the control from drifting after the initial assessment.
Footnotes
[1] NIST SP 800-53 Rev. 5 OSCAL JSON