name: "PE-6(3)_video-surveillance"
description: "Employ video surveillance of [organization-defined];"
category: "configuration"
version: "5.2.0"
author: "cyberstrike-official"
tags:
  - nist
  - sp800-53
  - rev5
  - pe-6-3
  - pe
  - enhancement
tech_stack:
  - any
cwe_ids: []
chains_with: []
prerequisites:
  - PE-6
severity_boost: {}
PE-6(3) Video Surveillance
Enhancement of: PE-6
High-Level Description
Family: Physical and Environmental Protection (PE)
Framework: NIST SP 800-53 Rev 5
Video surveillance focuses on recording activity in specified areas for the purposes of subsequent review, if circumstances so warrant. Video recordings are typically reviewed to detect anomalous events or incidents. Monitoring the surveillance video is not required, although organizations may choose to do so. There may be legal considerations when performing and retaining video surveillance, especially if such surveillance is in a public location.
What to Check
- Verify PE-6(3) Video Surveillance is documented in the SSP
- Validate all 3 control requirements are implemented
- Confirm control is operating effectively
- Review evidence of continuous monitoring for PE-6(3)
- Verify enhancement builds upon base control PE-6
How to Test
Step 1: Review Documentation
Examine the System Security Plan (SSP) and related artifacts for PE-6(3) implementation details. Verify the organization has documented how this control is satisfied.
Step 2: Validate Implementation
```bash
# For cloud environments, use cloud-audit-mcp tools
# For on-premises, review system configurations directly
# Example: Check if account management policies exist
grep -r "account.management\|access.control" /etc/security/ 2>/dev/null
```
Step 3: Test Operating Effectiveness
Verify the control is actively functioning, not just documented. Check logs, configurations, and operational evidence.
Tools
| Tool | Purpose | Usage |
|---|---|---|
| Manual Review | Documentation and interview-based | N/A |
Remediation Guide
Control Statement
- Employ video surveillance of [organization-defined];
- Review video recordings [organization-defined]; and
- Retain video recordings for [organization-defined].
Implementation Guidance
Video surveillance focuses on recording activity in specified areas for the purposes of subsequent review, if circumstances so warrant. Video recordings are typically reviewed to detect anomalous events or incidents. Monitoring the surveillance video is not required, although organizations may choose to do so. There may be legal considerations when performing and retaining video surveillance, especially if such surveillance is in a public location.
Risk Assessment
| Finding | Severity | Impact |
|---|---|---|
| PE-6(3) Video Surveillance not implemented | Medium | Physical and Environmental Protection |
| PE-6(3) partially implemented | Low | Incomplete Physical and Environmental Protection |
CWE Categories
| CWE ID | Title |
|---|---|
| N/A | No direct CWE mapping |
References
- NIST SP 800-53 Rev 5 - PE-6(3)
- NIST SP 800-53A Rev 5 (Assessment Procedures)
- NIST SP 800-53 Rev 5 Full Catalog
Checklist
- Control documented in SSP
- Implementation evidence collected
- Operating effectiveness validated
- Continuous monitoring in place
- Related controls (none) reviewed