Embedded Files
This page is classified as INTERNAL.
NIST 800-53 (r4) Control
The organization:
a. Provides the capability of shutting off power to the information system or individual system components in emergency situations;
b. Places emergency shutoff switches or devices in [Assignment: organization-defined location by information system or system component] to facilitate safe and easy access for personnel; and
c. Protects emergency power shutoff capability from unauthorized activation.
NIST 800-53 (r4) Supplemental Guidance: This control applies primarily to facilities containing concentrations of information system resources including, for example, data centers, server rooms, and mainframe computer rooms. Related control: PE-15.
NIST 800-53 (r5) Discussion:
Emergency power shutoff primarily applies to organizational facilities that contain concentrations of system resources, including data centers, mainframe computer rooms, server rooms, and areas with computer-controlled machinery.
38North Guidance:
Meets Minimum Requirement:
Includes ability to shutoff power to the information system OR individual system components.
Emergency Power Off (EPO) switches are obviously marked, but limited in access to only those personally who would have approved access to the system (e.g. within, not outside, a server cage).
Best Practice:
Review regional code, as need for EPO per code is sunsetting. If regional building code does not require facility-wide EPO, consider limiting to just information system and / or components for compliance purposes.
Vibrantly mark emergency shutoff buttons
Indicate that an alarm will sound if activated
House emergency shutoffs in a recessed box or protective covering
For datacenter-wide shutoffs, install in a secure room and include multiple shutoff options (e.g. HVAC, common areas, datacenter areas, etc.) rather than one kill switch.
Consider time delay EPO switches, depending on regional code, particularly for datacenter wide EPO.
Consider dual redundant EPO switches
Unofficial FedRAMP Guidance:
TBD
Assessment Evidence:
Inspect EPO capability and location
Actual testing of EPO is NOT recommended
Obtain the initial emergency power shutoff test performed prior to the operation of the datacenter, if available
CSP Implementation Tips:
AWS: Fully inherited
Azure: Fully inherited
GCP: Fully inherited
Page updated
Report abuse