compliance controls are associated with this Policy definition 'Manage nonlocal maintenance and diagnostic activities' (1fb1cb0e-1936-6f32-42fd-89970b535855)
| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| FedRAMP_High_R4 |
MA-2 |
FedRAMP_High_R4_MA-2 |
FedRAMP High MA-2 |
Maintenance |
Controlled Maintenance |
Shared |
n/a |
The organization:
a. Schedules, performs, documents, and reviews records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements;
b. Approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;
c. Requires that [Assignment: organization-defined personnel or roles] explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs;
d. Sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs;
e. Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; and
f. Includes [Assignment: organization-defined maintenance-related information] in organizational maintenance records.
Supplemental Guidance: This control addresses the information security aspects of the information system maintenance program and applies to all types of maintenance to any system component (including applications) conducted by any local or nonlocal entity (e.g., in-contract, warranty, in- house, software maintenance agreement). System maintenance also includes those components not directly associated with information processing and/or data/information retention such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes, for example: (i) date and time of maintenance; (ii) name of individuals or group performing the maintenance; (iii) name of escort, if necessary; (iv) a description of the maintenance performed; and (v) information system components/equipment removed or replaced (including identification numbers, if applicable). The level of detail included in maintenance records can be informed by
the security categories of organizational information systems. Organizations consider supply chain issues associated with replacement components for information systems. Related controls: CM-3, CM-4, MA-4, MP-6, PE-16, SA-12, SI-2.
References: None. |
link |
4 |
| FedRAMP_High_R4 |
MA-3 |
FedRAMP_High_R4_MA-3 |
FedRAMP High MA-3 |
Maintenance |
Maintenance Tools |
Shared |
n/a |
The organization approves, controls, and monitors information system maintenance tools.
Supplemental Guidance: This control addresses security-related issues associated with maintenance tools used specifically for diagnostic and repair actions on organizational information systems. Maintenance tools can include hardware, software, and firmware items. Maintenance tools are potential vehicles for transporting malicious code, either intentionally or unintentionally, into a facility and subsequently into organizational information systems. Maintenance tools can include, for example, hardware/software diagnostic test equipment and hardware/software packet sniffers. This control does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing “ping,” “ls,” “ipconfig,” or the hardware and software implementing the monitoring port of an Ethernet switch. Related controls: MA-2, MA-5, MP-6.
References: NIST Special Publication 800-88. |
link |
2 |
| FedRAMP_High_R4 |
MA-3(1) |
FedRAMP_High_R4_MA-3(1) |
FedRAMP High MA-3 (1) |
Maintenance |
Inspect Tools |
Shared |
n/a |
The organization inspects the maintenance tools carried into a facility by maintenance personnel for improper or unauthorized modifications.
Supplemental Guidance: If, upon inspection of maintenance tools, organizations determine that the tools have been modified in an improper/unauthorized manner or contain malicious code, the incident is handled consistent with organizational policies and procedures for incident handling. Related control: SI-7. |
link |
2 |
| FedRAMP_High_R4 |
MA-3(2) |
FedRAMP_High_R4_MA-3(2) |
FedRAMP High MA-3 (2) |
Maintenance |
Inspect Media |
Shared |
n/a |
The organization checks media containing diagnostic and test programs for malicious code before the media are used in the information system.
Supplemental Guidance: If, upon inspection of media containing maintenance diagnostic and test programs, organizations determine that the media contain malicious code, the incident is handled consistent with organizational incident handling policies and procedures. Related control: SI-3. |
link |
2 |
| FedRAMP_High_R4 |
MA-3(3) |
FedRAMP_High_R4_MA-3(3) |
FedRAMP High MA-3 (3) |
Maintenance |
Prevent Unauthorized Removal |
Shared |
n/a |
The organization prevents the unauthorized removal of maintenance equipment containing organizational information by:
(a) Verifying that there is no organizational information contained on the equipment;
(b) Sanitizing or destroying the equipment;
(c) Retaining the equipment within the facility; or
(d) Obtaining an exemption from [Assignment: organization-defined personnel or roles] explicitly authorizing removal of the equipment from the facility.
Supplemental Guidance: Organizational information includes all information specifically owned by organizations and information provided to organizations in which organizations serve as information stewards. |
link |
4 |
| FedRAMP_High_R4 |
MA-4 |
FedRAMP_High_R4_MA-4 |
FedRAMP High MA-4 |
Maintenance |
Nonlocal Maintenance |
Shared |
n/a |
The organization:
a. Approves and monitors nonlocal maintenance and diagnostic activities;
b. Allows the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the information system;
c. Employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions;
d. Maintains records for nonlocal maintenance and diagnostic activities; and
e. Terminates session and network connections when nonlocal maintenance is completed.
Supplemental Guidance: Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. Authentication techniques used in the establishment of nonlocal maintenance and diagnostic sessions reflect the network access requirements in IA-2. Typically, strong authentication requires authenticators that are resistant to replay attacks and employ multifactor authentication. Strong authenticators include, for example, PKI where certificates are stored on a token protected by a password, passphrase, or biometric. Enforcing requirements in MA-4 is accomplished in part by other controls. Related controls: AC-2, AC-3, AC-6, AC-17, AU-2, AU-3, IA-2, IA-4, IA-5, IA-8, MA-2, MA-5, MP-6, PL-2, SC-7, SC-10, SC-17.
References: FIPS Publications 140-2, 197, 201; NIST Special Publications 800-63, 800-88; CNSS Policy 15. |
link |
1 |
| FedRAMP_High_R4 |
MA-4(2) |
FedRAMP_High_R4_MA-4(2) |
FedRAMP High MA-4 (2) |
Maintenance |
Document Nonlocal Maintenance |
Shared |
n/a |
The organization documents in the security plan for the information system, the policies and procedures for the establishment and use of nonlocal maintenance and diagnostic connections. |
link |
1 |
| FedRAMP_Moderate_R4 |
MA-2 |
FedRAMP_Moderate_R4_MA-2 |
FedRAMP Moderate MA-2 |
Maintenance |
Controlled Maintenance |
Shared |
n/a |
The organization:
a. Schedules, performs, documents, and reviews records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements;
b. Approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;
c. Requires that [Assignment: organization-defined personnel or roles] explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs;
d. Sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs;
e. Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; and
f. Includes [Assignment: organization-defined maintenance-related information] in organizational maintenance records.
Supplemental Guidance: This control addresses the information security aspects of the information system maintenance program and applies to all types of maintenance to any system component (including applications) conducted by any local or nonlocal entity (e.g., in-contract, warranty, in- house, software maintenance agreement). System maintenance also includes those components not directly associated with information processing and/or data/information retention such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes, for example: (i) date and time of maintenance; (ii) name of individuals or group performing the maintenance; (iii) name of escort, if necessary; (iv) a description of the maintenance performed; and (v) information system components/equipment removed or replaced (including identification numbers, if applicable). The level of detail included in maintenance records can be informed by
the security categories of organizational information systems. Organizations consider supply chain issues associated with replacement components for information systems. Related controls: CM-3, CM-4, MA-4, MP-6, PE-16, SA-12, SI-2.
References: None. |
link |
4 |
| FedRAMP_Moderate_R4 |
MA-3 |
FedRAMP_Moderate_R4_MA-3 |
FedRAMP Moderate MA-3 |
Maintenance |
Maintenance Tools |
Shared |
n/a |
The organization approves, controls, and monitors information system maintenance tools.
Supplemental Guidance: This control addresses security-related issues associated with maintenance tools used specifically for diagnostic and repair actions on organizational information systems. Maintenance tools can include hardware, software, and firmware items. Maintenance tools are potential vehicles for transporting malicious code, either intentionally or unintentionally, into a facility and subsequently into organizational information systems. Maintenance tools can include, for example, hardware/software diagnostic test equipment and hardware/software packet sniffers. This control does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing “ping,” “ls,” “ipconfig,” or the hardware and software implementing the monitoring port of an Ethernet switch. Related controls: MA-2, MA-5, MP-6.
References: NIST Special Publication 800-88. |
link |
2 |
| FedRAMP_Moderate_R4 |
MA-3(1) |
FedRAMP_Moderate_R4_MA-3(1) |
FedRAMP Moderate MA-3 (1) |
Maintenance |
Inspect Tools |
Shared |
n/a |
The organization inspects the maintenance tools carried into a facility by maintenance personnel for improper or unauthorized modifications.
Supplemental Guidance: If, upon inspection of maintenance tools, organizations determine that the tools have been modified in an improper/unauthorized manner or contain malicious code, the incident is handled consistent with organizational policies and procedures for incident handling. Related control: SI-7. |
link |
2 |
| FedRAMP_Moderate_R4 |
MA-3(2) |
FedRAMP_Moderate_R4_MA-3(2) |
FedRAMP Moderate MA-3 (2) |
Maintenance |
Inspect Media |
Shared |
n/a |
The organization checks media containing diagnostic and test programs for malicious code before the media are used in the information system.
Supplemental Guidance: If, upon inspection of media containing maintenance diagnostic and test programs, organizations determine that the media contain malicious code, the incident is handled consistent with organizational incident handling policies and procedures. Related control: SI-3. |
link |
2 |
| FedRAMP_Moderate_R4 |
MA-3(3) |
FedRAMP_Moderate_R4_MA-3(3) |
FedRAMP Moderate MA-3 (3) |
Maintenance |
Prevent Unauthorized Removal |
Shared |
n/a |
The organization prevents the unauthorized removal of maintenance equipment containing organizational information by:
(a) Verifying that there is no organizational information contained on the equipment;
(b) Sanitizing or destroying the equipment;
(c) Retaining the equipment within the facility; or
(d) Obtaining an exemption from [Assignment: organization-defined personnel or roles] explicitly authorizing removal of the equipment from the facility.
Supplemental Guidance: Organizational information includes all information specifically owned by organizations and information provided to organizations in which organizations serve as information stewards. |
link |
4 |
| FedRAMP_Moderate_R4 |
MA-4 |
FedRAMP_Moderate_R4_MA-4 |
FedRAMP Moderate MA-4 |
Maintenance |
Nonlocal Maintenance |
Shared |
n/a |
The organization:
a. Approves and monitors nonlocal maintenance and diagnostic activities;
b. Allows the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the information system;
c. Employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions;
d. Maintains records for nonlocal maintenance and diagnostic activities; and
e. Terminates session and network connections when nonlocal maintenance is completed.
Supplemental Guidance: Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. Authentication techniques used in the establishment of nonlocal maintenance and diagnostic sessions reflect the network access requirements in IA-2. Typically, strong authentication requires authenticators that are resistant to replay attacks and employ multifactor authentication. Strong authenticators include, for example, PKI where certificates are stored on a token protected by a password, passphrase, or biometric. Enforcing requirements in MA-4 is accomplished in part by other controls. Related controls: AC-2, AC-3, AC-6, AC-17, AU-2, AU-3, IA-2, IA-4, IA-5, IA-8, MA-2, MA-5, MP-6, PL-2, SC-7, SC-10, SC-17.
References: FIPS Publications 140-2, 197, 201; NIST Special Publications 800-63, 800-88; CNSS Policy 15. |
link |
1 |
| FedRAMP_Moderate_R4 |
MA-4(2) |
FedRAMP_Moderate_R4_MA-4(2) |
FedRAMP Moderate MA-4 (2) |
Maintenance |
Document Nonlocal Maintenance |
Shared |
n/a |
The organization documents in the security plan for the information system, the policies and procedures for the establishment and use of nonlocal maintenance and diagnostic connections. |
link |
1 |
| hipaa |
0301.09o1Organizational.123-09.o |
hipaa-0301.09o1Organizational.123-09.o |
0301.09o1Organizational.123-09.o |
03 Portable Media Security |
0301.09o1Organizational.123-09.o 09.07 Media Handling |
Shared |
n/a |
The organization, based on the data classification level, registers media (including laptops) prior to use, places reasonable restrictions on how such media are used, and provides an appropriate level of physical and logical protection (including encryption) for media containing covered information until properly destroyed or sanitized. |
|
14 |
| hipaa |
0305.09q1Organizational.12-09.q |
hipaa-0305.09q1Organizational.12-09.q |
0305.09q1Organizational.12-09.q |
03 Portable Media Security |
0305.09q1Organizational.12-09.q 09.07 Media Handling |
Shared |
n/a |
Media is labeled, encrypted, and handled according to its classification. |
|
7 |
| hipaa |
0408.01y3Organizational.12-01.y |
hipaa-0408.01y3Organizational.12-01.y |
0408.01y3Organizational.12-01.y |
04 Mobile Device Security |
0408.01y3Organizational.12-01.y 01.07 Mobile Computing and Teleworking |
Shared |
n/a |
Prior to authorizing teleworking, (i) the organization provides a definition of the work permitted, standard operating hours, classification of information that may be held/stored, and the internal systems and services that the teleworker is authorized to access; (ii) suitable equipment and storage furniture for the teleworking activities, where the use of privately owned equipment not under the control of the organization is forbidden; (iii) suitable communications equipment, including methods for securing remote access; (iv) rules and guidance on family and visitor access to equipment and information; (v) hardware and software support and maintenance; (vi) procedures for back-up and business continuity; (vii) a means for teleworkers to communicate with information security personnel in case of security incidents or problems; and, (viii) audit and security monitoring. |
|
5 |
| hipaa |
0415.01y1Organizational.10-01.y |
hipaa-0415.01y1Organizational.10-01.y |
0415.01y1Organizational.10-01.y |
04 Mobile Device Security |
0415.01y1Organizational.10-01.y 01.07 Mobile Computing and Teleworking |
Shared |
n/a |
Suitable protections of the teleworking site are in place to protect against the theft of equipment and information, the unauthorized disclosure of information, and unauthorized remote access to the organization's internal systems or misuse of facilities. |
|
5 |
| hipaa |
0416.01y3Organizational.4-01.y |
hipaa-0416.01y3Organizational.4-01.y |
0416.01y3Organizational.4-01.y |
04 Mobile Device Security |
0416.01y3Organizational.4-01.y 01.07 Mobile Computing and Teleworking |
Shared |
n/a |
The organization instructs all personnel working from home to implement fundamental security controls and practices; including, but not limited to, passwords, virus protection, personal firewalls, laptop cable locks, recording serial numbers and other identification information about laptops, and disconnecting modems at alternate worksites. |
|
4 |
| hipaa |
18110.08j1Organizational.5-08.j |
hipaa-18110.08j1Organizational.5-08.j |
18110.08j1Organizational.5-08.j |
18 Physical & Environmental Security |
18110.08j1Organizational.5-08.j 08.02 Equipment Security |
Shared |
n/a |
The organization monitors and controls non-local maintenance and diagnostic activities; and prohibits non-local system maintenance unless explicitly authorized, in writing, by the CIO or his/her designated representative. |
|
4 |
| hipaa |
18112.08j3Organizational.4-08.j |
hipaa-18112.08j3Organizational.4-08.j |
18112.08j3Organizational.4-08.j |
18 Physical & Environmental Security |
18112.08j3Organizational.4-08.j 08.02 Equipment Security |
Shared |
n/a |
The organization documents the requirements (e.g., policies and procedures) for the establishment and use of non-local maintenance and diagnostic connections in the security plan for the information system. |
|
3 |
| hipaa |
1819.08j1Organizational.23-08.j |
hipaa-1819.08j1Organizational.23-08.j |
1819.08j1Organizational.23-08.j |
18 Physical & Environmental Security |
1819.08j1Organizational.23-08.j 08.02 Equipment Security |
Shared |
n/a |
Maintenance and service are controlled and conducted by authorized personnel in accordance with supplier-recommended intervals, insurance policies and the organization’s maintenance program, taking into account whether this maintenance is performed by personnel on site or external to the organization. |
|
7 |
| hipaa |
1820.08j2Organizational.1-08.j |
hipaa-1820.08j2Organizational.1-08.j |
1820.08j2Organizational.1-08.j |
18 Physical & Environmental Security |
1820.08j2Organizational.1-08.j 08.02 Equipment Security |
Shared |
n/a |
Covered information is cleared from equipment prior to maintenance unless explicitly authorized. |
|
2 |
| hipaa |
1821.08j2Organizational.3-08.j |
hipaa-1821.08j2Organizational.3-08.j |
1821.08j2Organizational.3-08.j |
18 Physical & Environmental Security |
1821.08j2Organizational.3-08.j 08.02 Equipment Security |
Shared |
n/a |
Following maintenance, security controls are checked and verified. |
|
4 |
| hipaa |
1822.08j2Organizational.2-08.j |
hipaa-1822.08j2Organizational.2-08.j |
1822.08j2Organizational.2-08.j |
18 Physical & Environmental Security |
1822.08j2Organizational.2-08.j 08.02 Equipment Security |
Shared |
n/a |
Records of maintenance are maintained. |
|
4 |
| hipaa |
1823.08j3Organizational.12-08.j |
hipaa-1823.08j3Organizational.12-08.j |
1823.08j3Organizational.12-08.j |
18 Physical & Environmental Security |
1823.08j3Organizational.12-08.j 08.02 Equipment Security |
Shared |
n/a |
Tools for maintenance are approved, controlled, monitored and periodically checked. |
|
2 |
| hipaa |
1824.08j3Organizational.3-08.j |
hipaa-1824.08j3Organizational.3-08.j |
1824.08j3Organizational.3-08.j |
18 Physical & Environmental Security |
1824.08j3Organizational.3-08.j 08.02 Equipment Security |
Shared |
n/a |
Media containing diagnostic and test programs are checked for malicious code prior to use. |
|
2 |
| ISO27001-2013 |
A.11.2.4 |
ISO27001-2013_A.11.2.4 |
ISO 27001:2013 A.11.2.4 |
Physical And Environmental Security |
Equipment maintenance |
Shared |
n/a |
Equipment shall be correctly maintained to ensure its continued availability and integrity. |
link |
9 |
| ISO27001-2013 |
A.11.2.5 |
ISO27001-2013_A.11.2.5 |
ISO 27001:2013 A.11.2.5 |
Physical And Environmental Security |
Removal of assets |
Shared |
n/a |
Equipment, information or software shall not be taken off-site without prior authorization. |
link |
6 |
| ISO27001-2013 |
A.12.1.2 |
ISO27001-2013_A.12.1.2 |
ISO 27001:2013 A.12.1.2 |
Operations Security |
Change management |
Shared |
n/a |
Changes to organization, business processes, information processing facilities and systems that affect information security shall be controlled. |
link |
27 |
| ISO27001-2013 |
A.12.2.1 |
ISO27001-2013_A.12.2.1 |
ISO 27001:2013 A.12.2.1 |
Operations Security |
Controls against malware |
Shared |
n/a |
Detection, prevention, and recovery controls to protect against malware shall be implemented, combined with appropriate user awareness. |
link |
12 |
|
mp.eq.2 User session lockout |
mp.eq.2 User session lockout |
404 not found |
|
|
|
n/a |
n/a |
|
29 |
|
mp.info.6 Backups |
mp.info.6 Backups |
404 not found |
|
|
|
n/a |
n/a |
|
65 |
|
mp.si.3 Custody |
mp.si.3 Custody |
404 not found |
|
|
|
n/a |
n/a |
|
27 |
| NIST_SP_800-171_R2_3 |
.7.2 |
NIST_SP_800-171_R2_3.7.2 |
NIST SP 800-171 R2 3.7.2 |
Maintenance |
Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
This requirement addresses security-related issues with maintenance tools that are not within the organizational system boundaries that process, store, or transmit CUI, but are used specifically for diagnostic and repair actions on those systems. Organizations have flexibility in determining the controls in place for maintenance tools, but can include approving, controlling, and monitoring the use of such tools. Maintenance tools are potential vehicles for transporting malicious code, either intentionally or unintentionally, into a facility and into organizational systems. Maintenance tools can include hardware, software, and firmware items, for example, hardware and software diagnostic test equipment and hardware and software packet sniffers. |
link |
4 |
| NIST_SP_800-171_R2_3 |
.7.3 |
NIST_SP_800-171_R2_3.7.3 |
NIST SP 800-171 R2 3.7.3 |
Maintenance |
Ensure equipment removed for off-site maintenance is sanitized of any CUI. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
This requirement addresses the information security aspects of system maintenance that are performed off-site and applies to all types of maintenance to any system component (including applications) conducted by a local or nonlocal entity (e.g., in-contract, warranty, in- house, software maintenance agreement). [SP 800-88] provides guidance on media sanitization. |
link |
3 |
| NIST_SP_800-171_R2_3 |
.7.4 |
NIST_SP_800-171_R2_3.7.4 |
NIST SP 800-171 R2 3.7.4 |
Maintenance |
Check media containing diagnostic and test programs for malicious code before the media are used in organizational systems. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
If, upon inspection of media containing maintenance diagnostic and test programs, organizations determine that the media contain malicious code, the incident is handled consistent with incident handling policies and procedures. |
link |
2 |
| NIST_SP_800-171_R2_3 |
.7.5 |
NIST_SP_800-171_R2_3.7.5 |
NIST SP 800-171 R2 3.7.5 |
Maintenance |
Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through an external network. The authentication techniques employed in the establishment of these nonlocal maintenance and diagnostic sessions reflect the network access requirements in 3.5.3. |
link |
1 |
| NIST_SP_800-53_R4 |
MA-2 |
NIST_SP_800-53_R4_MA-2 |
NIST SP 800-53 Rev. 4 MA-2 |
Maintenance |
Controlled Maintenance |
Shared |
n/a |
The organization:
a. Schedules, performs, documents, and reviews records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements;
b. Approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;
c. Requires that [Assignment: organization-defined personnel or roles] explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs;
d. Sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs;
e. Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; and
f. Includes [Assignment: organization-defined maintenance-related information] in organizational maintenance records.
Supplemental Guidance: This control addresses the information security aspects of the information system maintenance program and applies to all types of maintenance to any system component (including applications) conducted by any local or nonlocal entity (e.g., in-contract, warranty, in- house, software maintenance agreement). System maintenance also includes those components not directly associated with information processing and/or data/information retention such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes, for example: (i) date and time of maintenance; (ii) name of individuals or group performing the maintenance; (iii) name of escort, if necessary; (iv) a description of the maintenance performed; and (v) information system components/equipment removed or replaced (including identification numbers, if applicable). The level of detail included in maintenance records can be informed by
the security categories of organizational information systems. Organizations consider supply chain issues associated with replacement components for information systems. Related controls: CM-3, CM-4, MA-4, MP-6, PE-16, SA-12, SI-2.
References: None. |
link |
4 |
| NIST_SP_800-53_R4 |
MA-3 |
NIST_SP_800-53_R4_MA-3 |
NIST SP 800-53 Rev. 4 MA-3 |
Maintenance |
Maintenance Tools |
Shared |
n/a |
The organization approves, controls, and monitors information system maintenance tools.
Supplemental Guidance: This control addresses security-related issues associated with maintenance tools used specifically for diagnostic and repair actions on organizational information systems. Maintenance tools can include hardware, software, and firmware items. Maintenance tools are potential vehicles for transporting malicious code, either intentionally or unintentionally, into a facility and subsequently into organizational information systems. Maintenance tools can include, for example, hardware/software diagnostic test equipment and hardware/software packet sniffers. This control does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing “ping,” “ls,” “ipconfig,” or the hardware and software implementing the monitoring port of an Ethernet switch. Related controls: MA-2, MA-5, MP-6.
References: NIST Special Publication 800-88. |
link |
2 |
| NIST_SP_800-53_R4 |
MA-3(1) |
NIST_SP_800-53_R4_MA-3(1) |
NIST SP 800-53 Rev. 4 MA-3 (1) |
Maintenance |
Inspect Tools |
Shared |
n/a |
The organization inspects the maintenance tools carried into a facility by maintenance personnel for improper or unauthorized modifications.
Supplemental Guidance: If, upon inspection of maintenance tools, organizations determine that the tools have been modified in an improper/unauthorized manner or contain malicious code, the incident is handled consistent with organizational policies and procedures for incident handling. Related control: SI-7. |
link |
2 |
| NIST_SP_800-53_R4 |
MA-3(2) |
NIST_SP_800-53_R4_MA-3(2) |
NIST SP 800-53 Rev. 4 MA-3 (2) |
Maintenance |
Inspect Media |
Shared |
n/a |
The organization checks media containing diagnostic and test programs for malicious code before the media are used in the information system.
Supplemental Guidance: If, upon inspection of media containing maintenance diagnostic and test programs, organizations determine that the media contain malicious code, the incident is handled consistent with organizational incident handling policies and procedures. Related control: SI-3. |
link |
2 |
| NIST_SP_800-53_R4 |
MA-3(3) |
NIST_SP_800-53_R4_MA-3(3) |
NIST SP 800-53 Rev. 4 MA-3 (3) |
Maintenance |
Prevent Unauthorized Removal |
Shared |
n/a |
The organization prevents the unauthorized removal of maintenance equipment containing organizational information by:
(a) Verifying that there is no organizational information contained on the equipment;
(b) Sanitizing or destroying the equipment;
(c) Retaining the equipment within the facility; or
(d) Obtaining an exemption from [Assignment: organization-defined personnel or roles] explicitly authorizing removal of the equipment from the facility.
Supplemental Guidance: Organizational information includes all information specifically owned by organizations and information provided to organizations in which organizations serve as information stewards. |
link |
4 |
| NIST_SP_800-53_R4 |
MA-4 |
NIST_SP_800-53_R4_MA-4 |
NIST SP 800-53 Rev. 4 MA-4 |
Maintenance |
Nonlocal Maintenance |
Shared |
n/a |
The organization:
a. Approves and monitors nonlocal maintenance and diagnostic activities;
b. Allows the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the information system;
c. Employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions;
d. Maintains records for nonlocal maintenance and diagnostic activities; and
e. Terminates session and network connections when nonlocal maintenance is completed.
Supplemental Guidance: Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. Authentication techniques used in the establishment of nonlocal maintenance and diagnostic sessions reflect the network access requirements in IA-2. Typically, strong authentication requires authenticators that are resistant to replay attacks and employ multifactor authentication. Strong authenticators include, for example, PKI where certificates are stored on a token protected by a password, passphrase, or biometric. Enforcing requirements in MA-4 is accomplished in part by other controls. Related controls: AC-2, AC-3, AC-6, AC-17, AU-2, AU-3, IA-2, IA-4, IA-5, IA-8, MA-2, MA-5, MP-6, PL-2, SC-7, SC-10, SC-17.
References: FIPS Publications 140-2, 197, 201; NIST Special Publications 800-63, 800-88; CNSS Policy 15. |
link |
1 |
| NIST_SP_800-53_R4 |
MA-4(2) |
NIST_SP_800-53_R4_MA-4(2) |
NIST SP 800-53 Rev. 4 MA-4 (2) |
Maintenance |
Document Nonlocal Maintenance |
Shared |
n/a |
The organization documents in the security plan for the information system, the policies and procedures for the establishment and use of nonlocal maintenance and diagnostic connections. |
link |
1 |
| NIST_SP_800-53_R5 |
MA-2 |
NIST_SP_800-53_R5_MA-2 |
NIST SP 800-53 Rev. 5 MA-2 |
Maintenance |
Controlled Maintenance |
Shared |
n/a |
a. Schedule, document, and review records of maintenance, repair, and replacement on system components in accordance with manufacturer or vendor specifications and/or organizational requirements;
b. Approve and monitor all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location;
c. Require that [Assignment: organization-defined personnel or roles] explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement;
d. Sanitize equipment to remove the following information from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement: [Assignment: organization-defined information];
e. Check all potentially impacted controls to verify that the controls are still functioning properly following maintenance, repair, or replacement actions; and
f. Include the following information in organizational maintenance records: [Assignment: organization-defined information]. |
link |
4 |
| NIST_SP_800-53_R5 |
MA-3 |
NIST_SP_800-53_R5_MA-3 |
NIST SP 800-53 Rev. 5 MA-3 |
Maintenance |
Maintenance Tools |
Shared |
n/a |
a. Approve, control, and monitor the use of system maintenance tools; and
b. Review previously approved system maintenance tools [Assignment: organization-defined frequency]. |
link |
2 |
| NIST_SP_800-53_R5 |
MA-3(1) |
NIST_SP_800-53_R5_MA-3(1) |
NIST SP 800-53 Rev. 5 MA-3 (1) |
Maintenance |
Inspect Tools |
Shared |
n/a |
Inspect the maintenance tools used by maintenance personnel for improper or unauthorized modifications. |
link |
2 |
| NIST_SP_800-53_R5 |
MA-3(2) |
NIST_SP_800-53_R5_MA-3(2) |
NIST SP 800-53 Rev. 5 MA-3 (2) |
Maintenance |
Inspect Media |
Shared |
n/a |
Check media containing diagnostic and test programs for malicious code before the media are used in the system. |
link |
2 |
| NIST_SP_800-53_R5 |
MA-3(3) |
NIST_SP_800-53_R5_MA-3(3) |
NIST SP 800-53 Rev. 5 MA-3 (3) |
Maintenance |
Prevent Unauthorized Removal |
Shared |
n/a |
Prevent the removal of maintenance equipment containing organizational information by:
(a) Verifying that there is no organizational information contained on the equipment;
(b) Sanitizing or destroying the equipment;
(c) Retaining the equipment within the facility; or
(d) Obtaining an exemption from [Assignment: organization-defined personnel or roles] explicitly authorizing removal of the equipment from the facility. |
link |
4 |
| NIST_SP_800-53_R5 |
MA-4 |
NIST_SP_800-53_R5_MA-4 |
NIST SP 800-53 Rev. 5 MA-4 |
Maintenance |
Nonlocal Maintenance |
Shared |
n/a |
a. Approve and monitor nonlocal maintenance and diagnostic activities;
b. Allow the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the system;
c. Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions;
d. Maintain records for nonlocal maintenance and diagnostic activities; and
e. Terminate session and network connections when nonlocal maintenance is completed. |
link |
1 |
|
op.exp.4 Security maintenance and updates |
op.exp.4 Security maintenance and updates |
404 not found |
|
|
|
n/a |
n/a |
|
78 |
|
op.exp.5 Change management |
op.exp.5 Change management |
404 not found |
|
|
|
n/a |
n/a |
|
71 |
|
op.exp.6 Protection against harmful code |
op.exp.6 Protection against harmful code |
404 not found |
|
|
|
n/a |
n/a |
|
68 |