last sync: 2024-Oct-11 17:51:27 UTC

Control maintenance and repair activities | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source Azure Portal
Display name Control maintenance and repair activities
Id b6ad009f-5c24-1dc0-a25e-74b60e4da45f
Version 1.1.0
Versioning Built-in Versioning [Preview]; versions supported: 1 (1.1.0)
Category Regulatory Compliance
Description CMA_0080 - Control maintenance and repair activities
Additional metadata Name/Id: CMA_0080 / CMA_0080
Category: Operational
Title: Control maintenance and repair activities
Ownership: Customer
Description: Microsoft recommends that your organization schedule, perform, document, and review records of maintenance and repairs on information system components in accordance with vendor specifications and organizational requirements. It is recommended that your organization consider approving and monitoring all maintenance activities, whether performed on site or remotely, and controlling, monitoring, and approving the maintenance tools used. This helps your organization decrease the risk of unintended disclosure of classified information and protect the integrity of the equipment. It is recommended that your organization implement automated processes for performing and recording maintenance and repairs and for maintaining reliable and comprehensive records of all maintenance and repair activities. We recommend conducting regular inspections to ensure that maintenance tools have the latest patches and software updates. Your organization may consider including maintenance-related information in organizational maintenance records for tracking and record-keeping purposes. It is recommended that your organization ensure that maintenance or repair activities are performed by cleared personnel, or implement procedures for mitigating the risk when an uncleared individual is to perform the activities. These procedures may include ensuring that the equipment and media are sanitized to remove all information from associated media, and are properly classified, prior to removal from organizational facilities for off-site maintenance or repairs. It is also recommended that the individual be escorted by another individual who is cleared and knowledgeable about the equipment or product. Microsoft also recommends that your organization require approval from authorized personnel for the removal of information systems or system components for off-site maintenance, repairs, or disposal. This may also include ensuring that the physical transfer, processing, and storage requirements are appropriate for the classification of the product and the associated information. Your organization may also consider inspecting equipment upon return from off-site maintenance or repair activities to verify that the controls are still functioning properly after the maintenance or repair actions. It is recommended to conduct predictive maintenance on your organization's systems and to send the resulting data to a maintenance management system using automated mechanisms that trigger activities such as the planning, execution, and reporting of maintenance. Your organization may be required to obtain approval from the relevant authority prior to conducting repairs on certain equipment. The New Zealand Information Security Manual requires organizations to obtain approval from the Government Communications Security Bureau (GCSB) for repairs on high assurance products or high-grade cryptographic equipment (HGCE) and to ensure that the maintenance and repairs are performed on-site by an appropriately cleared technician.
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default: Manual; Allowed: Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1): Microsoft.Resources/subscriptions
Compliance
The following 43 compliance controls are associated with this Policy definition 'Control maintenance and repair activities' (b6ad009f-5c24-1dc0-a25e-74b60e4da45f)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
FedRAMP_High_R4 MA-2 FedRAMP_High_R4_MA-2 FedRAMP High MA-2 Maintenance Controlled Maintenance Shared n/a The organization: a. Schedules, performs, documents, and reviews records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements; b. Approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location; c. Requires that [Assignment: organization-defined personnel or roles] explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs; d. Sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs; e. Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; and f. Includes [Assignment: organization-defined maintenance-related information] in organizational maintenance records. Supplemental Guidance: This control addresses the information security aspects of the information system maintenance program and applies to all types of maintenance to any system component (including applications) conducted by any local or nonlocal entity (e.g., in-contract, warranty, in-house, software maintenance agreement). System maintenance also includes those components not directly associated with information processing and/or data/information retention such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes, for example: (i) date and time of maintenance; (ii) name of individuals or group performing the maintenance; (iii) name of escort, if necessary; (iv) a description of the maintenance performed; and (v) information system components/equipment removed or replaced (including identification numbers, if applicable). The level of detail included in maintenance records can be informed by the security categories of organizational information systems. Organizations consider supply chain issues associated with replacement components for information systems. Related controls: CM-3, CM-4, MA-4, MP-6, PE-16, SA-12, SI-2. References: None. link 4
FedRAMP_High_R4 MA-3 FedRAMP_High_R4_MA-3 FedRAMP High MA-3 Maintenance Maintenance Tools Shared n/a The organization approves, controls, and monitors information system maintenance tools. Supplemental Guidance: This control addresses security-related issues associated with maintenance tools used specifically for diagnostic and repair actions on organizational information systems. Maintenance tools can include hardware, software, and firmware items. Maintenance tools are potential vehicles for transporting malicious code, either intentionally or unintentionally, into a facility and subsequently into organizational information systems. Maintenance tools can include, for example, hardware/software diagnostic test equipment and hardware/software packet sniffers. This control does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing “ping,” “ls,” “ipconfig,” or the hardware and software implementing the monitoring port of an Ethernet switch. Related controls: MA-2, MA-5, MP-6. References: NIST Special Publication 800-88. link 2
FedRAMP_High_R4 MA-3(1) FedRAMP_High_R4_MA-3(1) FedRAMP High MA-3 (1) Maintenance Inspect Tools Shared n/a The organization inspects the maintenance tools carried into a facility by maintenance personnel for improper or unauthorized modifications. Supplemental Guidance: If, upon inspection of maintenance tools, organizations determine that the tools have been modified in an improper/unauthorized manner or contain malicious code, the incident is handled consistent with organizational policies and procedures for incident handling. Related control: SI-7. link 2
FedRAMP_High_R4 MA-3(2) FedRAMP_High_R4_MA-3(2) FedRAMP High MA-3 (2) Maintenance Inspect Media Shared n/a The organization checks media containing diagnostic and test programs for malicious code before the media are used in the information system. Supplemental Guidance: If, upon inspection of media containing maintenance diagnostic and test programs, organizations determine that the media contain malicious code, the incident is handled consistent with organizational incident handling policies and procedures. Related control: SI-3. link 2
FedRAMP_High_R4 MA-3(3) FedRAMP_High_R4_MA-3(3) FedRAMP High MA-3 (3) Maintenance Prevent Unauthorized Removal Shared n/a The organization prevents the unauthorized removal of maintenance equipment containing organizational information by: (a) Verifying that there is no organizational information contained on the equipment; (b) Sanitizing or destroying the equipment; (c) Retaining the equipment within the facility; or (d) Obtaining an exemption from [Assignment: organization-defined personnel or roles] explicitly authorizing removal of the equipment from the facility. Supplemental Guidance: Organizational information includes all information specifically owned by organizations and information provided to organizations in which organizations serve as information stewards. link 4
FedRAMP_Moderate_R4 MA-2 FedRAMP_Moderate_R4_MA-2 FedRAMP Moderate MA-2 Maintenance Controlled Maintenance Shared n/a The organization: a. Schedules, performs, documents, and reviews records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements; b. Approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location; c. Requires that [Assignment: organization-defined personnel or roles] explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs; d. Sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs; e. Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; and f. Includes [Assignment: organization-defined maintenance-related information] in organizational maintenance records. Supplemental Guidance: This control addresses the information security aspects of the information system maintenance program and applies to all types of maintenance to any system component (including applications) conducted by any local or nonlocal entity (e.g., in-contract, warranty, in-house, software maintenance agreement). System maintenance also includes those components not directly associated with information processing and/or data/information retention such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes, for example: (i) date and time of maintenance; (ii) name of individuals or group performing the maintenance; (iii) name of escort, if necessary; (iv) a description of the maintenance performed; and (v) information system components/equipment removed or replaced (including identification numbers, if applicable). The level of detail included in maintenance records can be informed by the security categories of organizational information systems. Organizations consider supply chain issues associated with replacement components for information systems. Related controls: CM-3, CM-4, MA-4, MP-6, PE-16, SA-12, SI-2. References: None. link 4
FedRAMP_Moderate_R4 MA-3 FedRAMP_Moderate_R4_MA-3 FedRAMP Moderate MA-3 Maintenance Maintenance Tools Shared n/a The organization approves, controls, and monitors information system maintenance tools. Supplemental Guidance: This control addresses security-related issues associated with maintenance tools used specifically for diagnostic and repair actions on organizational information systems. Maintenance tools can include hardware, software, and firmware items. Maintenance tools are potential vehicles for transporting malicious code, either intentionally or unintentionally, into a facility and subsequently into organizational information systems. Maintenance tools can include, for example, hardware/software diagnostic test equipment and hardware/software packet sniffers. This control does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing “ping,” “ls,” “ipconfig,” or the hardware and software implementing the monitoring port of an Ethernet switch. Related controls: MA-2, MA-5, MP-6. References: NIST Special Publication 800-88. link 2
FedRAMP_Moderate_R4 MA-3(1) FedRAMP_Moderate_R4_MA-3(1) FedRAMP Moderate MA-3 (1) Maintenance Inspect Tools Shared n/a The organization inspects the maintenance tools carried into a facility by maintenance personnel for improper or unauthorized modifications. Supplemental Guidance: If, upon inspection of maintenance tools, organizations determine that the tools have been modified in an improper/unauthorized manner or contain malicious code, the incident is handled consistent with organizational policies and procedures for incident handling. Related control: SI-7. link 2
FedRAMP_Moderate_R4 MA-3(2) FedRAMP_Moderate_R4_MA-3(2) FedRAMP Moderate MA-3 (2) Maintenance Inspect Media Shared n/a The organization checks media containing diagnostic and test programs for malicious code before the media are used in the information system. Supplemental Guidance: If, upon inspection of media containing maintenance diagnostic and test programs, organizations determine that the media contain malicious code, the incident is handled consistent with organizational incident handling policies and procedures. Related control: SI-3. link 2
FedRAMP_Moderate_R4 MA-3(3) FedRAMP_Moderate_R4_MA-3(3) FedRAMP Moderate MA-3 (3) Maintenance Prevent Unauthorized Removal Shared n/a The organization prevents the unauthorized removal of maintenance equipment containing organizational information by: (a) Verifying that there is no organizational information contained on the equipment; (b) Sanitizing or destroying the equipment; (c) Retaining the equipment within the facility; or (d) Obtaining an exemption from [Assignment: organization-defined personnel or roles] explicitly authorizing removal of the equipment from the facility. Supplemental Guidance: Organizational information includes all information specifically owned by organizations and information provided to organizations in which organizations serve as information stewards. link 4
hipaa 0301.09o1Organizational.123-09.o hipaa-0301.09o1Organizational.123-09.o 0301.09o1Organizational.123-09.o 03 Portable Media Security 0301.09o1Organizational.123-09.o 09.07 Media Handling Shared n/a The organization, based on the data classification level, registers media (including laptops) prior to use, places reasonable restrictions on how such media are used, and provides an appropriate level of physical and logical protection (including encryption) for media containing covered information until properly destroyed or sanitized. 14
hipaa 0305.09q1Organizational.12-09.q hipaa-0305.09q1Organizational.12-09.q 0305.09q1Organizational.12-09.q 03 Portable Media Security 0305.09q1Organizational.12-09.q 09.07 Media Handling Shared n/a Media is labeled, encrypted, and handled according to its classification. 7
hipaa 0408.01y3Organizational.12-01.y hipaa-0408.01y3Organizational.12-01.y 0408.01y3Organizational.12-01.y 04 Mobile Device Security 0408.01y3Organizational.12-01.y 01.07 Mobile Computing and Teleworking Shared n/a Prior to authorizing teleworking, (i) the organization provides a definition of the work permitted, standard operating hours, classification of information that may be held/stored, and the internal systems and services that the teleworker is authorized to access; (ii) suitable equipment and storage furniture for the teleworking activities, where the use of privately owned equipment not under the control of the organization is forbidden; (iii) suitable communications equipment, including methods for securing remote access; (iv) rules and guidance on family and visitor access to equipment and information; (v) hardware and software support and maintenance; (vi) procedures for back-up and business continuity; (vii) a means for teleworkers to communicate with information security personnel in case of security incidents or problems; and, (viii) audit and security monitoring. 5
hipaa 0415.01y1Organizational.10-01.y hipaa-0415.01y1Organizational.10-01.y 0415.01y1Organizational.10-01.y 04 Mobile Device Security 0415.01y1Organizational.10-01.y 01.07 Mobile Computing and Teleworking Shared n/a Suitable protections of the teleworking site are in place to protect against the theft of equipment and information, the unauthorized disclosure of information, and unauthorized remote access to the organization's internal systems or misuse of facilities. 5
hipaa 0416.01y3Organizational.4-01.y hipaa-0416.01y3Organizational.4-01.y 0416.01y3Organizational.4-01.y 04 Mobile Device Security 0416.01y3Organizational.4-01.y 01.07 Mobile Computing and Teleworking Shared n/a The organization instructs all personnel working from home to implement fundamental security controls and practices; including, but not limited to, passwords, virus protection, personal firewalls, laptop cable locks, recording serial numbers and other identification information about laptops, and disconnecting modems at alternate worksites. 4
hipaa 1803.08b1Organizational.5-08.b hipaa-1803.08b1Organizational.5-08.b 1803.08b1Organizational.5-08.b 18 Physical & Environmental Security 1803.08b1Organizational.5-08.b 08.01 Secure Areas Shared n/a Repairs or modifications to the physical components of a facility which are related to security (e.g., hardware, walls, doors and locks) are documented and retained in accordance with the organization's retention policy. 3
hipaa 18110.08j1Organizational.5-08.j hipaa-18110.08j1Organizational.5-08.j 18110.08j1Organizational.5-08.j 18 Physical & Environmental Security 18110.08j1Organizational.5-08.j 08.02 Equipment Security Shared n/a The organization monitors and controls non-local maintenance and diagnostic activities; and prohibits non-local system maintenance unless explicitly authorized, in writing, by the CIO or his/her designated representative. 4
hipaa 1819.08j1Organizational.23-08.j hipaa-1819.08j1Organizational.23-08.j 1819.08j1Organizational.23-08.j 18 Physical & Environmental Security 1819.08j1Organizational.23-08.j 08.02 Equipment Security Shared n/a Maintenance and service are controlled and conducted by authorized personnel in accordance with supplier-recommended intervals, insurance policies and the organization’s maintenance program, taking into account whether this maintenance is performed by personnel on site or external to the organization. 7
hipaa 1820.08j2Organizational.1-08.j hipaa-1820.08j2Organizational.1-08.j 1820.08j2Organizational.1-08.j 18 Physical & Environmental Security 1820.08j2Organizational.1-08.j 08.02 Equipment Security Shared n/a Covered information is cleared from equipment prior to maintenance unless explicitly authorized. 2
hipaa 1821.08j2Organizational.3-08.j hipaa-1821.08j2Organizational.3-08.j 1821.08j2Organizational.3-08.j 18 Physical & Environmental Security 1821.08j2Organizational.3-08.j 08.02 Equipment Security Shared n/a Following maintenance, security controls are checked and verified. 4
hipaa 1822.08j2Organizational.2-08.j hipaa-1822.08j2Organizational.2-08.j 1822.08j2Organizational.2-08.j 18 Physical & Environmental Security 1822.08j2Organizational.2-08.j 08.02 Equipment Security Shared n/a Records of maintenance are maintained. 4
hipaa 1823.08j3Organizational.12-08.j hipaa-1823.08j3Organizational.12-08.j 1823.08j3Organizational.12-08.j 18 Physical & Environmental Security 1823.08j3Organizational.12-08.j 08.02 Equipment Security Shared n/a Tools for maintenance are approved, controlled, monitored and periodically checked. 2
hipaa 1824.08j3Organizational.3-08.j hipaa-1824.08j3Organizational.3-08.j 1824.08j3Organizational.3-08.j 18 Physical & Environmental Security 1824.08j3Organizational.3-08.j 08.02 Equipment Security Shared n/a Media containing diagnostic and test programs are checked for malicious code prior to use. 2
ISO27001-2013 A.11.2.4 ISO27001-2013_A.11.2.4 ISO 27001:2013 A.11.2.4 Physical And Environmental Security Equipment maintenance Shared n/a Equipment shall be correctly maintained to ensure its continued availability and integrity. link 9
ISO27001-2013 A.11.2.5 ISO27001-2013_A.11.2.5 ISO 27001:2013 A.11.2.5 Physical And Environmental Security Removal of assets Shared n/a Equipment, information or software shall not be taken off-site without prior authorization. link 6
ISO27001-2013 A.12.2.1 ISO27001-2013_A.12.2.1 ISO 27001:2013 A.12.2.1 Operations Security Controls against malware Shared n/a Detection, prevention, and recovery controls to protect against malware shall be implemented, combined with appropriate user awareness. link 12
mp.info.6 Backups mp.info.6 Backups 404 not found n/a n/a 65
mp.si.3 Custody mp.si.3 Custody 404 not found n/a n/a 27
NIST_SP_800-171_R2 3.7.1 NIST_SP_800-171_R2_3.7.1 NIST SP 800-171 R2 3.7.1 Maintenance Perform maintenance on organizational systems.[26]. Shared Microsoft and the customer share responsibilities for implementing this requirement. This requirement addresses the information security aspects of the system maintenance program and applies to all types of maintenance to any system component (including hardware, firmware, applications) conducted by any local or nonlocal entity. System maintenance also includes those components not directly associated with information processing and data or information retention such as scanners, copiers, and printers. [26] In general, system maintenance requirements tend to support the security objective of availability. However, improper system maintenance or a failure to perform maintenance can result in the unauthorized disclosure of CUI, thus compromising confidentiality of that information. link 1
NIST_SP_800-171_R2 3.7.2 NIST_SP_800-171_R2_3.7.2 NIST SP 800-171 R2 3.7.2 Maintenance Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance. Shared Microsoft and the customer share responsibilities for implementing this requirement. This requirement addresses security-related issues with maintenance tools that are not within the organizational system boundaries that process, store, or transmit CUI, but are used specifically for diagnostic and repair actions on those systems. Organizations have flexibility in determining the controls in place for maintenance tools, but can include approving, controlling, and monitoring the use of such tools. Maintenance tools are potential vehicles for transporting malicious code, either intentionally or unintentionally, into a facility and into organizational systems. Maintenance tools can include hardware, software, and firmware items, for example, hardware and software diagnostic test equipment and hardware and software packet sniffers. link 4
NIST_SP_800-171_R2 3.7.4 NIST_SP_800-171_R2_3.7.4 NIST SP 800-171 R2 3.7.4 Maintenance Check media containing diagnostic and test programs for malicious code before the media are used in organizational systems. Shared Microsoft and the customer share responsibilities for implementing this requirement. If, upon inspection of media containing maintenance diagnostic and test programs, organizations determine that the media contain malicious code, the incident is handled consistent with incident handling policies and procedures. link 2
NIST_SP_800-53_R4 MA-2 NIST_SP_800-53_R4_MA-2 NIST SP 800-53 Rev. 4 MA-2 Maintenance Controlled Maintenance Shared n/a The organization: a. Schedules, performs, documents, and reviews records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements; b. Approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location; c. Requires that [Assignment: organization-defined personnel or roles] explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs; d. Sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs; e. Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; and f. Includes [Assignment: organization-defined maintenance-related information] in organizational maintenance records. Supplemental Guidance: This control addresses the information security aspects of the information system maintenance program and applies to all types of maintenance to any system component (including applications) conducted by any local or nonlocal entity (e.g., in-contract, warranty, in-house, software maintenance agreement). System maintenance also includes those components not directly associated with information processing and/or data/information retention such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes, for example: (i) date and time of maintenance; (ii) name of individuals or group performing the maintenance; (iii) name of escort, if necessary; (iv) a description of the maintenance performed; and (v) information system components/equipment removed or replaced (including identification numbers, if applicable). The level of detail included in maintenance records can be informed by the security categories of organizational information systems. Organizations consider supply chain issues associated with replacement components for information systems. Related controls: CM-3, CM-4, MA-4, MP-6, PE-16, SA-12, SI-2. References: None. link 4
NIST_SP_800-53_R4 MA-3 NIST_SP_800-53_R4_MA-3 NIST SP 800-53 Rev. 4 MA-3 Maintenance Maintenance Tools Shared n/a The organization approves, controls, and monitors information system maintenance tools. Supplemental Guidance: This control addresses security-related issues associated with maintenance tools used specifically for diagnostic and repair actions on organizational information systems. Maintenance tools can include hardware, software, and firmware items. Maintenance tools are potential vehicles for transporting malicious code, either intentionally or unintentionally, into a facility and subsequently into organizational information systems. Maintenance tools can include, for example, hardware/software diagnostic test equipment and hardware/software packet sniffers. This control does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing “ping,” “ls,” “ipconfig,” or the hardware and software implementing the monitoring port of an Ethernet switch. Related controls: MA-2, MA-5, MP-6. References: NIST Special Publication 800-88. link 2
NIST_SP_800-53_R4 MA-3(1) NIST_SP_800-53_R4_MA-3(1) NIST SP 800-53 Rev. 4 MA-3 (1) Maintenance Inspect Tools Shared n/a The organization inspects the maintenance tools carried into a facility by maintenance personnel for improper or unauthorized modifications. Supplemental Guidance: If, upon inspection of maintenance tools, organizations determine that the tools have been modified in an improper/unauthorized manner or contain malicious code, the incident is handled consistent with organizational policies and procedures for incident handling. Related control: SI-7. link 2
NIST_SP_800-53_R4 MA-3(2) NIST_SP_800-53_R4_MA-3(2) NIST SP 800-53 Rev. 4 MA-3 (2) Maintenance Inspect Media Shared n/a The organization checks media containing diagnostic and test programs for malicious code before the media are used in the information system. Supplemental Guidance: If, upon inspection of media containing maintenance diagnostic and test programs, organizations determine that the media contain malicious code, the incident is handled consistent with organizational incident handling policies and procedures. Related control: SI-3. link 2
NIST_SP_800-53_R4 MA-3(3) NIST_SP_800-53_R4_MA-3(3) NIST SP 800-53 Rev. 4 MA-3 (3) Maintenance Prevent Unauthorized Removal Shared n/a The organization prevents the unauthorized removal of maintenance equipment containing organizational information by: (a) Verifying that there is no organizational information contained on the equipment; (b) Sanitizing or destroying the equipment; (c) Retaining the equipment within the facility; or (d) Obtaining an exemption from [Assignment: organization-defined personnel or roles] explicitly authorizing removal of the equipment from the facility. Supplemental Guidance: Organizational information includes all information specifically owned by organizations and information provided to organizations in which organizations serve as information stewards. link 4
NIST_SP_800-53_R5 MA-2 NIST_SP_800-53_R5_MA-2 NIST SP 800-53 Rev. 5 MA-2 Maintenance Controlled Maintenance Shared n/a a. Schedule, document, and review records of maintenance, repair, and replacement on system components in accordance with manufacturer or vendor specifications and/or organizational requirements; b. Approve and monitor all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location; c. Require that [Assignment: organization-defined personnel or roles] explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement; d. Sanitize equipment to remove the following information from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement: [Assignment: organization-defined information]; e. Check all potentially impacted controls to verify that the controls are still functioning properly following maintenance, repair, or replacement actions; and f. Include the following information in organizational maintenance records: [Assignment: organization-defined information]. link 4
NIST_SP_800-53_R5 MA-3 NIST_SP_800-53_R5_MA-3 NIST SP 800-53 Rev. 5 MA-3 Maintenance Maintenance Tools Shared n/a a. Approve, control, and monitor the use of system maintenance tools; and b. Review previously approved system maintenance tools [Assignment: organization-defined frequency]. link 2
NIST_SP_800-53_R5 MA-3(1) NIST_SP_800-53_R5_MA-3(1) NIST SP 800-53 Rev. 5 MA-3 (1) Maintenance Inspect Tools Shared n/a Inspect the maintenance tools used by maintenance personnel for improper or unauthorized modifications. link 2
NIST_SP_800-53_R5 MA-3(2) NIST_SP_800-53_R5_MA-3(2) NIST SP 800-53 Rev. 5 MA-3 (2) Maintenance Inspect Media Shared n/a Check media containing diagnostic and test programs for malicious code before the media are used in the system. link 2
NIST_SP_800-53_R5 MA-3(3) NIST_SP_800-53_R5_MA-3(3) NIST SP 800-53 Rev. 5 MA-3 (3) Maintenance Prevent Unauthorized Removal Shared n/a Prevent the removal of maintenance equipment containing organizational information by: (a) Verifying that there is no organizational information contained on the equipment; (b) Sanitizing or destroying the equipment; (c) Retaining the equipment within the facility; or (d) Obtaining an exemption from [Assignment: organization-defined personnel or roles] explicitly authorizing removal of the equipment from the facility. link 4
op.exp.4 Security maintenance and updates op.exp.4 Security maintenance and updates 404 not found n/a n/a 78
op.exp.6 Protection against harmful code op.exp.6 Protection against harmful code 404 not found n/a n/a 63
Initiatives usage
Initiative DisplayName    Initiative Id                         Initiative Category    State  Type
FedRAMP High              d5264498-16f4-418a-b659-fa7ef418175f  Regulatory Compliance  GA     BuiltIn
FedRAMP Moderate          e95f5a9f-57ad-4d03-bb0b-b1d16db93693  Regulatory Compliance  GA     BuiltIn
HITRUST/HIPAA             a169a624-5599-4385-a696-c8d643089fab  Regulatory Compliance  GA     BuiltIn
ISO 27001:2013            89c6cddc-1c73-4ac1-b19c-54d1a15a42f2  Regulatory Compliance  GA     BuiltIn
NIST SP 800-171 Rev. 2    03055927-78bd-4236-86c0-f36125a10dc9  Regulatory Compliance  GA     BuiltIn
NIST SP 800-53 Rev. 4     cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f  Regulatory Compliance  GA     BuiltIn
NIST SP 800-53 Rev. 5     179d1daa-458f-4e47-8086-2a68d0d6c38f  Regulatory Compliance  GA     BuiltIn
Spain ENS                 175daf90-21e1-4fec-b745-7b4c909aa94c  Regulatory Compliance  GA     BuiltIn
History
Date/Time (UTC ymd)   Change type   Change detail
2022-09-27 16:35:32   change        Minor (1.0.0 > 1.1.0)
2022-09-13 16:35:29   add           b6ad009f-5c24-1dc0-a25e-74b60e4da45f