MA - Maintenance

  • Controls Count: 3
  • Controls IDs: MA-2 (2), MA-4 (3), MA-5 (1)

Controls

MA-2 (2): Automated Maintenance Activities

Control statement:

  • Schedule, conduct, and document maintenance, repair, and replacement actions for the system using organization-defined automated mechanisms; and
  • Produce up-to-date, accurate, and complete records of all maintenance, repair, and replacement actions requested, scheduled, in process, and completed.

Discussion:

The use of automated mechanisms to manage and control system maintenance programs and activities helps to ensure the generation of timely, accurate, complete, and consistent maintenance records.

Assessment objectives:

  • automated mechanisms used to schedule maintenance, repair, and replacement actions for the system are defined, and those mechanisms are used to schedule maintenance, repair, and replacement actions for the system;
  • automated mechanisms used to conduct maintenance, repair, and replacement actions for the system are defined, and those mechanisms are used to conduct maintenance, repair, and replacement actions for the system;
  • automated mechanisms used to document maintenance, repair, and replacement actions for the system are defined, and those mechanisms are used to document maintenance, repair, and replacement actions for the system;
  • up-to-date, accurate, and complete records of all maintenance actions requested, scheduled, in process, and completed are produced;
  • up-to-date, accurate, and complete records of all repair actions requested, scheduled, in process, and completed are produced;
  • up-to-date, accurate, and complete records of all replacement actions requested, scheduled, in process, and completed are produced.

Examine:

  • maintenance policy
  • procedures addressing controlled system maintenance
  • automated mechanisms supporting system maintenance activities
  • system configuration settings and associated documentation
  • maintenance records
  • system security plan
  • other relevant documents or records

Interview:

  • organizational personnel with system maintenance responsibilities
  • organizational personnel with information security responsibilities
  • system/network administrators

Test:

  • automated mechanisms supporting and/or implementing controlled maintenance
  • automated mechanisms supporting and/or implementing the production of records of maintenance and repair actions

MA-4 (3): Comparable Security and Sanitization

Control statement:

  • Require that nonlocal maintenance and diagnostic services be performed from a system that implements a security capability comparable to the capability implemented on the system being serviced; or
  • Remove the component to be serviced from the system prior to nonlocal maintenance or diagnostic services; sanitize the component (for organizational information); and after the service is performed, inspect and sanitize the component (for potentially malicious software) before reconnecting the component to the system.

Discussion:

Comparable security capability on systems, diagnostic tools, and equipment providing maintenance services implies that the implemented controls on those systems, tools, and equipment are at least as comprehensive as the controls on the system being serviced.

Assessment objectives:

  • nonlocal maintenance services are required to be performed from a system that implements a security capability comparable to the capability implemented on the system being serviced;
  • nonlocal diagnostic services are required to be performed from a system that implements a security capability comparable to the capability implemented on the system being serviced; or
  • the component to be serviced is removed from the system prior to nonlocal maintenance or diagnostic services;
  • the component to be serviced is sanitized (for organizational information);
  • the component is inspected and sanitized (for potentially malicious software) after the service is performed and before reconnecting the component to the system.

Examine:

  • maintenance policy
  • procedures addressing nonlocal system maintenance
  • service provider contracts and/or service-level agreements
  • maintenance records
  • inspection records
  • audit records
  • equipment sanitization records
  • media sanitization records
  • system security plan
  • other relevant documents or records

Interview:

  • organizational personnel with system maintenance responsibilities
  • system maintenance provider
  • organizational personnel with information security responsibilities
  • organizational personnel responsible for media sanitization
  • system/network administrators

Test:

  • organizational processes for comparable security and sanitization for nonlocal maintenance
  • organizational processes for the removal, sanitization, and inspection of components serviced via nonlocal maintenance
  • mechanisms supporting and/or implementing component sanitization and inspection

MA-5 (1): Individuals Without Appropriate Access

Control statement:

Implement procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens, that include the following requirements:

  • Maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals are escorted and supervised during the performance of maintenance and diagnostic activities on the system by approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified; and
  • Prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances, or formal access approvals, all volatile information storage components within the system are sanitized and all nonvolatile storage media are removed or physically disconnected from the system and secured; and
  • Develop and implement organization-defined alternate controls in the event that a system component cannot be sanitized, removed, or disconnected from the system.

Discussion:

Procedures for individuals who lack appropriate security clearances or who are not U.S. citizens are intended to deny visual and electronic access to classified or controlled unclassified information contained on organizational systems. Procedures for the use of maintenance personnel can be documented in security plans for the systems.

Assessment objectives:

  • procedures for the use of maintenance personnel who lack appropriate security clearances or are not U.S. citizens are implemented and include approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified escorting and supervising maintenance personnel without the needed access authorization during the performance of maintenance and diagnostic activities;
  • procedures for the use of maintenance personnel who lack appropriate security clearances or are not U.S. citizens are implemented and include all volatile information storage components within the system being sanitized and all nonvolatile storage media being removed or physically disconnected from the system and secured prior to initiating maintenance or diagnostic activities;
  • alternate controls to be developed and implemented in the event that a system component cannot be sanitized, removed, or disconnected from the system are defined, and those alternate controls are developed and implemented in the event that a system component cannot be sanitized, removed, or disconnected from the system.

Examine:

  • maintenance policy
  • procedures addressing maintenance personnel
  • system media protection policy
  • physical and environmental protection policy
  • list of maintenance personnel requiring escort/supervision
  • maintenance records
  • access control records
  • system security plan
  • other relevant documents or records

Interview:

  • organizational personnel with system maintenance responsibilities
  • organizational personnel with personnel security responsibilities
  • organizational personnel with physical access control responsibilities
  • organizational personnel with information security responsibilities
  • organizational personnel responsible for media sanitization
  • system/network administrators

Test:

  • organizational processes for managing maintenance personnel without appropriate access
  • mechanisms supporting and/or implementing alternative security safeguards
  • mechanisms supporting and/or implementing information storage component sanitization