MA - Maintenance

  • Controls Count: 9
  • Controls IDs: MA-1, MA-2, MA-3, MA-3 (1), MA-3 (2), MA-3 (3), MA-4, MA-5, MA-6

Controls

MA-1: Policy and Procedures

Develop, document, and disseminate to organization-defined personnel or roles:

organization-level, mission/business process-level, and/or system-level maintenance policy that:

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

Procedures to facilitate the implementation of the maintenance policy and the associated maintenance controls;

Designate an organization-defined official to manage the development, documentation, and dissemination of the maintenance policy and procedures; and

Review and update the current maintenance:

Policy at an organization-defined frequency and following organization-defined events; and

Procedures at an organization-defined frequency and following organization-defined events.

Maintenance policy and procedures address the controls in the MA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of maintenance policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to maintenance policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

a maintenance policy is developed and documented;

the maintenance policy is disseminated to organization-defined personnel or roles;

maintenance procedures to facilitate the implementation of the maintenance policy and associated maintenance controls are developed and documented;

the maintenance procedures are disseminated to organization-defined personnel or roles;

the organization-level, mission/business process-level, and/or system-level maintenance policy addresses purpose;

the organization-level, mission/business process-level, and/or system-level maintenance policy addresses scope;

the organization-level, mission/business process-level, and/or system-level maintenance policy addresses roles;

the organization-level, mission/business process-level, and/or system-level maintenance policy addresses responsibilities;

the organization-level, mission/business process-level, and/or system-level maintenance policy addresses management commitment;

the organization-level, mission/business process-level, and/or system-level maintenance policy addresses coordination among organizational entities;

the organization-level, mission/business process-level, and/or system-level maintenance policy addresses compliance;

the organization-level, mission/business process-level, and/or system-level maintenance policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;

an organization-defined official is designated to manage the development, documentation, and dissemination of the maintenance policy and procedures;

the current maintenance policy is reviewed and updated at an organization-defined frequency;

the current maintenance policy is reviewed and updated following organization-defined events;

the current maintenance procedures are reviewed and updated at an organization-defined frequency;

the current maintenance procedures are reviewed and updated following organization-defined events.

Maintenance policy and procedures

system security plan

privacy plan

organizational risk management strategy

other relevant documents or records

Organizational personnel with maintenance responsibilities

organizational personnel with information security and privacy responsibilities

MA-2: Controlled Maintenance

Schedule, document, and review records of maintenance, repair, and replacement on system components in accordance with manufacturer or vendor specifications and/or organizational requirements;

Approve and monitor all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location;

Require that organization-defined personnel or roles explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement;

Sanitize equipment to remove organization-defined information from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement;

Check all potentially impacted controls to verify that the controls are still functioning properly following maintenance, repair, or replacement actions; and

Include organization-defined information in organizational maintenance records.

Controlling system maintenance addresses the information security aspects of the system maintenance program and applies to all types of maintenance to system components conducted by local or nonlocal entities. Maintenance includes peripherals such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes the date and time of maintenance, a description of the maintenance performed, names of the individuals or group performing the maintenance, name of the escort, and system components or equipment that are removed or replaced. Organizations consider supply chain-related risks associated with replacement components for systems.

maintenance, repair, and replacement of system components are scheduled in accordance with manufacturer or vendor specifications and/or organizational requirements;

maintenance, repair, and replacement of system components are documented in accordance with manufacturer or vendor specifications and/or organizational requirements;

records of maintenance, repair, and replacement of system components are reviewed in accordance with manufacturer or vendor specifications and/or organizational requirements;

all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are approved;

all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are monitored;

organization-defined personnel or roles are required to explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement;

equipment is sanitized to remove organization-defined information from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement;

all potentially impacted controls are checked to verify that the controls are still functioning properly following maintenance, repair, or replacement actions;

organization-defined information is included in organizational maintenance records.

Maintenance policy

procedures addressing controlled system maintenance

maintenance records

manufacturer/vendor maintenance specifications

equipment sanitization records

media sanitization records

system security plan

other relevant documents or records

Organizational personnel with system maintenance responsibilities

organizational personnel with information security responsibilities

organizational personnel responsible for media sanitization

system/network administrators

Organizational processes for scheduling, performing, documenting, reviewing, approving, and monitoring maintenance and repairs for the system

organizational processes for sanitizing system components

mechanisms supporting and/or implementing controlled maintenance

mechanisms implementing the sanitization of system components

MA-3: Maintenance Tools

Approve, control, and monitor the use of system maintenance tools; and

Review previously approved system maintenance tools at an organization-defined frequency.

Approving, controlling, monitoring, and reviewing maintenance tools address security-related issues associated with maintenance tools that are not within system authorization boundaries and are used specifically for diagnostic and repair actions on organizational systems. Organizations have flexibility in determining roles for the approval of maintenance tools and how that approval is documented. A periodic review of maintenance tools facilitates the withdrawal of approval for outdated, unsupported, irrelevant, or no-longer-used tools. Maintenance tools can include hardware, software, and firmware items and may be pre-installed, brought in with maintenance personnel on media, cloud-based, or downloaded from a website. Such tools can be vehicles for transporting malicious code, either intentionally or unintentionally, into a facility and subsequently into systems. Maintenance tools can include hardware and software diagnostic test equipment and packet sniffers. The hardware and software components that support maintenance and are a part of the system (including the software implementing utilities such as "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch) are not addressed by maintenance tools.

the use of system maintenance tools is approved;

the use of system maintenance tools is controlled;

the use of system maintenance tools is monitored;

previously approved system maintenance tools are reviewed at an organization-defined frequency.

Maintenance policy

procedures addressing system maintenance tools

system maintenance tools and associated documentation

maintenance records

system security plan

other relevant documents or records

Organizational personnel with system maintenance responsibilities

organizational personnel with information security responsibilities

Organizational processes for approving, controlling, and monitoring maintenance tools

mechanisms supporting and/or implementing the approval, control, and/or monitoring of maintenance tools

MA-3 (1): Inspect Tools

Inspect the maintenance tools used by maintenance personnel for improper or unauthorized modifications.

Maintenance tools can be directly brought into a facility by maintenance personnel or downloaded from a vendor’s website. If, upon inspection of the maintenance tools, organizations determine that the tools have been modified in an improper manner or the tools contain malicious code, the incident is handled consistent with organizational policies and procedures for incident handling.

maintenance tools used by maintenance personnel are inspected for improper or unauthorized modifications.

Maintenance policy

procedures addressing system maintenance tools

system maintenance tools and associated documentation

maintenance tool inspection records

maintenance records

system security plan

other relevant documents or records

Organizational personnel with system maintenance responsibilities

organizational personnel with information security responsibilities

Organizational processes for inspecting maintenance tools

mechanisms supporting and/or implementing the inspection of maintenance tools

MA-3 (2): Inspect Media

Check media containing diagnostic and test programs for malicious code before the media are used in the system.

If, upon inspection of media containing maintenance, diagnostic, and test programs, organizations determine that the media contains malicious code, the incident is handled consistent with organizational incident handling policies and procedures.

media containing diagnostic and test programs are checked for malicious code before the media are used in the system.

Maintenance policy

procedures addressing system maintenance tools

system maintenance tools and associated documentation

maintenance records

system security plan

other relevant documents or records

Organizational personnel with system maintenance responsibilities

organizational personnel with information security responsibilities

Organizational process for inspecting media for malicious code

mechanisms supporting and/or implementing the inspection of media used for maintenance

MA-3 (3): Prevent Unauthorized Removal

Prevent the removal of maintenance equipment containing organizational information by:

Verifying that there is no organizational information contained on the equipment;

Sanitizing or destroying the equipment;

Retaining the equipment within the facility; or

Obtaining an exemption from organization-defined personnel or roles explicitly authorizing removal of the equipment from the facility.

Organizational information includes all information owned by organizations and any information provided to organizations for which the organizations serve as information stewards.

the removal of maintenance equipment containing organizational information is prevented by verifying that there is no organizational information contained on the equipment; or

the removal of maintenance equipment containing organizational information is prevented by sanitizing or destroying the equipment; or

the removal of maintenance equipment containing organizational information is prevented by retaining the equipment within the facility; or

the removal of maintenance equipment containing organizational information is prevented by obtaining an exemption from organization-defined personnel or roles explicitly authorizing removal of the equipment from the facility.

Maintenance policy

procedures addressing system maintenance tools

system maintenance tools and associated documentation

maintenance records

equipment sanitization records

media sanitization records

exemptions for equipment removal

system security plan

other relevant documents or records

Organizational personnel with system maintenance responsibilities

organizational personnel with information security responsibilities

organizational personnel responsible for media sanitization

Organizational process for preventing unauthorized removal of information

mechanisms supporting media sanitization or destruction of equipment

mechanisms supporting verification of media sanitization

MA-4: Nonlocal Maintenance

Approve and monitor nonlocal maintenance and diagnostic activities;

Allow the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the system;

Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions;

Maintain records for nonlocal maintenance and diagnostic activities; and

Terminate session and network connections when nonlocal maintenance is completed.

Nonlocal maintenance and diagnostic activities are conducted by individuals who communicate through either an external or internal network. Local maintenance and diagnostic activities are carried out by individuals who are physically present at the system location and not communicating across a network connection. Authentication techniques used to establish nonlocal maintenance and diagnostic sessions reflect the network access requirements in IA-2. Strong authentication requires authenticators that are resistant to replay attacks and employ multi-factor authentication. Strong authenticators include PKI where certificates are stored on a token protected by a password, passphrase, or biometric. Enforcing requirements in MA-4 is accomplished, in part, by other controls. SP 800-63B provides additional guidance on strong authentication and authenticators.

nonlocal maintenance and diagnostic activities are approved;

nonlocal maintenance and diagnostic activities are monitored;

the use of nonlocal maintenance and diagnostic tools is allowed only as consistent with organizational policy;

the use of nonlocal maintenance and diagnostic tools is documented in the security plan for the system;

strong authentication is employed in the establishment of nonlocal maintenance and diagnostic sessions;

records for nonlocal maintenance and diagnostic activities are maintained;

session connections are terminated when nonlocal maintenance is completed;

network connections are terminated when nonlocal maintenance is completed.

Maintenance policy

procedures addressing nonlocal system maintenance

remote access policy

remote access procedures

system design documentation

system configuration settings and associated documentation

maintenance records

records of remote access

diagnostic records

system security plan

other relevant documents or records

Organizational personnel with system maintenance responsibilities

organizational personnel with information security responsibilities

system/network administrators

Organizational processes for managing nonlocal maintenance

mechanisms implementing, supporting, and/or managing nonlocal maintenance

mechanisms for strong authentication of nonlocal maintenance diagnostic sessions

mechanisms for terminating nonlocal maintenance sessions and network connections

MA-5: Maintenance Personnel

Establish a process for maintenance personnel authorization and maintain a list of authorized maintenance organizations or personnel;

Verify that non-escorted personnel performing maintenance on the system possess the required access authorizations; and

Designate organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.

Maintenance personnel refers to individuals who perform hardware or software maintenance on organizational systems, while PE-2 addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems. Technical competence of supervising individuals relates to the maintenance performed on the systems, while having required access authorizations refers to maintenance on and near the systems. Individuals not previously identified as authorized maintenance personnel—such as information technology manufacturers, vendors, systems integrators, and consultants—may require privileged access to organizational systems, such as when they are required to conduct maintenance activities with little or no notice. Based on organizational assessments of risk, organizations may issue temporary credentials to these individuals. Temporary credentials may be for one-time use or for very limited time periods.

a process for maintenance personnel authorization is established;

a list of authorized maintenance organizations or personnel is maintained;

non-escorted personnel performing maintenance on the system possess the required access authorizations;

organizational personnel with required access authorizations and technical competence is/are designated to supervise the maintenance activities of personnel who do not possess the required access authorizations.

Maintenance policy

procedures addressing maintenance personnel

service provider contracts

service-level agreements

list of authorized personnel

maintenance records

access control records

system security plan

other relevant documents or records

Organizational personnel with system maintenance responsibilities

organizational personnel with information security responsibilities

Organizational processes for authorizing and managing maintenance personnel

mechanisms supporting and/or implementing authorization of maintenance personnel

MA-6: Timely Maintenance

Obtain maintenance support and/or spare parts for organization-defined system components within an organization-defined time period of failure.

Organizations specify the system components that result in increased risk to organizational operations and assets, individuals, other organizations, or the Nation when the functionality provided by those components is not operational. Organizational actions to obtain maintenance support include having appropriate contracts in place.

maintenance support and/or spare parts are obtained for organization-defined system components within an organization-defined time period of failure.

Maintenance policy

procedures addressing system maintenance

service provider contracts

service-level agreements

inventory and availability of spare parts

system security plan

other relevant documents or records

Organizational personnel with system maintenance responsibilities

organizational personnel with acquisition responsibilities

organizational personnel with information security responsibilities

system/network administrators

Organizational processes for ensuring timely maintenance