MA - Maintenance

  • Controls Count: 5
  • Controls IDs: MA-3, MA-3 (1), MA-3 (2), MA-3 (3), MA-6

Controls

MA-3: Maintenance Tools

  • Approve, control, and monitor the use of system maintenance tools; and
  • Review previously approved system maintenance tools [Assignment: organization-defined frequency at which to review previously approved system maintenance tools].

Approving, controlling, monitoring, and reviewing maintenance tools address security-related issues associated with maintenance tools that are not within system authorization boundaries and are used specifically for diagnostic and repair actions on organizational systems. Organizations have flexibility in determining roles for the approval of maintenance tools and how that approval is documented. A periodic review of maintenance tools facilitates the withdrawal of approval for outdated, unsupported, irrelevant, or no-longer-used tools. Maintenance tools can include hardware, software, and firmware items and may be pre-installed, brought in with maintenance personnel on media, cloud-based, or downloaded from a website. Such tools can be vehicles for transporting malicious code, either intentionally or unintentionally, into a facility and subsequently into systems. Maintenance tools can include hardware and software diagnostic test equipment and packet sniffers. The hardware and software components that support maintenance and are a part of the system (including the software implementing utilities such as "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch) are not addressed by maintenance tools.

  • the use of system maintenance tools is approved;
  • the use of system maintenance tools is controlled;
  • the use of system maintenance tools is monitored;
  • previously approved system maintenance tools are reviewed [Assignment: organization-defined frequency at which to review previously approved system maintenance tools].

  • Maintenance policy
  • procedures addressing system maintenance tools
  • system maintenance tools and associated documentation
  • maintenance records
  • system security plan
  • other relevant documents or records

  • Organizational personnel with system maintenance responsibilities
  • organizational personnel with information security responsibilities

  • Organizational processes for approving, controlling, and monitoring maintenance tools
  • mechanisms supporting and/or implementing the approval, control, and/or monitoring of maintenance tools

MA-3 (1): Inspect Tools

Inspect the maintenance tools used by maintenance personnel for improper or unauthorized modifications.

Maintenance tools can be directly brought into a facility by maintenance personnel or downloaded from a vendor’s website. If, upon inspection of the maintenance tools, organizations determine that the tools have been modified in an improper manner or the tools contain malicious code, the incident is handled consistent with organizational policies and procedures for incident handling.

maintenance tools used by maintenance personnel are inspected for improper or unauthorized modifications.

  • Maintenance policy
  • procedures addressing system maintenance tools
  • system maintenance tools and associated documentation
  • maintenance tool inspection records
  • maintenance records
  • system security plan
  • other relevant documents or records

  • Organizational personnel with system maintenance responsibilities
  • organizational personnel with information security responsibilities

  • Organizational processes for inspecting maintenance tools
  • mechanisms supporting and/or implementing the inspection of maintenance tools

MA-3 (2): Inspect Media

Check media containing diagnostic and test programs for malicious code before the media are used in the system.

If, upon inspection of media containing maintenance, diagnostic, and test programs, organizations determine that the media contains malicious code, the incident is handled consistent with organizational incident handling policies and procedures.

media containing diagnostic and test programs are checked for malicious code before the media are used in the system.

  • Maintenance policy
  • procedures addressing system maintenance tools
  • system maintenance tools and associated documentation
  • maintenance records
  • system security plan
  • other relevant documents or records

  • Organizational personnel with system maintenance responsibilities
  • organizational personnel with information security responsibilities

  • Organizational process for inspecting media for malicious code
  • mechanisms supporting and/or implementing the inspection of media used for maintenance

MA-3 (3): Prevent Unauthorized Removal

Prevent the removal of maintenance equipment containing organizational information by:

  • Verifying that there is no organizational information contained on the equipment;
  • Sanitizing or destroying the equipment;
  • Retaining the equipment within the facility; or
  • Obtaining an exemption from [Assignment: organization-defined personnel or roles who can authorize removal of equipment from the facility] explicitly authorizing removal of the equipment from the facility.

Organizational information includes all information owned by organizations and any information provided to organizations for which the organizations serve as information stewards.

  • the removal of maintenance equipment containing organizational information is prevented by verifying that there is no organizational information contained on the equipment; or
  • the removal of maintenance equipment containing organizational information is prevented by sanitizing or destroying the equipment; or
  • the removal of maintenance equipment containing organizational information is prevented by retaining the equipment within the facility; or
  • the removal of maintenance equipment containing organizational information is prevented by obtaining an exemption from [Assignment: organization-defined personnel or roles who can authorize removal of equipment from the facility] explicitly authorizing removal of the equipment from the facility.

  • Maintenance policy
  • procedures addressing system maintenance tools
  • system maintenance tools and associated documentation
  • maintenance records
  • equipment sanitization records
  • media sanitization records
  • exemptions for equipment removal
  • system security plan
  • other relevant documents or records

  • Organizational personnel with system maintenance responsibilities
  • organizational personnel with information security responsibilities
  • organizational personnel responsible for media sanitization

  • Organizational process for preventing unauthorized removal of information
  • mechanisms supporting media sanitization or destruction of equipment
  • mechanisms supporting verification of media sanitization

MA-6: Timely Maintenance

Obtain maintenance support and/or spare parts for [Assignment: organization-defined system components for which maintenance support and/or spare parts are obtained] within [Assignment: organization-defined time period within which maintenance support and/or spare parts are to be obtained after a failure] of failure.

Organizations specify the system components that result in increased risk to organizational operations and assets, individuals, other organizations, or the Nation when the functionality provided by those components is not operational. Organizational actions to obtain maintenance support include having appropriate contracts in place.

maintenance support and/or spare parts are obtained for [Assignment: organization-defined system components for which maintenance support and/or spare parts are obtained] within [Assignment: organization-defined time period within which maintenance support and/or spare parts are to be obtained after a failure] of failure.

  • Maintenance policy
  • procedures addressing system maintenance
  • service provider contracts
  • service-level agreements
  • inventory and availability of spare parts
  • system security plan
  • other relevant documents or records

  • Organizational personnel with system maintenance responsibilities
  • organizational personnel with acquisition responsibilities
  • organizational personnel with information security responsibilities
  • system/network administrators

  • Organizational processes for ensuring timely maintenance