Maintenance

Estimated reading time: 8 minutes

MA-1 System Maintenance Policy And Procedures

Description

The organization:

  1. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
    1. A system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
    2. Procedures to facilitate the implementation of the system maintenance policy and associated system maintenance controls; and
  2. Reviews and updates the current:
    1. System maintenance policy [Assignment: organization-defined frequency]; and
    2. System maintenance procedures [Assignment: organization-defined frequency].

Control Information

Responsible role(s) - Organization

MA-2 Controlled Maintenance

Description

The organization:

  1. Schedules, performs, documents, and reviews records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements;
  2. Approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;
  3. Requires that [Assignment: organization-defined personnel or roles] explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs;
  4. Sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs;
  5. Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; and
  6. Includes [Assignment: organization-defined maintenance-related information] in organizational maintenance records.

Control Information

Responsible role(s) - Organization

MA-2 (2) Automated Maintenance Activities

Description

The organization:

  1. Employs automated mechanisms to schedule, conduct, and document maintenance and repairs; and
  2. Produces up-to date, accurate, and complete records of all maintenance and repair actions requested, scheduled, in process, and completed.

Control Information

Responsible role(s) - Organization

MA-3 Maintenance Tools

Description

The organization approves, controls, and monitors information system maintenance tools.

Control Information

Responsible role(s) - Organization

MA-3 (1) Inspect Tools

Description

The organization inspects the maintenance tools carried into a facility by maintenance personnel for improper or unauthorized modifications.

Control Information

Responsible role(s) - Organization

MA-3 (2) Inspect Media

Description

The organization checks media containing diagnostic and test programs for malicious code before the media are used in the information system.

Control Information

Responsible role(s) - Organization

MA-3 (3) Prevent Unauthorized Removal

Description

The organization prevents the unauthorized removal of maintenance equipment containing organizational information by:

  1. Verifying that there is no organizational information contained on the equipment;
  2. Sanitizing or destroying the equipment;
  3. Retaining the equipment within the facility; or
  4. Obtaining an exemption from [Assignment: organization-defined personnel or roles] explicitly authorizing removal of the equipment from the facility.

Control Information

Responsible role(s) - Organization

MA-3 (4) Restricted Tool Use

Description

The information system restricts the use of maintenance tools to authorized personnel only.

Control Information

Responsible role(s) - Organization

MA-4 Nonlocal Maintenance

Description

The organization:

  1. Approves and monitors nonlocal maintenance and diagnostic activities;
  2. Allows the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the information system;
  3. Employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions;
  4. Maintains records for nonlocal maintenance and diagnostic activities; and
  5. Terminates session and network connections when nonlocal maintenance is completed.

Control Information

Responsible role(s) - Organization

MA-4 (1) Auditing And Review

Description

The organization:

  1. Audits nonlocal maintenance and diagnostic sessions [Assignment: organization-defined audit events]; and
  2. Reviews the records of the maintenance and diagnostic sessions.

Control Information

Responsible role(s) - Organization

MA-4 (2) Document Nonlocal Maintenance

Description

The organization documents in the security plan for the information system, the policies and procedures for the establishment and use of nonlocal maintenance and diagnostic connections.

Control Information

Responsible role(s) - Organization

MA-4 (3) Comparable Security / Sanitization

Description

The organization:

  1. Requires that nonlocal maintenance and diagnostic services be performed from an information system that implements a security capability comparable to the capability implemented on the system being serviced; or
  2. Removes the component to be serviced from the information system prior to nonlocal maintenance or diagnostic services, sanitizes the component (with regard to organizational information) before removal from organizational facilities, and after the service is performed, inspects and sanitizes the component (with regard to potentially malicious software) before reconnecting the component to the information system.

Control Information

Responsible role(s) - Organization

MA-4 (4) Authentication / Separation Of Maintenance Sessions

Description

The organization protects nonlocal maintenance sessions by:

  1. Employing [Assignment: organization-defined authenticators that are replay resistant]; and
  2. Separating the maintenance sessions from other network sessions with the information system by either:
    1. Physically separated communications paths; or
    2. Logically separated communications paths based upon encryption.

Control Information

Responsible role(s) - Organization

MA-4 (5) Approvals And Notifications

Description

The organization:

  1. Requires the approval of each nonlocal maintenance session by [Assignment: organization-defined personnel or roles]; and
  2. Notifies [Assignment: organization-defined personnel or roles] of the date and time of planned nonlocal maintenance.

Control Information

Responsible role(s) - Organization

MA-4 (6) Cryptographic Protection

Description

The information system implements cryptographic mechanisms to protect the integrity and confidentiality of nonlocal maintenance and diagnostic communications.

Control Information

Responsible role(s) - Organization

MA-4 (7) Remote Disconnect Verification

Description

The information system implements remote disconnect verification at the termination of nonlocal maintenance and diagnostic sessions.

Control Information

Responsible role(s) - Organization

MA-5 Maintenance Personnel

Description

The organization:

  1. Establishes a process for maintenance personnel authorization and maintains a list of authorized maintenance organizations or personnel;
  2. Ensures that non-escorted personnel performing maintenance on the information system have required access authorizations; and
  3. Designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.

Control Information

Responsible role(s) - Organization

MA-5 (1) Individuals Without Appropriate Access

Description

The organization:

  1. Implements procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens, that include the following requirements:
    1. Maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals are escorted and supervised during the performance of maintenance and diagnostic activities on the information system by approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified;
    2. Prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances or formal access approvals, all volatile information storage components within the information system are sanitized and all nonvolatile storage media are removed or physically disconnected from the system and secured; and
  2. Develops and implements alternate security safeguards in the event an information system component cannot be sanitized, removed, or disconnected from the system.

Control Information

Responsible role(s) - Organization

MA-5 (2) Security Clearances For Classified Systems

Description

The organization ensures that personnel performing maintenance and diagnostic activities on an information system processing, storing, or transmitting classified information possess security clearances and formal access approvals for at least the highest classification level and for all compartments of information on the system.

Control Information

Responsible role(s) - Organization

MA-5 (3) Citizenship Requirements For Classified Systems

Description

The organization ensures that personnel performing maintenance and diagnostic activities on an information system processing, storing, or transmitting classified information are U.S. citizens.

Control Information

Responsible role(s) - Organization

MA-5 (4) Foreign Nationals

Description

The organization ensures that:

  1. Cleared foreign nationals (i.e., foreign nationals with appropriate security clearances), are used to conduct maintenance and diagnostic activities on classified information systems only when the systems are jointly owned and operated by the United States and foreign allied governments, or owned and operated solely by foreign allied governments; and
  2. Approvals, consents, and detailed operational conditions regarding the use of foreign nationals to conduct maintenance and diagnostic activities on classified information systems are fully documented within Memoranda of Agreements.

Control Information

Responsible role(s) - Organization

Description

The organization ensures that non-escorted personnel performing maintenance activities not directly associated with the information system but in the physical proximity of the system, have required access authorizations.

Control Information

Responsible role(s) - Organization

MA-6 Timely Maintenance

Description

The organization obtains maintenance support and/or spare parts for [Assignment: organization-defined information system components] within [Assignment: organization-defined time period] of failure.

Control Information

Responsible role(s) - Organization

MA-6 (1) Preventive Maintenance

Description

The organization performs preventive maintenance on [Assignment: organization-defined information system components] at [Assignment: organization-defined time intervals].

Control Information

Responsible role(s) - Organization

MA-6 (2) Predictive Maintenance

Description

The organization performs predictive maintenance on [Assignment: organization-defined information system components] at [Assignment: organization-defined time intervals].

Control Information

Responsible role(s) - Organization

MA-6 (3) Automated Support For Predictive Maintenance

Description

The organization employs automated mechanisms to transfer predictive maintenance data to a computerized maintenance management system.

Control Information

Responsible role(s) - Organization

standards, compliance, security, 800-53, Maintenance