Maintenance
Estimated reading time: 8 minutesMA-1 System Maintenance Policy And Procedures
Description
The organization:
- Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
- A system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
- Procedures to facilitate the implementation of the system maintenance policy and associated system maintenance controls; and
- Reviews and updates the current:
- System maintenance policy [Assignment: organization-defined frequency]; and
- System maintenance procedures [Assignment: organization-defined frequency].
Control Information
Responsible role(s) - Organization
MA-2 Controlled Maintenance
Description
The organization:
- Schedules, performs, documents, and reviews records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements;
- Approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;
- Requires that [Assignment: organization-defined personnel or roles] explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs;
- Sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs;
- Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; and
- Includes [Assignment: organization-defined maintenance-related information] in organizational maintenance records.
Control Information
Responsible role(s) - Organization
MA-2 (2) Automated Maintenance Activities
Description
The organization:
- Employs automated mechanisms to schedule, conduct, and document maintenance and repairs; and
- Produces up-to date, accurate, and complete records of all maintenance and repair actions requested, scheduled, in process, and completed.
Control Information
Responsible role(s) - Organization
MA-3 Maintenance Tools
Description
The organization approves, controls, and monitors information system maintenance tools.
Control Information
Responsible role(s) - Organization
MA-3 (1) Inspect Tools
Description
The organization inspects the maintenance tools carried into a facility by maintenance personnel for improper or unauthorized modifications.
Control Information
Responsible role(s) - Organization
MA-3 (2) Inspect Media
Description
The organization checks media containing diagnostic and test programs for malicious code before the media are used in the information system.
Control Information
Responsible role(s) - Organization
MA-3 (3) Prevent Unauthorized Removal
Description
The organization prevents the unauthorized removal of maintenance equipment containing organizational information by:
- Verifying that there is no organizational information contained on the equipment;
- Sanitizing or destroying the equipment;
- Retaining the equipment within the facility; or
- Obtaining an exemption from [Assignment: organization-defined personnel or roles] explicitly authorizing removal of the equipment from the facility.
Control Information
Responsible role(s) - Organization
MA-3 (4) Restricted Tool Use
Description
The information system restricts the use of maintenance tools to authorized personnel only.
Control Information
Responsible role(s) - Organization
MA-4 Nonlocal Maintenance
Description
The organization:
- Approves and monitors nonlocal maintenance and diagnostic activities;
- Allows the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the information system;
- Employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions;
- Maintains records for nonlocal maintenance and diagnostic activities; and
- Terminates session and network connections when nonlocal maintenance is completed.
Control Information
Responsible role(s) - Organization
MA-4 (1) Auditing And Review
Description
The organization:
- Audits nonlocal maintenance and diagnostic sessions [Assignment: organization-defined audit events]; and
- Reviews the records of the maintenance and diagnostic sessions.
Control Information
Responsible role(s) - Organization
MA-4 (2) Document Nonlocal Maintenance
Description
The organization documents in the security plan for the information system, the policies and procedures for the establishment and use of nonlocal maintenance and diagnostic connections.
Control Information
Responsible role(s) - Organization
MA-4 (3) Comparable Security / Sanitization
Description
The organization:
- Requires that nonlocal maintenance and diagnostic services be performed from an information system that implements a security capability comparable to the capability implemented on the system being serviced; or
- Removes the component to be serviced from the information system prior to nonlocal maintenance or diagnostic services, sanitizes the component (with regard to organizational information) before removal from organizational facilities, and after the service is performed, inspects and sanitizes the component (with regard to potentially malicious software) before reconnecting the component to the information system.
Control Information
Responsible role(s) - Organization
MA-4 (4) Authentication / Separation Of Maintenance Sessions
Description
The organization protects nonlocal maintenance sessions by:
- Employing [Assignment: organization-defined authenticators that are replay resistant]; and
- Separating the maintenance sessions from other network sessions with the information system by either:
- Physically separated communications paths; or
- Logically separated communications paths based upon encryption.
Control Information
Responsible role(s) - Organization
MA-4 (5) Approvals And Notifications
Description
The organization:
- Requires the approval of each nonlocal maintenance session by [Assignment: organization-defined personnel or roles]; and
- Notifies [Assignment: organization-defined personnel or roles] of the date and time of planned nonlocal maintenance.
Control Information
Responsible role(s) - Organization
MA-4 (6) Cryptographic Protection
Description
The information system implements cryptographic mechanisms to protect the integrity and confidentiality of nonlocal maintenance and diagnostic communications.
Control Information
Responsible role(s) - Organization
MA-4 (7) Remote Disconnect Verification
Description
The information system implements remote disconnect verification at the termination of nonlocal maintenance and diagnostic sessions.
Control Information
Responsible role(s) - Organization
MA-5 Maintenance Personnel
Description
The organization:
- Establishes a process for maintenance personnel authorization and maintains a list of authorized maintenance organizations or personnel;
- Ensures that non-escorted personnel performing maintenance on the information system have required access authorizations; and
- Designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.
Control Information
Responsible role(s) - Organization
MA-5 (1) Individuals Without Appropriate Access
Description
The organization:
- Implements procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens, that include the following requirements:
- Maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals are escorted and supervised during the performance of maintenance and diagnostic activities on the information system by approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified;
- Prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances or formal access approvals, all volatile information storage components within the information system are sanitized and all nonvolatile storage media are removed or physically disconnected from the system and secured; and
- Develops and implements alternate security safeguards in the event an information system component cannot be sanitized, removed, or disconnected from the system.
Control Information
Responsible role(s) - Organization
MA-5 (2) Security Clearances For Classified Systems
Description
The organization ensures that personnel performing maintenance and diagnostic activities on an information system processing, storing, or transmitting classified information possess security clearances and formal access approvals for at least the highest classification level and for all compartments of information on the system.
Control Information
Responsible role(s) - Organization
MA-5 (3) Citizenship Requirements For Classified Systems
Description
The organization ensures that personnel performing maintenance and diagnostic activities on an information system processing, storing, or transmitting classified information are U.S. citizens.
Control Information
Responsible role(s) - Organization
MA-5 (4) Foreign Nationals
Description
The organization ensures that:
- Cleared foreign nationals (i.e., foreign nationals with appropriate security clearances), are used to conduct maintenance and diagnostic activities on classified information systems only when the systems are jointly owned and operated by the United States and foreign allied governments, or owned and operated solely by foreign allied governments; and
- Approvals, consents, and detailed operational conditions regarding the use of foreign nationals to conduct maintenance and diagnostic activities on classified information systems are fully documented within Memoranda of Agreements.
Control Information
Responsible role(s) - Organization
MA-5 (5) Nonsystem-Related Maintenance
Description
The organization ensures that non-escorted personnel performing maintenance activities not directly associated with the information system but in the physical proximity of the system, have required access authorizations.
Control Information
Responsible role(s) - Organization
MA-6 Timely Maintenance
Description
The organization obtains maintenance support and/or spare parts for [Assignment: organization-defined information system components] within [Assignment: organization-defined time period] of failure.
Control Information
Responsible role(s) - Organization
MA-6 (1) Preventive Maintenance
Description
The organization performs preventive maintenance on [Assignment: organization-defined information system components] at [Assignment: organization-defined time intervals].
Control Information
Responsible role(s) - Organization
MA-6 (2) Predictive Maintenance
Description
The organization performs predictive maintenance on [Assignment: organization-defined information system components] at [Assignment: organization-defined time intervals].
Control Information
Responsible role(s) - Organization
MA-6 (3) Automated Support For Predictive Maintenance
Description
The organization employs automated mechanisms to transfer predictive maintenance data to a computerized maintenance management system.
Control Information
Responsible role(s) - Organization