Maintenance (MA)¶

• a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
  • 1. [Selection: one or more of: organization-level; mission/business process-level; system-level] maintenance policy that:
    • (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
    • (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
  • 2. Procedures to facilitate the implementation of the maintenance policy and the associated maintenance controls;
• b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the maintenance policy and procedures; and
• c. Review and update the current maintenance:
  • 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
  • 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

• a. Schedule, document, and review records of maintenance, repair, and replacement on system components in accordance with manufacturer or vendor specifications and/or organizational requirements;
• b. Approve and monitor all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location;
• c. Require that [Assignment: organization-defined personnel or roles] explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement;
• d. Sanitize equipment to remove the following information from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement: [Assignment: organization-defined information];
• e. Check all potentially impacted controls to verify that the controls are still functioning properly following maintenance, repair, or replacement actions; and
• f. Include the following information in organizational maintenance records: [Assignment: organization-defined information].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

• (a) Schedule, conduct, and document maintenance, repair, and replacement actions for the system using [Assignment: organization-defined automated mechanisms]; and
• (b) Produce up-to date, accurate, and complete records of all maintenance, repair, and replacement actions requested, scheduled, in process, and completed.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

• a. Approve, control, and monitor the use of system maintenance tools; and
• b. Review previously approved system maintenance tools [Assignment: organization-defined frequency].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Inspect the maintenance tools used by maintenance personnel for improper or unauthorized modifications.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Check media containing diagnostic and test programs for malicious code before the media are used in the system.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Prevent the removal of maintenance equipment containing organizational information by:

• (a) Verifying that there is no organizational information contained on the equipment;
• (b) Sanitizing or destroying the equipment;
• (c) Retaining the equipment within the facility; or
• (d) Obtaining an exemption from [Assignment: organization-defined personnel or roles] explicitly authorizing removal of the equipment from the facility.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Restrict the use of maintenance tools to authorized personnel only.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Monitor the use of maintenance tools that execute with increased privilege.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Inspect maintenance tools to ensure the latest software updates and patches are installed.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

• a. Approve and monitor nonlocal maintenance and diagnostic activities;
• b. Allow the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the system;
• c. Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions;
• d. Maintain records for nonlocal maintenance and diagnostic activities; and
• e. Terminate session and network connections when nonlocal maintenance is completed.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

• (a) Log [Assignment: organization-defined audit events] for nonlocal maintenance and diagnostic sessions; and
• (b) Review the audit records of the maintenance and diagnostic sessions to detect anomalous behavior.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

• (a) Require that nonlocal maintenance and diagnostic services be performed from a system that implements a security capability comparable to the capability implemented on the system being serviced; or
• (b) Remove the component to be serviced from the system prior to nonlocal maintenance or diagnostic services; sanitize the component (for organizational information); and after the service is performed, inspect and sanitize the component (for potentially malicious software) before reconnecting the component to the system.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Protect nonlocal maintenance sessions by:

• (a) Employing [Assignment: organization-defined authenticators that are replay resistant]; and
• (b) Separating the maintenance sessions from other network sessions with the system by either:
  • (1) Physically separated communications paths; or
  • (2) Logically separated communications paths.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

• (a) Require the approval of each nonlocal maintenance session by [Assignment: organization-defined personnel or roles]; and
• (b) Notify the following personnel or roles of the date and time of planned nonlocal maintenance: [Assignment: organization-defined personnel and roles].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Implement the following cryptographic mechanisms to protect the integrity and confidentiality of nonlocal maintenance and diagnostic communications: [Assignment: organization-defined cryptographic mechanisms].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Verify session and network connection termination after the completion of nonlocal maintenance and diagnostic sessions.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

• a. Establish a process for maintenance personnel authorization and maintain a list of authorized maintenance organizations or personnel;
• b. Verify that non-escorted personnel performing maintenance on the system possess the required access authorizations; and
• c. Designate organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.

External Link for Additional Information: myctrl.tools

• (a) Implement procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens, that include the following requirements:
  • (1) Maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals are escorted and supervised during the performance of maintenance and diagnostic activities on the system by approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified; and
  • (2) Prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances or formal access approvals, all volatile information storage components within the system are sanitized and all nonvolatile storage media are removed or physically disconnected from the system and secured; and
• (b) Develop and implement [Assignment: organization-defined alternate controls] in the event a system component cannot be sanitized, removed, or disconnected from the system.

External Link for Additional Information: myctrl.tools

Verify that personnel performing maintenance and diagnostic activities on a system processing, storing, or transmitting classified information possess security clearances and formal access approvals for at least the highest classification level and for compartments of information on the system.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Verify that personnel performing maintenance and diagnostic activities on a system processing, storing, or transmitting classified information are U.S. citizens.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Ensure that:

• (a) Foreign nationals with appropriate security clearances are used to conduct maintenance and diagnostic activities on classified systems only when the systems are jointly owned and operated by the United States and foreign allied governments, or owned and operated solely by foreign allied governments; and
• (b) Approvals, consents, and detailed operational conditions regarding the use of foreign nationals to conduct maintenance and diagnostic activities on classified systems are fully documented within Memoranda of Agreements.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Ensure that non-escorted personnel performing maintenance activities not directly associated with the system but in the physical proximity of the system, have required access authorizations.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Obtain maintenance support and/or spare parts for [Assignment: organization-defined system components] within [Assignment: organization-defined time period] of failure.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Perform preventive maintenance on [Assignment: organization-defined system components] at [Assignment: organization-defined time intervals].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Perform predictive maintenance on [Assignment: organization-defined system components] at [Assignment: organization-defined time intervals].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Transfer predictive maintenance data to a maintenance management system using [Assignment: organization-defined automated mechanisms].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools

Restrict or prohibit field maintenance on [Assignment: organization-defined systems or system components] to [Assignment: organization-defined trusted maintenance facilities].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.

External Link for Additional Information: myctrl.tools