[csf.tools Note: Subcategories do not have detailed descriptions.]
NIST Special Publication 800-53 Revision 5
Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Assignment (one or more): organization-level, mission/business process-level, system-level] maintenance policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and Procedures to facilitate the implementation of…
Schedule, document, and review records of maintenance, repair, and replacement on system components in accordance with manufacturer or vendor specifications and/or organizational requirements; Approve and monitor all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location; Require that [Assignment: organization-defined…
Approve, control, and monitor the use of system maintenance tools; and Review previously approved system maintenance tools [Assignment: organization-defined frequency].
Establish a process for maintenance personnel authorization and maintain a list of authorized maintenance organizations or personnel; Verify that non-escorted personnel performing maintenance on the system possess the required access authorizations; and Designate organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required…
Obtain maintenance support and/or spare parts for [Assignment: organization-defined system components] within [Assignment: organization-defined time period] of failure.
NIST Special Publication 800-171 Revision 2
This requirement addresses the information security aspects of the system maintenance program and applies to all types of maintenance to any system component (including hardware, firmware, applications) conducted by any local or nonlocal entity. System maintenance also includes those components not directly associated with information processing and data or information retention such as scanners, copiers,…
This requirement addresses security-related issues with maintenance tools that are not within the organizational system boundaries that process, store, or transmit CUI, but are used specifically for diagnostic and repair actions on those systems. Organizations have flexibility in determining the controls in place for maintenance tools, but can include approving, controlling, and monitoring the use…
This requirement addresses the information security aspects of system maintenance that are performed off-site and applies to all types of maintenance to any system component (including applications) conducted by a local or nonlocal entity (e.g., in-contract, warranty, in-house, software maintenance agreement). [SP 800-88] provides guidance on media sanitization.
If, upon inspection of media containing maintenance diagnostic and test programs, organizations determine that the media contain malicious code, the incident is handled consistent with incident handling policies and procedures.
This requirement applies to individuals who are performing hardware or software maintenance on organizational systems, while 3.10.1 addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems (e.g., custodial staff, physical plant maintenance personnel). Individuals not previously identified as authorized maintenance personnel, such as information technology manufacturers,…
Cloud Controls Matrix v4.0
Restrict the unauthorized addition, removal, update, and management of organization assets.
Implement detection measures with proactive notification in case of changes deviating from the established baseline.
Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the relocation or transfer of hardware, software, or data/information to an offsite or alternate location. The relocation or transfer request requires the written or cryptographically verifiable authorization. Review and update the policies and procedures at least annually.
Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for logging and monitoring. Review and update the policies and procedures at least annually.
NIST Special Publication 800-53 Revision 4
The organization: Schedules, performs, documents, and reviews records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements; Approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location; Requires that [Assignment: organization-defined…
The organization approves, controls, and monitors information system maintenance tools.
The organization: Establishes a process for maintenance personnel authorization and maintains a list of authorized maintenance organizations or personnel; Ensures that non-escorted personnel performing maintenance on the information system have required access authorizations; and Designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess…
The organization obtains maintenance support and/or spare parts for [Assignment: organization-defined information system components] within [Assignment: organization-defined time period] of failure.
Cloud Controls Matrix v3.0.1
Policies and procedures shall be established, and supporting business processes and technical measures implemented, for equipment maintenance ensuring continuity and availability of operations and support personnel.
User access to diagnostic and configuration ports shall be restricted to authorized individuals and applications.
Utility programs capable of potentially overriding system, object, network, virtual machine, and application controls shall be restricted.
Critical Security Controls Version 7.1
The processes and tools used to track/control/prevent/correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications.