PR.MA-1: Maintenance and repair of organizational assets are performed and logged, with approved and controlled tools
Description
[csf.tools Note: Subcategories do not have detailed descriptions.]
Related Controls
NIST Special Publication 800-53 Revision 5
MA-1: Policy and Procedures
Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Assignment (one or more): organization-level, mission/business process-level, system-level] maintenance policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and Procedures to facilitate the implementation of…
MA-2: Controlled Maintenance
Schedule, document, and review records of maintenance, repair, and replacement on system components in accordance with manufacturer or vendor specifications and/or organizational requirements; Approve and monitor all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location; Require that [Assignment: organization-defined…
MA-3: Maintenance Tools
Approve, control, and monitor the use of system maintenance tools; and Review previously approved system maintenance tools [Assignment: organization-defined frequency].
MA-5: Maintenance Personnel
Establish a process for maintenance personnel authorization and maintain a list of authorized maintenance organizations or personnel; Verify that non-escorted personnel performing maintenance on the system possess the required access authorizations; and Designate organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required…
MA-6: Timely Maintenance
Obtain maintenance support and/or spare parts for [Assignment: organization-defined system components] within [Assignment: organization-defined time period] of failure.
NIST Special Publication 800-171 Revision 2
3.7.1: Perform maintenance on organizational systems
This requirement addresses the information security aspects of the system maintenance program and applies to all types of maintenance to any system component (including hardware, firmware, applications) conducted by any local or nonlocal entity. System maintenance also includes those components not directly associated with information processing and data or information retention such as scanners, copiers,…
3.7.2: Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance
This requirement addresses security-related issues with maintenance tools that are not within the organizational system boundaries that process, store, or transmit CUI, but are used specifically for diagnostic and repair actions on those systems. Organizations have flexibility in determining the controls in place for maintenance tools, but can include approving, controlling, and monitoring the use…
3.7.3: Ensure equipment removed for off-site maintenance is sanitized of any CUI
This requirement addresses the information security aspects of system maintenance that are performed off-site and applies to all types of maintenance to any system component (including applications) conducted by a local or nonlocal entity (e.g., in-contract, warranty, in-house, software maintenance agreement). [SP 800-88] provides guidance on media sanitization.
3.7.4: Check media containing diagnostic and test programs for malicious code before the media are used in organizational systems
If, upon inspection of media containing maintenance diagnostic and test programs, organizations determine that the media contain malicious code, the incident is handled consistent with incident handling policies and procedures.
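MA-3 (approve, control and monitor maintenance tools, and re-review approvals at a defined frequency), 3.7.2 and 3.7.4 all come down to the same gate: before a technician runs a diagnostic or repair tool on an asset, confirm that it is the approved tool, that it has not been altered or swapped, that its approval is still current, and record the outcome. The script below is an added example written for this page, not part of csf.tools, NIST SP 800-53 or SP 800-171; the tool names, digests, dates, the 365-day review interval and the sample images are constructed assumptions standing in for an organization's own approved-tool list.

```python
"""Approved-maintenance-tool gate with a maintenance log record (added example)."""
import hashlib
import json
from dataclasses import dataclass
from datetime import date, timedelta

# Assumption: the organization-defined review frequency for approved tools (MA-3).
REVIEW_INTERVAL = timedelta(days=365)


@dataclass(frozen=True)
class ApprovedTool:
    name: str
    sha256: str        # hex SHA-256 of the approved tool image or binary
    approved_on: date  # date the approval was granted or last re-reviewed
    approved_by: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample bytes standing in for a vendor diagnostic image. A real
# allowlist stores the digest recorded at approval time, never the image itself.
DIAG_IMAGE_V1 = b"VENDOR-DIAG-IMAGE v1.4 (constructed sample bytes)"
DIAG_IMAGE_V1_SHA256 = sha256_hex(DIAG_IMAGE_V1)

ALLOWLIST = {
    "vendor-diag": ApprovedTool("vendor-diag", DIAG_IMAGE_V1_SHA256,
                                date(2024, 3, 1), "secops-lead"),
    # Approved long ago: will be refused until someone re-reviews it.
    "fw-flasher": ApprovedTool("fw-flasher", sha256_hex(b"FW-FLASHER 2.0 (constructed)"),
                               date(2022, 1, 15), "secops-lead"),
}


def check_tool(allowlist, name, image, today):
    """Decide whether a maintenance tool may be used today.

    Returns (allowed, reason). A tool is refused if it is not on the list,
    if the image presented does not match the approved digest (tampered,
    wrong version, or swapped media), or if its approval is past the
    organization-defined review interval.
    """
    entry = allowlist.get(name)
    if entry is None:
        return False, "not on approved tool list"
    if sha256_hex(image) != entry.sha256:
        return False, "digest mismatch against approved image"
    if today - entry.approved_on > REVIEW_INTERVAL:
        return False, "approval older than review interval; re-review required"
    return True, "approved"


def log_maintenance(log, *, today, asset, technician, tool, allowed, reason, action):
    """Append one JSON-serialisable record: the 'performed and logged' half of PR.MA-1."""
    record = {
        "date": today.isoformat(),
        "asset": asset,
        "technician": technician,
        "tool": tool,
        "tool_check": "pass" if allowed else "fail",
        "reason": reason,
        "action": action if allowed else "blocked",
    }
    log.append(record)
    return record


def run_demo(today=date(2024, 9, 10)):
    """Gate four constructed maintenance attempts and return the resulting log."""
    log = []
    cases = [
        ("vendor-diag", DIAG_IMAGE_V1, "run storage diagnostics"),      # approved, current
        ("vendor-diag", DIAG_IMAGE_V1 + b"\x00", "run storage diagnostics"),  # altered image
        ("fw-flasher", b"FW-FLASHER 2.0 (constructed)", "reflash BMC"),  # approval expired
        ("rogue-util", b"anything", "dump config"),                      # never approved
    ]
    for name, image, action in cases:
        ok, why = check_tool(ALLOWLIST, name, image, today)
        log_maintenance(log, today=today, asset="rack07-node3", technician="contractor-42",
                        tool=name, allowed=ok, reason=why, action=action)
    return log


if __name__ == "__main__":
    for rec in run_demo():
        print(json.dumps(rec))
```

The digest check proves only that the tool is the one that was approved; it is not the malicious-code inspection 3.7.4 asks for, so media from outside the boundary still gets scanned before it is mounted, and a failed check is handled as an incident rather than silently retried. Keeping the refusal in the same log as successful work gives the reviewer required by MA-2 a single record to audit.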
3.7.6: Supervise the maintenance activities of maintenance personnel without required access authorization
This requirement applies to individuals who are performing hardware or software maintenance on organizational systems, while 3.10.1 addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems (e.g., custodial staff, physical plant maintenance personnel). Individuals not previously identified as authorized maintenance personnel, such as information technology manufacturers,…
Cloud Controls Matrix v3.0.1
BCR-07: Equipment Maintenance
Policies and procedures shall be established, and supporting business processes and technical measures implemented, for equipment maintenance ensuring continuity and availability of operations and support personnel.
IAM-03: Diagnostic / Configuration Ports Access
User access to diagnostic and configuration ports shall be restricted to authorized individuals and applications.
IAM-13: Utility Programs Access
Utility programs capable of potentially overriding system, object, network, virtual machine, and application controls shall be restricted.
NIST Special Publication 800-53 Revision 4
MA-2: Controlled Maintenance
The organization: Schedules, performs, documents, and reviews records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements; Approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location; Requires that [Assignment: organization-defined…
MA-3: Maintenance Tools
The organization approves, controls, and monitors information system maintenance tools.
MA-5: Maintenance Personnel
The organization: Establishes a process for maintenance personnel authorization and maintains a list of authorized maintenance organizations or personnel; Ensures that non-escorted personnel performing maintenance on the information system have required access authorizations; and Designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess…
MA-6: Timely Maintenance
The organization obtains maintenance support and/or spare parts for [Assignment: organization-defined information system components] within [Assignment: organization-defined time period] of failure.
Critical Security Controls Version 7.1
4: Controlled Use of Administrative Privileges
The processes and tools used to track/control/prevent/correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications.