MA-4: Nonlocal Maintenance
Control Family:
CSF v1.1 References:
PF v1.0 References:
Threats Addressed:
Next Version:
- NIST Special Publication 800-53 Revision 5:
- MA-4: Nonlocal Maintenance
Control Statement
The organization:
- Approves and monitors nonlocal maintenance and diagnostic activities;
- Allows the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the information system;
- Employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions;
- Maintains records for nonlocal maintenance and diagnostic activities; and
- Terminates session and network connections when nonlocal maintenance is completed.
Supplemental Guidance
Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. Authentication techniques used in the establishment of nonlocal maintenance and diagnostic sessions reflect the network access requirements in IA-2. Typically, strong authentication requires authenticators that are resistant to replay attacks and employ multifactor authentication. Strong authenticators include, for example, PKI where certificates are stored on a token protected by a password, passphrase, or biometric. Enforcing requirements in MA-4 is accomplished in part by other controls.
Control Enhancements
MA-4(1): Auditing And Review
Baseline(s):
The organization: Audits nonlocal maintenance and diagnostic sessions [Assignment: organization-defined audit events]; and Reviews the records of the maintenance and diagnostic sessions.
MA-4(2): Document Nonlocal Maintenance
Baseline(s):
- Moderate
- High
The organization documents in the security plan for the information system, the policies and procedures for the establishment and use of nonlocal maintenance and diagnostic connections.
MA-4(3): Comparable Security / Sanitization
Baseline(s):
- High
The organization: Requires that nonlocal maintenance and diagnostic services be performed from an information system that implements a security capability comparable to the capability implemented on the system being serviced; or Removes the component to be serviced from the information system prior to nonlocal maintenance or diagnostic services, sanitizes the component (with regard to organizational…
MA-4(4): Authentication / Separation Of Maintenance Sessions
Baseline(s):
The organization protects nonlocal maintenance sessions by: Employing [Assignment: organization-defined authenticators that are replay resistant]; and Separating the maintenance sessions from other network sessions with the information system by either: Physically separated communications paths; or Logically separated communications paths based upon encryption.
MA-4(5): Approvals And Notifications
Baseline(s):
The organization: Requires the approval of each nonlocal maintenance session by [Assignment: organization-defined personnel or roles]; and Notifies [Assignment: organization-defined personnel or roles] of the date and time of planned nonlocal maintenance.
MA-4(6): Cryptographic Protection
Baseline(s):
The information system implements cryptographic mechanisms to protect the integrity and confidentiality of nonlocal maintenance and diagnostic communications.
MA-4(7): Remote Disconnect Verification
Baseline(s):
The information system implements remote disconnect verification at the termination of nonlocal maintenance and diagnostic sessions.