MA-4: Nonlocal Maintenance

Control Family:

Maintenance

Baselines:

  • Low
    • MA-4
  • Moderate
    • MA-4
  • High
    • MA-4
    • MA-4(3)
  • Privacy
    • N/A

Previous Version:

Incorporates the following control from the previous version: MA-4(2): Document Nonlocal Maintenance.

Control Statement

  1. Approve and monitor nonlocal maintenance and diagnostic activities;
  2. Allow the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the system;
  3. Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions;
  4. Maintain records for nonlocal maintenance and diagnostic activities; and
  5. Terminate session and network connections when nonlocal maintenance is completed.

Supplemental Guidance

Nonlocal maintenance and diagnostic activities are conducted by individuals who communicate through either an external or internal network. Local maintenance and diagnostic activities are carried out by individuals who are physically present at the system location and not communicating across a network connection. Authentication techniques used to establish nonlocal maintenance and diagnostic sessions reflect the network access requirements in IA-2. Strong authentication requires authenticators that are resistant to replay attacks and employ multi-factor authentication. Strong authenticators include PKI where certificates are stored on a token protected by a password, passphrase, or biometric. Enforcing requirements in MA-4 is accomplished, in part, by other controls. SP 800-63B provides additional guidance on strong authentication and authenticators.
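The guidance above asks for authenticators that are resistant to replay. As an added example (not text from SP 800-53 or any NIST publication), the following Python contrasts a fixed-password login, which an eavesdropper can replay verbatim, with a challenge-response login in which the gateway issues a fresh random nonce per attempt, consumes it on first use, and expires it after a short lifetime. The gateway classes, technician name, and per-technician HMAC key are assumptions standing in for the PKI-on-token authenticator the guidance describes; a real deployment would use certificate-based authentication per IA-2 and SP 800-63B. The clock is passed in explicitly so the example runs deterministically.

```python
"""Replay-resistant challenge-response session establishment.

Added example for illustration, not text from SP 800-53 or any product.
Assumes a per-technician secret key held on the technician's token
(standing in for the PKI-on-token authenticator the guidance describes);
'now' is passed explicitly so the example is deterministic.
"""
import hashlib
import hmac
import secrets


class StaticPasswordGateway:
    """Weak form: a fixed password is identical on every connection, so a
    login captured once can be replayed verbatim."""

    def __init__(self, passwords):
        self._passwords = passwords  # technician id -> password (constructed)

    def login(self, technician, password):
        return hmac.compare_digest(self._passwords.get(technician, ""), password)


class ChallengeResponseGateway:
    """Strong form: a fresh random nonce per attempt; only an HMAC over that
    nonce is accepted, each nonce usable once and only within its lifetime."""

    def __init__(self, keys, nonce_ttl_seconds=30):
        self._keys = keys  # technician id -> secret key (constructed)
        self._outstanding = {}  # nonce -> (technician, issued_at)
        self.nonce_ttl = nonce_ttl_seconds

    def challenge(self, technician, now):
        nonce = secrets.token_bytes(16)
        self._outstanding[nonce] = (technician, now)
        return nonce

    def verify(self, technician, nonce, response, now):
        # pop() consumes the nonce: a second attempt with the same nonce,
        # including a replay of a captured valid response, finds nothing.
        entry = self._outstanding.pop(nonce, None)
        if entry is None:
            return False
        issued_to, issued_at = entry
        if issued_to != technician or now - issued_at > self.nonce_ttl:
            return False
        expected = hmac.new(self._keys[technician], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def token_respond(key, nonce):
    """What the technician's token computes; the key never leaves the token."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def demo():
    """Exercise both gateways from an eavesdropper's point of view."""
    results = {}

    weak = StaticPasswordGateway({"vendor-alice": "Spring2024!"})
    captured_password = "Spring2024!"  # observed once on the wire
    results["static_password_replay"] = weak.login("vendor-alice", captured_password)

    key = secrets.token_bytes(32)
    strong = ChallengeResponseGateway({"vendor-alice": key})

    nonce = strong.challenge("vendor-alice", now=1000.0)
    response = token_respond(key, nonce)
    results["first_attempt"] = strong.verify("vendor-alice", nonce, response, now=1001.0)
    # Attacker replays the captured (nonce, response) pair.
    results["replayed_response"] = strong.verify("vendor-alice", nonce, response, now=1002.0)

    # A challenge answered after the nonce lifetime is rejected.
    stale = strong.challenge("vendor-alice", now=2000.0)
    results["stale_nonce"] = strong.verify(
        "vendor-alice", stale, token_respond(key, stale), now=2000.0 + 31)

    # The captured response does not answer a new challenge either.
    fresh = strong.challenge("vendor-alice", now=3000.0)
    results["old_response_to_new_nonce"] = strong.verify("vendor-alice", fresh, response, now=3001.0)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {'accepted' if outcome else 'rejected'}")
```

Note that a failed verification also consumes the nonce, so an attacker cannot use one challenge for repeated guesses; the technician simply requests a new challenge.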

Control Enhancements

MA-4(1): Logging and Review

Baseline(s):

(Not part of any baseline)

  1. Log [Assignment: organization-defined audit events] for nonlocal maintenance and diagnostic sessions; and
  2. Review the audit records of the maintenance and diagnostic sessions to detect anomalous behavior.

MA-4(3): Comparable Security and Sanitization

Baseline(s):

  • High

  1. Require that nonlocal maintenance and diagnostic services be performed from a system that implements a security capability comparable to the capability implemented on the system being serviced; or
  2. Remove the component to be serviced from the system prior to nonlocal maintenance or diagnostic services; sanitize the component (for organizational information); and after the service is…

MA-4(4): Authentication and Separation of Maintenance Sessions

Baseline(s):

(Not part of any baseline)

Protect nonlocal maintenance sessions by:

  1. Employing [Assignment: organization-defined authenticators that are replay resistant]; and
  2. Separating the maintenance sessions from other network sessions with the system by either:
    • Physically separated communications paths; or
    • Logically separated communications paths.

MA-4(5): Approvals and Notifications

Baseline(s):

(Not part of any baseline)

  1. Require the approval of each nonlocal maintenance session by [Assignment: organization-defined personnel or roles]; and
  2. Notify the following personnel or roles of the date and time of planned nonlocal maintenance: [Assignment: organization-defined personnel or roles].

MA-4(6): Cryptographic Protection

Baseline(s):

(Not part of any baseline)

Implement the following cryptographic mechanisms to protect the integrity and confidentiality of nonlocal maintenance and diagnostic communications: [Assignment: organization-defined cryptographic mechanisms].

MA-4(7): Disconnect Verification

Baseline(s):

(Not part of any baseline)

Verify session and network connection termination after the completion of nonlocal maintenance and diagnostic sessions.
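MA-4(1), MA-4(5) and MA-4(7) together describe a review that can be automated: compare each recorded nonlocal maintenance session against the approval granted for it, check that the session was established with a strong authentication method, and confirm that it was terminated. The Python below is an added example, not part of the NIST text. The JSON-lines log format (one object per gateway event), the approval records, the technician names and addresses, and the set of methods treated as strong authentication are all constructed for this illustration and do not reflect any real product's log format.

```python
"""Review nonlocal maintenance session records against approvals.

Added example, not NIST text. The gateway log format (one JSON object per
event), the approval records and the addresses are constructed for this
illustration and do not describe any real product.
"""
import ipaddress
import json
from datetime import datetime

# Authentication methods the organization has judged replay resistant and
# multi-factor (assumption for the example).
STRONG_AUTH = {"pki-token+pin", "pki-token+biometric"}

# MA-4(5): one record per approved session window (constructed).
APPROVALS = [
    {"ticket": "CHG-1001", "technician": "vendor-alice",
     "source": "203.0.113.0/24",
     "start": "2024-05-02T01:00:00Z", "end": "2024-05-02T03:00:00Z"},
]

# MA-4 d / MA-4(1): the gateway's session records (constructed sample).
GATEWAY_LOG = """\
{"ts":"2024-05-02T01:12:04Z","event":"session_open","sid":"s1","technician":"vendor-alice","src":"203.0.113.7","auth":"pki-token+pin"}
{"ts":"2024-05-02T01:58:40Z","event":"session_close","sid":"s1"}
{"ts":"2024-05-02T02:10:00Z","event":"session_open","sid":"s2","technician":"vendor-alice","src":"203.0.113.9","auth":"password"}
{"ts":"2024-05-02T02:30:00Z","event":"session_close","sid":"s2"}
{"ts":"2024-05-02T02:20:00Z","event":"session_open","sid":"s3","technician":"vendor-bob","src":"198.51.100.5","auth":"pki-token+pin"}
{"ts":"2024-05-02T04:15:00Z","event":"session_open","sid":"s4","technician":"vendor-alice","src":"203.0.113.7","auth":"pki-token+pin"}
{"ts":"2024-05-02T04:40:00Z","event":"session_close","sid":"s4"}
"""


def parse_ts(text):
    """Parse an RFC 3339 UTC timestamp with a trailing Z."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def load_sessions(log_text):
    """Pair open and close events by session id."""
    sessions = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        sess = sessions.setdefault(rec["sid"], {"sid": rec["sid"], "opened": None, "closed": None})
        if rec["event"] == "session_open":
            sess.update(opened=parse_ts(rec["ts"]), technician=rec["technician"],
                        src=ipaddress.ip_address(rec["src"]), auth=rec["auth"])
        elif rec["event"] == "session_close":
            sess["closed"] = parse_ts(rec["ts"])
    return list(sessions.values())


def matching_approval(sess, approvals):
    """Return the approval covering this session's technician, source and start time, if any."""
    for appr in approvals:
        if (appr["technician"] == sess["technician"]
                and sess["src"] in ipaddress.ip_network(appr["source"])
                and parse_ts(appr["start"]) <= sess["opened"] <= parse_ts(appr["end"])):
            return appr
    return None


def review(log_text, approvals):
    """Return (session id, finding code, detail) tuples; an empty list means nothing anomalous."""
    findings = []
    for sess in load_sessions(log_text):
        if sess["opened"] is None:
            findings.append((sess["sid"], "close_without_open", "close event with no open event"))
            continue
        appr = matching_approval(sess, approvals)
        if appr is None:  # MA-4(5): no approval covers this technician, source and time
            findings.append((sess["sid"], "no_approval",
                             f"{sess['technician']} from {sess['src']} at {sess['opened'].isoformat()}"))
        if sess["auth"] not in STRONG_AUTH:  # MA-4 c: strong authentication required
            findings.append((sess["sid"], "weak_authentication", sess["auth"]))
        if sess["closed"] is None:  # MA-4 e / MA-4(7): session never terminated
            findings.append((sess["sid"], "not_terminated", "no close event recorded"))
        elif appr is not None and sess["closed"] > parse_ts(appr["end"]):
            findings.append((sess["sid"], "overran_approval", appr["ticket"]))
    return findings


if __name__ == "__main__":
    for sid, code, detail in review(GATEWAY_LOG, APPROVALS):
        print(f"{sid}: {code} ({detail})")
```

Run against the constructed sample, session s1 produces no finding, s2 is flagged for password authentication, s3 (an unapproved technician whose session is never closed) is flagged twice, and s4 is flagged because it starts after the approved window ends. Matching the approval on source network as well as technician and time is what gives MA-4(4)'s logical separation something to check against in the records.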