Doc:NIST SP 800-53Ar1 Appendix F/Enhanced/MA/Low

From FISMApedia

NIST SP 800-53Ar1 Assessment Procedure Catalog, with SP 800-53r3 Security Controls


MAINTENANCE

MA-1 SYSTEM MAINTENANCE POLICY AND PROCEDURES


FAMILY: MAINTENANCE CLASS: OPERATIONAL


Security Control Baseline:
  Control:  MA-1 System Maintenance Policy and Procedures
  Priority: P1
  LOW:      MA-1
  MOD:      MA-1
  HIGH:     MA-1


SECURITY CONTROL

See NIST SP 800-53r3 Appendix F, control MA-1 (control text not rendered on this page).


ASSESSMENT PROCEDURE
MA-1 SYSTEM MAINTENANCE POLICY AND PROCEDURES
MA-1.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops and formally documents system maintenance policy;
(ii) the organization system maintenance policy addresses:
(iii) the organization disseminates formal documented system maintenance policy to elements within the organization having associated system maintenance roles and responsibilities;
(iv) the organization develops and formally documents system maintenance procedures;
(v) the organization system maintenance procedures facilitate implementation of the system maintenance policy and associated system maintenance controls; and
(vi) the organization disseminates formal documented system maintenance procedures to elements within the organization having associated system maintenance roles and responsibilities.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information system maintenance policy and procedures; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system maintenance responsibilities].
MA-1.2 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the frequency of system maintenance policy reviews/updates;
(ii) the organization reviews/updates system maintenance policy in accordance with organization-defined frequency;
(iii) the organization defines the frequency of system maintenance procedure reviews/updates; and
(iv) the organization reviews/updates system maintenance procedures in accordance with organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information system maintenance policy and procedures; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system maintenance responsibilities].


MA-2 CONTROLLED MAINTENANCE


FAMILY: MAINTENANCE CLASS: OPERATIONAL


Security Control Baseline:
  Control:  MA-2 Controlled Maintenance
  Priority: P2
  LOW:      MA-2
  MOD:      MA-2 (1)
  HIGH:     MA-2 (1) (2)


SECURITY CONTROL

See NIST SP 800-53r3 Appendix F, control MA-2 (control text not rendered on this page).


ASSESSMENT PROCEDURE
MA-2 CONTROLLED MAINTENANCE
MA-2.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization schedules, performs, documents, and reviews records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements;
(ii) the organization controls all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;
(iii) the organization requires that a designated official explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs;
(iv) the organization sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs; and
(v) the organization checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information system maintenance policy; procedures addressing controlled maintenance for the information system; maintenance records; manufacturer/vendor maintenance specifications; equipment sanitization records; media sanitization records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system maintenance responsibilities].



MA-4 NON-LOCAL MAINTENANCE


FAMILY: MAINTENANCE CLASS: OPERATIONAL


Security Control Baseline:
  Control:  MA-4 Non-Local Maintenance
  Priority: P1
  LOW:      MA-4
  MOD:      MA-4 (1) (2)
  HIGH:     MA-4 (1) (2) (3)


SECURITY CONTROL

See NIST SP 800-53r3 Appendix F, control MA-4 (control text not rendered on this page).


ASSESSMENT PROCEDURE
MA-4 NON-LOCAL MAINTENANCE
MA-4.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization authorizes, monitors, and controls non-local maintenance and diagnostic activities;
(ii) the organization documents, in the organizational policy and security plan for the information system, the acceptable conditions for allowing the use of non-local maintenance and diagnostic tools;
(iii) the organization allows the use of non-local maintenance and diagnostic tools only as consistent with organizational policy and as documented in the security plan;
(iv) the organization employs strong identification and authentication techniques in the establishment of non-local maintenance and diagnostic sessions;
(v) the organization maintains records for non-local maintenance and diagnostic activities; and
(vi) the organization (or information system in certain cases) terminates all sessions and network connections when non-local maintenance or diagnostics is completed.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information system maintenance policy; procedures addressing non-local maintenance for the information system; security plan; information system design documentation; information system configuration settings and associated documentation; maintenance records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system maintenance responsibilities].



MA-5 MAINTENANCE PERSONNEL


FAMILY: MAINTENANCE CLASS: OPERATIONAL


Security Control Baseline:
  Control:  MA-5 Maintenance Personnel
  Priority: P1
  LOW:      MA-5
  MOD:      MA-5
  HIGH:     MA-5


SECURITY CONTROL

See NIST SP 800-53r3 Appendix F, control MA-5 (control text not rendered on this page).


ASSESSMENT PROCEDURE
MA-5 MAINTENANCE PERSONNEL
MA-5.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization establishes a process for maintenance personnel authorization;
(ii) the organization maintains a current list of authorized maintenance organizations or personnel; and
(iii) personnel performing maintenance on the information system either have the required access authorizations or are supervised by designated organizational personnel with the required access authorizations and technical competence deemed necessary to supervise information system maintenance.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Information system maintenance policy; procedures addressing maintenance personnel; service provider contracts and/or service level agreements; list of authorized personnel; maintenance records; access control records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information system maintenance responsibilities].


