Doc:NIST SP 800-53Ar1 Appendix F/Enhanced/MA/Moderate

Template:Doc:NIST SP 800-53r3 Appendix F/MA-1

Determine if: (i) the organization develops and formally documents system maintenance policy; (ii) the organization system maintenance policy addresses: purpose; scope; roles and responsibilities; management commitment; coordination among organizational entities; and compliance; (iii) the organization disseminates formal documented system maintenance policy to elements within the organization having associated system maintenance roles and responsibilities; (iv) the organization develops and formally documents system maintenance procedures; (v) the organization system maintenance procedures facilitate implementation of the system maintenance policy and associated system maintenance controls; and (vi) the organization disseminates formal documented system maintenance procedures to elements within the organization having associated system maintenance roles and responsibilities.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Information system maintenance policy and procedures; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with information system maintenance responsibilities].

Determine if: (i) the organization defines the frequency of system maintenance policy reviews/updates; (ii) the organization reviews/updates system maintenance policy in accordance with organization-defined frequency; and (iii) the organization defines the frequency of system maintenance procedure reviews/updates; (iv) the organization reviews/updates system maintenance procedures in accordance with organization-defined frequency.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Information system maintenance policy and procedures; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with information system maintenance responsibilities].

Template:Doc:NIST SP 800-53r3 Appendix F/MA-2

Determine if: (i) the organization schedules, performs, documents, and reviews records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements; (ii) the organization controls all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location; (iii) the organization requires that a designated official explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs; (iv) the organization sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs; and (v) the organization checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Information system maintenance policy; procedures addressing controlled maintenance for the information system; maintenance records; manufacturer/vendor maintenance specifications; equipment sanitization records; media sanitization records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with information system maintenance responsibilities].

Template:Doc:NIST SP 800-53r3 Appendix F/MA-2/1

Determine if the organization maintains maintenance records for the information system that include: date and time of maintenance; name of the individual performing the maintenance; name of escort, if necessary; a description of the maintenance performed; and a list of equipment removed or replaced (including identification numbers, if applicable).

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Information system maintenance policy; procedures addressing controlled maintenance for the information system; maintenance records; other relevant documents or records].

Template:Doc:NIST SP 800-53r3 Appendix F/MA-3

Determine if: (i) the organization approves, controls, and monitors the use of information system maintenance tools; and (ii) the organization maintains information system maintenance tools on an ongoing basis.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Information system maintenance policy; information system maintenance tools and associated documentation; procedures addressing information system maintenance tools; maintenance records; other relevant documents or records].

Template:Doc:NIST SP 800-53r3 Appendix F/MA-3/1

Determine if the organization inspects all maintenance tools carried into a facility by maintenance personnel for obvious improper modifications.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Information system maintenance policy; information system maintenance tools and associated documentation; procedures addressing information system maintenance tools; maintenance records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with information system maintenance responsibilities].

Template:Doc:NIST SP 800-53r3 Appendix F/MA-3/2

Determine if the organization checks all media containing diagnostic and test programs (e.g., software or firmware used for information system maintenance or diagnostics) for malicious code before the media are used in the information system.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Information system maintenance policy; information system maintenance tools and associated documentation; procedures addressing information system maintenance tools; information system media containing maintenance programs (including diagnostic and test programs); maintenance records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with information system maintenance responsibilities].

Test: [SELECT FROM: Media checking process for malicious code detection].

Template:Doc:NIST SP 800-53r3 Appendix F/MA-4

Determine if: (i) the organization authorizes, monitors, and controls non-local maintenance and diagnostic activities; (ii) the organization documents, in the organizational policy and security plan for the information system, the acceptable conditions for allowing the use of non-local maintenance and diagnostic tools; (iii) the organization allows the use of non-local maintenance and diagnostic tools only as consistent with organizational policy and as documented in the security plan; (iv) the organization employs strong identification and authentication techniques in the establishment of non-local maintenance and diagnostic sessions; (v) the organization maintains records for non-local maintenance and diagnostic activities; and (vi) the organization (or information system in certain cases) terminates all sessions and network connections when non-local maintenance or diagnostics is completed.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Information system maintenance policy; procedures addressing non-local maintenance for the information system; security plan; information system design documentation; information system configuration settings and associated documentation; maintenance records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with information system maintenance responsibilities].

Template:Doc:NIST SP 800-53r3 Appendix F/MA-4/1

Determine if: (i) the organization audits non-local maintenance and diagnostic sessions; and (ii) designated organizational personnel review the maintenance records of the sessions.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Information system maintenance policy; procedures addressing non-local maintenance for the information system; maintenance records; audit records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with information system maintenance responsibilities].

Template:Doc:NIST SP 800-53r3 Appendix F/MA-4/2

Determine if the organization documents the installation and use of non-local maintenance and diagnostic connections in the security plan for the information system.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Information system maintenance policy; procedures addressing non-local maintenance for the information system; security plan; maintenance records; audit records; other relevant documents or records].

Template:Doc:NIST SP 800-53r3 Appendix F/MA-5

Determine if: (i) the organization establishes a process for maintenance personnel authorization; (ii) the organization maintains a current list of authorized maintenance organizations or personnel; and (iii) personnel performing maintenance on the information system either have the required access authorizations or are supervised by designated organizational personnel with the required access authorizations and technical competence deemed necessary to supervise information system maintenance.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Information system maintenance policy; procedures addressing maintenance personnel; service provider contracts and/or service level agreements; list of authorized personnel; maintenance records; access control records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with information system maintenance responsibilities].

Template:Doc:NIST SP 800-53r3 Appendix F/MA-6

Determine if: (i) the organization defines security-critical information system components and/or key information technology components for which it will obtain maintenance support and/or spare parts; (ii) the organization defines the time period within which support and/or spare parts must be obtained after a failure; and (iii) the organization obtains maintenance support and/or spare parts for the organization-defined list of security-critical information system components and/or key information technology components within the organization-defined time period of failure.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Information system maintenance policy; procedures addressing timely maintenance for the information system; service provider contracts and/or service level agreements; inventory and availability of spare parts; security plan; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with information system maintenance responsibilities].