Doc:NIST SP 800-53Ar1 FPD Appendix F/Enhanced/MA

Template:Doc:NIST SP 800-53r3 Appendix F/MA-1

Determine if: (i) the organization develops and formally documents system maintenance policy; (ii) the organization system maintenance policy addresses: purpose; scope; roles and responsibilities; management commitment; coordination among organizational entities; and compliance; (iii) the organization disseminates formal documented system maintenance policy to elements within the organization having associated system maintenance roles and responsibilities; (iv) the organization develops and formally documents system maintenance procedures; (v) the organization system maintenance procedures facilitate implementation of the system maintenance policy and associated system maintenance controls; and (vi) the organization disseminates formal documented system maintenance procedures to elements within the organization having associated system maintenance roles and responsibilities.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Information system maintenance policy and procedures; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with information system maintenance responsibilities].

Determine if: (i) the organization defines the frequency of system maintenance policy reviews/updates; (ii) the organization reviews/updates system maintenance policy in accordance with organization-defined frequency; and (iii) the organization defines the frequency of system maintenance procedure reviews/updates; (iv) the organization reviews/updates system maintenance procedures in accordance with organization-defined frequency.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Information system maintenance policy and procedures; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with information system maintenance responsibilities].

Template:Doc:NIST SP 800-53r3 Appendix F/MA-2

Determine if: (i) the organization schedules, performs, documents, and reviews records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements; (ii) the organization controls all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location; (iii) the organization requires that a designated official explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs; (iv) the organization sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs; and (v) the organization checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Information system maintenance policy; procedures addressing controlled maintenance for the information system; maintenance records; manufacturer/vendor maintenance specifications; equipment sanitization records; media sanitization records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with information system maintenance responsibilities].

Template:Doc:NIST SP 800-53r3 Appendix F/MA-2/1

Determine if the organization maintains maintenance records for the information system that include: date and time of maintenance; name of the individual performing the maintenance; name of escort, if necessary; a description of the maintenance performed; and a list of equipment removed or replaced (including identification numbers, if applicable).

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Information system maintenance policy; procedures addressing controlled maintenance for the information system; maintenance records; other relevant documents or records].

Template:Doc:NIST SP 800-53r3 Appendix F/MA-2/2

Determine if: (i) the organization employs automated mechanisms to schedule, conduct, and document maintenance and repairs as required; and (ii) the organization employs automated mechanisms to product up-to-date, accurate, complete, and available records of all maintenance and repair actions needed, in process and complete.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Information system maintenance policy; procedures addressing controlled maintenance for the information system; automated mechanisms supporting information system maintenance activities; information system configuration settings and associated documentation; maintenance records; other relevant documents or records].

Template:Doc:NIST SP 800-53r3 Appendix F/MA-3

Determine if: (i) the organization approves, controls, and monitors the use of information system maintenance tools; and (ii) the organization maintains information system maintenance tools on an ongoing basis.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Information system maintenance policy; information system maintenance tools and associated documentation; procedures addressing information system maintenance tools; maintenance records; other relevant documents or records].

Template:Doc:NIST SP 800-53r3 Appendix F/MA-3/1

Determine if the organization inspects all maintenance tools carried into a facility by maintenance personnel for obvious improper modifications.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Information system maintenance policy; information system maintenance tools and associated documentation; procedures addressing information system maintenance tools; maintenance records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with information system maintenance responsibilities].

Template:Doc:NIST SP 800-53r3 Appendix F/MA-3/2

Determine if the organization checks all media containing diagnostic and test programs (e.g., software or firmware used for information system maintenance or diagnostics) for malicious code before the media are used in the information system.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Information system maintenance policy; information system maintenance tools and associated documentation; procedures addressing information system maintenance tools; information system media containing maintenance programs (including diagnostic and test programs); maintenance records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with information system maintenance responsibilities].

Test: [SELECT FROM: Media checking process for malicious code detection].

Template:Doc:NIST SP 800-53r3 Appendix F/MA-3/3

Determine if the organization prevents the unauthorized removal of maintenance equipment by one of the following: verifying that there is no organizational information contained on the equipment; sanitizing or destroying the equipment; retaining the equipment within the facility; or obtaining an exemption from a designated organization official explicitly authorizing removal of the equipment from the facility.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Information system maintenance policy; information system maintenance tools and associated documentation; procedures addressing information system maintenance tools; information system media containing maintenance programs (including diagnostic and test programs); maintenance records; equipment sanitization records; media sanitization records; exemptions for equipment removal; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with information system maintenance responsibilities].

Template:Doc:NIST SP 800-53r3 Appendix F/MA-3/4

Determine if the organization employs automated mechanisms to restrict the use of maintenance tools to authorized personnel only.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Information system maintenance policy; information system maintenance tools and associated documentation; procedures addressing information system maintenance tools; automated mechanisms supporting information system maintenance activities; information system design documentation; information system configuration settings and associated documentation; maintenance records; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms supporting information system maintenance activities].

Template:Doc:NIST SP 800-53r3 Appendix F/MA-4

Determine if: (i) the organization authorizes, monitors, and controls non-local maintenance and diagnostic activities; (ii) the organization documents, in the organizational policy and security plan for the information system, the acceptable conditions for allowing the use of non-local maintenance and diagnostic tools; (iii) the organization allows the use of non-local maintenance and diagnostic tools only as consistent with organizational policy and as documented in the security plan; (iv) the organization employs strong identification and authentication techniques in the establishment of non-local maintenance and diagnostic sessions; (v) the organization maintains records for non-local maintenance and diagnostic activities; and (vi) the organization (or information system in certain cases) terminates all sessions and network connections when non-local maintenance or diagnostics is completed.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Information system maintenance policy; procedures addressing non-local maintenance for the information system; security plan; information system design documentation; information system configuration settings and associated documentation; maintenance records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with information system maintenance responsibilities].

Template:Doc:NIST SP 800-53r3 Appendix F/MA-4/1

Determine if: (i) the organization audits non-local maintenance and diagnostic sessions; and (ii) designated organizational personnel review the maintenance records of the sessions.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Information system maintenance policy; procedures addressing non-local maintenance for the information system; maintenance records; audit records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with information system maintenance responsibilities].

Template:Doc:NIST SP 800-53r3 Appendix F/MA-4/2

Determine if the organization documents the installation and use of non-local maintenance and diagnostic connections in the security plan for the information system.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Information system maintenance policy; procedures addressing non-local maintenance for the information system; security plan; maintenance records; audit records; other relevant documents or records].

Template:Doc:NIST SP 800-53r3 Appendix F/MA-4/3

Determine if: (i) the organization requires and ensures non-local maintenance and diagnostic services from an information system that implements a level of security at least as high as the level of security implemented on the information system being serviced; or (ii) the organization removes the component to be serviced from the information system and prior to non-local maintenance or diagnostic services, sanitizes the component (with regard to organizational information) before removal from organizational facilities; and (iii) the organization after the removed component service is performed, inspects and sanitizes the component (with regard to potentially malicious software and surreptitious implants) before reconnecting to the information system.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Information system maintenance policy; procedures addressing non-local maintenance for the information system; service provider contracts and/or service level agreements; maintenance records; audit records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with information system maintenance responsibilities; information system maintenance provider].

Template:Doc:NIST SP 800-53r3 Appendix F/MA-4/4

Determine if: (i) the organization protects non-local maintenance sessions through the use of a strong authenticator tightly bound to the user; and (ii) the organization protects non-local maintenance sessions by separating the maintenance session from other network sessions with the information system by: either physically separated communications paths; or logically separated communications paths based upon encryption.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Information system maintenance policy; procedures addressing non-local maintenance for the information system; information system design documentation; information system configuration settings and associated documentation; maintenance records; audit records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with information system maintenance responsibilities].

Template:Doc:NIST SP 800-53r3 Appendix F/MA-4/5

Determine if: (i) the organization defines the organizational personnel to be notified when non-local maintenance is planned; (ii) the organization requires that maintenance personnel notify organization-defined personnel when non-local maintenance is planned (i.e., date/time); and (iii) the organization requires that a designated organizational official with specific information security/information system knowledge approves the non-local maintenance.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Information system maintenance policy; procedures addressing non-local maintenance for the information system; security plan; maintenance records; audit records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with information system maintenance responsibilities].

Template:Doc:NIST SP 800-53r3 Appendix F/MA-4/6

Determine if the organization employs cryptographic mechanisms to protect the integrity and confidentiality of non-local maintenance and diagnostic communications.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Information system maintenance policy; procedures addressing non-local maintenance for the information system; cryptographic mechanisms supporting information system maintenance activities; information system design documentation; information system configuration settings and associated documentation; maintenance records; audit records; other relevant documents or records].

Test: [SELECT FROM: Cryptographic mechanisms supporting information system maintenance activities].

Template:Doc:NIST SP 800-53r3 Appendix F/MA-4/7

Determine if the organization employs remote disconnect verification at the termination of non-local maintenance and diagnostic sessions.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Information system maintenance policy; procedures addressing non-local maintenance for the information system; information system design documentation; information system configuration settings and associated documentation; maintenance records; audit records; other relevant documents or records].

Template:Doc:NIST SP 800-53r3 Appendix F/MA-5

Determine if: (i) the organization establishes a process for maintenance personnel authorization; (ii) the organization maintains a current list of authorized maintenance organizations or personnel; and (iii) personnel performing maintenance on the information system either have the required access authorizations or are supervised by designated organizational personnel with the required access authorizations and technical competence deemed necessary to supervise information system maintenance.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Information system maintenance policy; procedures addressing maintenance personnel; service provider contracts and/or service level agreements; list of authorized personnel; maintenance records; access control records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with information system maintenance responsibilities].

Template:Doc:NIST SP 800-53r3 Appendix F/MA-5/1

Determine if the organization maintains procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens, that include the following requirements: maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals are escorted and supervised during the performance of maintenance and diagnostic activities on the information system by approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified; prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances, or formal access approvals, all volatile information storage components within the information system are sanitized and all nonvolatile storage media are removed or physically disconnected from the system and secured; and in the event an information system component cannot be sanitized, the procedures contained in the security plan for the system are enforced.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Information system maintenance policy; procedures addressing maintenance personnel; information system media protection policy; physical and environmental protection policy; security plan; list of maintenance personnel requiring escort/supervision; maintenance records; access control records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with information system maintenance responsibilities; organizational personnel with personnel security responsibilities; organizational personnel with physical access control responsibilities].

Template:Doc:NIST SP 800-53r3 Appendix F/MA-5/2

Determine if personnel performing maintenance and diagnostic activities on an information system processing, storing, or transmitting classified information are cleared for the highest level of information on the system.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Information system maintenance policy; procedures addressing maintenance personnel; maintenance records; access control records; access authorizations; access credentials; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with information system maintenance responsibilities; organizational personnel with personnel security responsibilities].

Template:Doc:NIST SP 800-53r3 Appendix F/MA-5/3

Determine if personnel performing maintenance and diagnostic activities on the information system processing, storing, or transmitting classified information are U.S. citizens.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Information system maintenance policy; procedures addressing maintenance personnel; maintenance records; access control records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with information system maintenance responsibilities, organizational personnel with personnel security responsibilities].

Template:Doc:NIST SP 800-53r3 Appendix F/MA-5/4

Determine if: (i) cleared foreign nationals are used to conduct maintenance and diagnostic activities on an information system only when the system is jointly owned and operated by the United States and foreign allied governments, or owned and operated solely by foreign allied governments; and (ii) the organization documents in a Memorandum of Agreement the approvals, consents, and detailed operational conditions under which foreign nationals are allowed to conduct maintenance and diagnostic activities on an information system.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Information system maintenance policy; procedures addressing maintenance personnel; information system media protection policy; access control policy and procedures; physical and environmental protection policy and procedures; memorandum of agreement; maintenance records; access control records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with information system maintenance responsibilities, organizational personnel with personnel security responsibilities].

Template:Doc:NIST SP 800-53r3 Appendix F/MA-6

Determine if: (i) the organization defines security-critical information system components and/or key information technology components for which it will obtain maintenance support and/or spare parts; (ii) the organization defines the time period within which support and/or spare parts must be obtained after a failure; and (iii) the organization obtains maintenance support and/or spare parts for the organization-defined list of security-critical information system components and/or key information technology components within the organization-defined time period of failure.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Information system maintenance policy; procedures addressing timely maintenance for the information system; service provider contracts and/or service level agreements; inventory and availability of spare parts; security plan; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with information system maintenance responsibilities].