Control: The organization approves, controls, and monitors information system maintenance tools.
Supplemental Guidance: This control addresses security-related issues associated with maintenance tools used specifically for diagnostic and repair actions on organizational information systems. Maintenance tools can include hardware, software, and firmware items. Maintenance tools are potential vehicles for transporting malicious code, either intentionally or unintentionally, into a facility and subsequently into organizational information systems. Maintenance tools can include, for example, hardware/software diagnostic test equipment and hardware/software packet sniffers. This control does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing “ping,” “ls,” “ipconfig,” or the hardware and software implementing the monitoring port of an Ethernet switch. Related controls: MA-2, MA-5, MP-6.
Control Enhancements:
maintenance tools | inspect tools
The organization inspects the maintenance tools carried into a facility by maintenance personnel for improper or unauthorized modifications.
Supplemental Guidance: If, upon inspection of maintenance tools, organizations determine that the tools have been modified in an improper/unauthorized manner or contain malicious code, the incident is handled consistent with organizational policies and procedures for incident handling. Related control: SI-7.
maintenance tools | inspect media
The organization checks media containing diagnostic and test programs for malicious code before the media are used in the information system.
Supplemental Guidance: If, upon inspection of media containing maintenance diagnostic and test programs, organizations determine that the media contain malicious code, the incident is handled consistent with organizational incident handling policies and procedures. Related control: SI-3.
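In practice the inspection steps in the two enhancements above (tools carried into the facility, and media checked before use) reduce to comparing what is on the media against the baseline recorded when the toolkit was approved. The following is an added example, not text or code from the control: it assumes the organization stores a manifest of relative path to SHA-256 for each approved toolkit, and it flags any file that is modified, missing, or not in the manifest. The toolkit contents, file names, and tampering scenario are constructed for the demonstration; scanning the media for malicious code is a separate step it does not perform.

```python
"""Added example: inspect maintenance-tool media against an approved baseline.

Illustrative code, not part of the control text. It assumes a manifest
(relative path -> SHA-256) is recorded at authorization time and re-checked
before the media is used. Malicious-code scanning is a separate step.
"""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large firmware images need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def list_files(root: Path) -> dict[str, Path]:
    """Map every regular file under root to its POSIX-style relative path."""
    return {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}


def build_manifest(root: Path) -> dict[str, str]:
    """Record the approved baseline of the toolkit at authorization time."""
    return {rel: sha256_file(p) for rel, p in sorted(list_files(root).items())}


def inspect_media(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare the media's current contents with the approved manifest."""
    present = list_files(root)
    result: dict[str, list[str]] = {"ok": [], "modified": [], "missing": [], "unknown": []}
    for rel, expected in manifest.items():
        path = present.pop(rel, None)
        if path is None:
            result["missing"].append(rel)
        elif sha256_file(path) == expected:
            result["ok"].append(rel)
        else:
            result["modified"].append(rel)
    result["unknown"] = sorted(present)  # files the baseline never approved
    return result


def approved(result: dict[str, list[str]]) -> bool:
    """The media may be used only if nothing was added, changed, or removed."""
    return not (result["modified"] or result["missing"] or result["unknown"])


def demo() -> dict[str, dict[str, list[str]]]:
    """Constructed scenario: baseline a toy toolkit, tamper with it, re-inspect."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "diag.sh").write_bytes(b"#!/bin/sh\necho running diagnostics\n")
        (root / "firmware.bin").write_bytes(bytes(range(256)))
        manifest = build_manifest(root)
        clean = inspect_media(root, manifest)

        # Simulate improper modification between approval and use (constructed):
        (root / "firmware.bin").write_bytes(b"\x00" * 256)      # image replaced
        (root / "bin" / "extra.so").write_bytes(b"\x7fELF...")  # unlisted binary added
        (root / "bin" / "diag.sh").unlink()                      # approved tool removed
        tampered = inspect_media(root, manifest)
    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "APPROVED" if approved(result) else "REJECTED", result)
```

A rejected inspection is the trigger for the incident handling the supplemental guidance describes; the manifest itself should be kept off the media it describes, or the party who modifies the tools can also rewrite the baseline.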
maintenance tools | prevent unauthorized removal
The organization prevents the unauthorized removal of maintenance equipment containing organizational information by:
Verifying that there is no organizational information contained on the equipment;
Sanitizing or destroying the equipment;
Retaining the equipment within the facility; or
Obtaining an exemption from [Assignment: organization-defined personnel or roles] explicitly authorizing removal of the equipment from the facility.
Supplemental Guidance: Organizational information includes all information specifically owned by organizations and information provided to organizations in which organizations serve as information stewards.
maintenance tools | restricted tool use
The information system restricts the use of maintenance tools to authorized personnel only.
Supplemental Guidance: This control enhancement applies to information systems that are used to carry out maintenance functions. Related controls: AC-2, AC-3, AC-5, AC-6.
Control: The organization:
Approves and monitors nonlocal maintenance and diagnostic activities;
Allows the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the information system;
Employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions;
Maintains records for nonlocal maintenance and diagnostic activities; and
Terminates session and network connections when nonlocal maintenance is completed.
Supplemental Guidance: Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. Authentication techniques used in the establishment of nonlocal maintenance and diagnostic sessions reflect the network access requirements in IA-2. Typically, strong authentication requires authenticators that are resistant to replay attacks and employ multifactor authentication. Strong authenticators include, for example, PKI where certificates are stored on a token protected by a password, passphrase, or biometric. Enforcing requirements in MA-4 is accomplished in part by other controls. Related controls: AC-2, AC-3, AC-6, AC-17, AU-2, AU-3, IA-2, IA-4, IA-5, IA-8, MA-2, MA-5, MP-6, PL-2, SC-7, SC-10, SC-17.
Control Enhancements:
nonlocal maintenance | auditing and review
The organization:
Audits nonlocal maintenance and diagnostic sessions [Assignment: organization-defined audit events]; and
Reviews the records of the maintenance and diagnostic sessions.
Supplemental Guidance: Related controls: AU-2, AU-6, AU-12.
nonlocal maintenance | document nonlocal maintenance
The organization documents in the security plan for the information system, the policies and procedures for the establishment and use of nonlocal maintenance and diagnostic connections.
nonlocal maintenance | comparable security / sanitization
The organization:
Requires that nonlocal maintenance and diagnostic services be performed from an information system that implements a security capability comparable to the capability implemented on the system being serviced; or
Removes the component to be serviced from the information system prior to nonlocal maintenance or diagnostic services, sanitizes the component (with regard to organizational information) before removal from organizational facilities, and after the service is performed, inspects and sanitizes the component (with regard to potentially malicious software) before reconnecting the component to the information system.
Supplemental Guidance: Comparable security capability on information systems, diagnostic tools, and equipment providing maintenance services implies that the implemented security controls on those systems, tools, and equipment are at least as comprehensive as the controls on the information system being serviced. Related controls: MA-3, SA-12, SI-3, SI-7.
nonlocal maintenance | authentication / separation of maintenance sessions
The organization protects nonlocal maintenance sessions by:
Employing [Assignment: organization-defined authenticators that are replay resistant]; and
Separating the maintenance sessions from other network sessions with the information system by either:
Physically separated communications paths; or
Logically separated communications paths based upon encryption.
Supplemental Guidance: Related control: SC-13.
nonlocal maintenance | approvals and notifications
The organization:
Requires the approval of each nonlocal maintenance session by [Assignment: organization-defined personnel or roles]; and
Notifies [Assignment: organization-defined personnel or roles] of the date and time of planned nonlocal maintenance.
Supplemental Guidance: Notification may be performed by maintenance personnel. Approval of nonlocal maintenance sessions is accomplished by organizational personnel with sufficient information security and information system knowledge to determine the appropriateness of the proposed maintenance.
nonlocal maintenance | cryptographic protection
The information system implements cryptographic mechanisms to protect the integrity and confidentiality of nonlocal maintenance and diagnostic communications.
Supplemental Guidance: Related controls: SC-8, SC-13.
nonlocal maintenance | remote disconnect verification
The information system implements remote disconnect verification at the termination of nonlocal maintenance and diagnostic sessions.
Supplemental Guidance: Remote disconnect verification ensures that remote connections from nonlocal maintenance sessions have been terminated and are no longer available for use. Related control: SC-13.
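The record review required by the base control (items b, c, d and e) and by the auditing, authentication, approval and remote disconnect enhancements above can be automated once session records are kept. The following is an added example, not text or code from the control: it assumes a maintenance gateway writes one JSON object per line, a constructed format rather than any product's real log, with a "start" event carrying the user, the authenticator types used and the approval reference, and an "end" event when the session and its network connection are torn down. The set of authenticator types treated as replay resistant, the four-hour maximum session length, the sample records and the timestamps are all assumptions made for the demonstration.

```python
"""Added example: review nonlocal maintenance session records.

Illustrative code, not part of the control text. The record format,
authenticator names, approval references and the maximum session length
are assumptions; the log lines are constructed.
"""
from __future__ import annotations

import json
from datetime import datetime, timedelta

# Assumption: authenticator types the organization treats as replay resistant.
REPLAY_RESISTANT = {"publickey", "smartcard", "totp", "hardware-token"}

# Constructed sample records: one JSON object per line, ISO 8601 times.
SAMPLE_LOG = """
{"time": "2024-03-04T09:00:00", "event": "start", "session": "s1", "user": "vendor-a", "auth": ["smartcard", "pin"], "approval": "CR-118"}
{"time": "2024-03-04T10:15:00", "event": "end", "session": "s1"}
{"time": "2024-03-04T11:00:00", "event": "start", "session": "s2", "user": "vendor-b", "auth": ["password"]}
{"time": "2024-03-04T12:30:00", "event": "start", "session": "s3", "user": "vendor-a", "auth": ["publickey", "totp"], "approval": "CR-121"}
"""
NOW = datetime.fromisoformat("2024-03-04T18:00:00")  # constructed review time


def parse_records(text: str) -> list[dict]:
    """Parse JSON-lines records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def review_sessions(records: list[dict], now: datetime,
                    max_duration: timedelta = timedelta(hours=4)) -> dict[str, list[str]]:
    """Return, per session, the findings a reviewer should act on.

    Checks: an approval was recorded (approvals and notifications), the
    authenticators are multifactor and include a replay-resistant type
    (strong authenticators), and the session was disconnected (termination
    and remote disconnect verification) within the allowed duration.
    """
    sessions: dict[str, dict] = {}
    for rec in records:
        s = sessions.setdefault(rec["session"], {})
        if rec["event"] == "start":
            s["user"] = rec["user"]
            s["auth"] = set(rec["auth"])
            s["approval"] = rec.get("approval")
            s["start"] = datetime.fromisoformat(rec["time"])
        elif rec["event"] == "end":
            s["end"] = datetime.fromisoformat(rec["time"])

    findings: dict[str, list[str]] = {}
    for sid, s in sessions.items():
        issues: list[str] = []
        if "start" not in s:
            findings[sid] = ["end record without a start record"]
            continue
        if not s["approval"]:
            issues.append("no approval recorded")
        if len(s["auth"]) < 2:
            issues.append("single-factor authentication")
        if not s["auth"] & REPLAY_RESISTANT:
            issues.append("no replay-resistant authenticator")
        end = s.get("end")
        if end is None:
            issues.append("no disconnect recorded")
            open_for = now - s["start"]  # still open at review time
        else:
            open_for = end - s["start"]
        if open_for > max_duration:
            issues.append(f"open longer than {max_duration}")
        findings[sid] = issues
    return findings


def review_log(text: str = SAMPLE_LOG, now: datetime = NOW) -> dict[str, list[str]]:
    """Convenience wrapper: parse and review a log in one call."""
    return review_sessions(parse_records(text), now)


if __name__ == "__main__":
    for sid, issues in review_log().items():
        print(sid, "OK" if not issues else "; ".join(issues))
```

A session with "no disconnect recorded" is exactly the case remote disconnect verification exists for: the reviewer cannot assume the connection is gone because the maintenance was finished, and should confirm on the gateway that it is.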
References: FIPS Publications 140-2, 197, 201; NIST Special Publications 800-63, 800-88; CNSS Policy 15.