This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization:
a. Schedules, performs, documents, and reviews records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements;
b. Approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;
c. Requires that [Assignment: organization-defined personnel or roles] explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs;
d. Sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs;
e. Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; and
f. Includes [Assignment: organization-defined maintenance-related information] in organizational maintenance records.
NIST 800-53 (r4) Supplemental Guidance:
This control addresses the information security aspects of the information system maintenance program and applies to all types of maintenance to any system component (including applications) conducted by any local or nonlocal entity (e.g., in-contract, warranty, in-house, software maintenance agreement). System maintenance also includes those components not directly associated with information processing and/or data/information retention such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes, for example: (i) date and time of maintenance; (ii) name of individuals or group performing the maintenance; (iii) name of escort, if necessary; (iv) a description of the maintenance performed; and (v) information system components/equipment removed or replaced (including identification numbers, if applicable). The level of detail included in maintenance records can be informed by the security categories of organizational information systems. Organizations consider supply chain issues associated with replacement components for information systems. Related controls: CM-3, CM-4, MA-4, MP-6, PE-16, SA-12, SI-2.
References: None
NIST 800-53 (r5) Discussion:
Controlling system maintenance addresses the information security aspects of the system maintenance program and applies to all types of maintenance to system components conducted by local or nonlocal entities. Maintenance includes peripherals such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes the date and time of maintenance, a description of the maintenance performed, names of the individuals or group performing the maintenance, name of the escort, and system components or equipment that are removed or replaced. Organizations consider supply chain-related risks associated with replacement components for systems.
38North Guidance:
Meets Minimum Requirement:
Organization has well-documented, repeatable procedures for the maintenance and repair of all system components.
Organization maintains records of all onsite and offsite maintenance activities, inclusive of all maintenance-related information in requirement MA-2.f. and approvals.
If an external vendor is used to perform maintenance activities:
  There is a contract with specific language about how maintenance will be performed.
  There are records that show that components were sanitized prior to leaving the controlled facilities.
  Components are tagged and tracked by chain of custody documentation.
  There is a list of security controls that are checked when components are returned.
Best Practice:
TBD
Unofficial FedRAMP Guidance: None
Assessment Evidence:
Maintenance schedule
Maintenance records that show the type of maintenance performed, who performed the maintenance, and who approved the maintenance
If components are removed for maintenance:
  Maintenance contract with external vendor
  Approval to remove the system component and chain of custody documentation
  Procedures and evidence that the component was sanitized before leaving the controlled facility
  Procedures and evidence that the component's security controls are checked following maintenance activities
CSP Implementation Tips:
Amazon Web Services (AWS): Fully Inherited
Microsoft Azure: Fully Inherited
Google Cloud Platform: Fully Inherited