This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization approves, controls, and monitors information system maintenance tools.
NIST 800-53 (r4) Supplemental Guidance:
This control addresses security-related issues associated with maintenance tools used specifically for diagnostic and repair actions on organizational information systems. Maintenance tools can include hardware, software, and firmware items. Maintenance tools are potential vehicles for transporting malicious code, either intentionally or unintentionally, into a facility and subsequently into organizational information systems. Maintenance tools can include, for example, hardware/software diagnostic test equipment and hardware/software packet sniffers. This control does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing “ping,” “ls,” “ipconfig,” or the hardware and software implementing the monitoring port of an Ethernet switch. Related controls: MA-2, MA-5, MP-6.
References: NIST Special Publication 800-88.
NIST 800-53 (r5) Discussion:
Approving, controlling, monitoring, and reviewing maintenance tools address security-related issues associated with maintenance tools that are not within system authorization boundaries and are used specifically for diagnostic and repair actions on organizational systems. Organizations have flexibility in determining roles for the approval of maintenance tools and how that approval is documented. A periodic review of maintenance tools facilitates the withdrawal of approval for outdated, unsupported, irrelevant, or no-longer-used tools. Maintenance tools can include hardware, software, and firmware items and may be pre-installed, brought in with maintenance personnel on media, cloud-based, or downloaded from a website. Such tools can be vehicles for transporting malicious code, either intentionally or unintentionally, into a facility and subsequently into systems. Maintenance tools can include hardware and software diagnostic test equipment and packet sniffers. The hardware and software components that support maintenance and are a part of the system (including the software implementing utilities such as ping, ls, ipconfig, or the hardware and software implementing the monitoring port of an Ethernet switch) are not addressed by maintenance tools.
38North Guidance:
Meets Minimum Requirement:
The organization has an established, repeatable process for formally approving maintenance tools for diagnostic and repair actions
A list of approved tools (hardware, software, and firmware), with approver and approval date for each entry, is maintained and periodically reviewed so that outdated, unsupported, or no-longer-used tools are withdrawn
Maintenance tools brought into the environment are always verified against the approved list before use, matching on more than the tool's name (for software: version and a checksum of the approved binary; for hardware: model and serial number), so that a substituted or tampered tool is not accepted
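The check described above, as an added illustration (this is not code from the page, from NIST, or from any CSP): a maintenance tool is accepted only if the SHA-256 of the binary presented matches an entry on the approved list whose approval is still active and not past its review date. The inventory format, tool names, and hashes are constructed for the example and are assumptions, not a real inventory.

```python
"""Verify a maintenance tool against an approved-tool inventory (added example).

The inventory schema below is hypothetical. Tool names, blobs and hashes are
constructed sample data, not real tools.
"""
import hashlib
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class ApprovedTool:
    name: str
    version: str
    sha256: str          # hash of the exact binary/installer that was approved
    approved_by: str     # who approved it (evidence: "and by whom")
    approved_on: date
    review_by: date      # approval lapses after this date unless re-reviewed
    status: str = "active"   # "active" or "withdrawn"


def _sha256(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


# Constructed sample binaries standing in for the files an engineer presents.
DIAGTOOL_21 = b"diagtool-2.1 binary (constructed sample)"
DIAGTOOL_22 = b"diagtool-2.2 binary (constructed sample, never approved)"
PKTCAP_10 = b"pktcap-1.0 binary (constructed sample)"

# Constructed approved-tool list (hypothetical).
INVENTORY = [
    ApprovedTool("diagtool", "2.1", _sha256(DIAGTOOL_21), "sec-lead",
                 date(2023, 1, 10), date(2024, 1, 10)),
    ApprovedTool("pktcap", "1.0", _sha256(PKTCAP_10), "sec-lead",
                 date(2022, 6, 1), date(2023, 6, 1), status="withdrawn"),
]


def check_tool(blob: bytes, inventory, today: date):
    """Return (accepted, reason). Match on hash, not on the file name the
    engineer gives, so a renamed or modified binary cannot pass."""
    digest = _sha256(blob)
    match = next((t for t in inventory if t.sha256 == digest), None)
    if match is None:
        return False, f"sha256 {digest[:12]}... is not on the approved list"
    if match.status != "active":
        return False, f"{match.name} {match.version}: approval withdrawn"
    if today > match.review_by:
        return False, (f"{match.name} {match.version}: approval lapsed on "
                       f"{match.review_by}, re-review required")
    return True, (f"{match.name} {match.version} approved by "
                  f"{match.approved_by} on {match.approved_on}")


def due_for_review(inventory, today: date, horizon_days: int = 30):
    """Periodic-review helper: active entries whose review date has passed or
    falls within the horizon. Withdrawn entries are already out of scope."""
    cutoff = today + timedelta(days=horizon_days)
    return sorted(f"{t.name} {t.version}" for t in inventory
                  if t.status == "active" and t.review_by <= cutoff)


if __name__ == "__main__":
    today = date(2023, 12, 20)
    for blob in (DIAGTOOL_21, DIAGTOOL_22, PKTCAP_10):
        ok, why = check_tool(blob, INVENTORY, today)
        print("ACCEPT" if ok else "REJECT", why)
    print("due for review:", due_for_review(INVENTORY, today))
```

The hash comparison is the important part: matching on name and version alone lets anyone present an arbitrary binary under an approved name. The review helper is what turns the "periodically reviewed" requirement into a concrete, repeatable report.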
Best Practice:
TBD
Unofficial FedRAMP Guidance: None
Assessment Evidence:
Process that is used to approve maintenance tools
Process to periodically review the approved list of maintenance tools to remove outdated, unsupported, irrelevant, or no-longer-used tools
List of maintenance tools that have been approved for use in the environment, and by whom
Process for controlling and monitoring the use of approved maintenance tools
CSP Implementation Tips:
Amazon Web Services (AWS): Fully Inherited for the provider's physical and hypervisor-layer maintenance tooling
Microsoft Azure: Fully Inherited for the provider's physical and hypervisor-layer maintenance tooling
Google Cloud Platform: Fully Inherited for the provider's physical and hypervisor-layer maintenance tooling
Note: inheritance stops at the provider's boundary. Diagnostic and repair tools that the organization's own engineers bring to its cloud-hosted components (for example packet-capture or debugging software installed on instances or containers) are not covered by the provider's MA-3 implementation and must go through the organization's own approval list and review process described above.