This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization:
a. Approves and monitors nonlocal maintenance and diagnostic activities;
b. Allows the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the information system;
c. Employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions;
d. Maintains records for nonlocal maintenance and diagnostic activities; and
e. Terminates session and network connections when nonlocal maintenance is completed.
NIST 800-53 (r4) Supplemental Guidance:
Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. Authentication techniques used in the establishment of nonlocal maintenance and diagnostic sessions reflect the network access requirements in IA-2. Typically, strong authentication requires authenticators that are resistant to replay attacks and employ multifactor authentication. Strong authenticators include, for example, PKI where certificates are stored on a token protected by a password, passphrase, or biometric. Enforcing requirements in MA-4 is accomplished in part by other controls. Related controls: AC-2, AC-3, AC-6, AC-17, AU-2, AU-3, IA-2, IA-4, IA-5, IA-8, MA-2, MA-5, MP-6, PL-2, SC-7, SC-10, SC-17.
References: FIPS Publications 140-2, 197, 201; NIST Special Publications 800-63, 800-88; CNSS Policy 15.
NIST 800-53 (r5) Discussion:
Nonlocal maintenance and diagnostic activities are conducted by individuals who communicate through either an external or internal network. Local maintenance and diagnostic activities are carried out by individuals who are physically present at the system location and not communicating across a network connection. Authentication techniques used to establish nonlocal maintenance and diagnostic sessions reflect the network access requirements in IA-2. Strong authentication requires authenticators that are resistant to replay attacks and employ multi-factor authentication. Strong authenticators include PKI where certificates are stored on a token protected by a password, passphrase, or biometric. Enforcing requirements in MA-4 is accomplished, in part, by other controls. SP 800-63B provides additional guidance on strong authentication and authenticators.
38North Guidance:
Meets Minimum Requirement:
There are procedures in place for approving and monitoring maintenance activity performed by individuals who are not physically present at the system (over either an internal or external network)
The System Security Plan clearly identifies the circumstances under which non-local maintenance and diagnostic tools are allowed (and ideally lists the approved tools as well)
Authenticators used to establish internal or external network connections comply with Controls IA-2 and IA-5 and enhancements, as applicable
Non-local maintenance and diagnostic activities, including the authentication events that establish each session, are logged (e.g., electronically via auditing controls)
There are procedures in place to ensure that session and network connections are terminated once maintenance activities are completed
Best Practice:
TBD
Unofficial FedRAMP Guidance: None
Assessment Evidence:
Procedures for approving and monitoring non-local maintenance activities (over either an internal or external network)
Procedures for managing the sessions used for non-local maintenance activities, including their termination
List of maintenance tools that have been approved for use during non-local maintenance activities
Sampling of artifacts, such as logs, that show the details of sessions established for maintenance and diagnostic activities (who connected, from where, how they authenticated, when the session opened and closed) and the actions performed while each session was open
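The log sampling above is the usual evidence for MA-4 c, d and e. As an added example (not part of the original page or of any 38North tooling), the following script reconstructs SSH maintenance sessions from sshd syslog lines and flags the cases an assessor looks for: sessions authenticated with a lone password (single-factor and replayable), sessions that were never closed, and sessions that ran past an approved maintenance window. The log lines, host names, user names, addresses and the two-hour window are constructed for the example; the OpenSSH message formats (Accepted/Partial ... for ... from ..., pam_unix session opened/closed) are assumed to match the deployed sshd and PAM configuration.

```python
"""Reconstruct non-local (SSH) maintenance sessions from sshd log lines and
flag MA-4 c/d/e issues: weak authentication, sessions never terminated, and
sessions open longer than the approved window.  Example code; all log lines
below are constructed, not taken from a real system."""
import re
from datetime import datetime, timedelta

# Constructed sample in the OpenSSH + pam_unix syslog style (assumed format).
SAMPLE_LOG = """\
2024-03-04T09:00:12Z bastion sshd[4101]: Partial publickey for maint-alice from 10.20.0.5 port 51234 ssh2: ED25519 SHA256:abc123
2024-03-04T09:00:14Z bastion sshd[4101]: Accepted keyboard-interactive/pam for maint-alice from 10.20.0.5 port 51234 ssh2
2024-03-04T09:00:14Z bastion sshd[4101]: pam_unix(sshd:session): session opened for user maint-alice(uid=1001) by (uid=0)
2024-03-04T09:41:55Z bastion sshd[4101]: pam_unix(sshd:session): session closed for user maint-alice
2024-03-04T10:15:03Z bastion sshd[4188]: Accepted password for vendor-bob from 203.0.113.9 port 40022 ssh2
2024-03-04T10:15:03Z bastion sshd[4188]: pam_unix(sshd:session): session opened for user vendor-bob(uid=1002) by (uid=0)
2024-03-04T10:40:17Z bastion sshd[4188]: pam_unix(sshd:session): session closed for user vendor-bob
2024-03-04T11:02:30Z bastion sshd[4250]: Accepted publickey for maint-carol from 10.20.0.7 port 51300 ssh2: ED25519 SHA256:def456
2024-03-04T11:02:30Z bastion sshd[4250]: pam_unix(sshd:session): session opened for user maint-carol(uid=1003) by (uid=0)
2024-03-04T13:00:00Z bastion sshd[4302]: Partial publickey for maint-dave from 10.20.0.9 port 51400 ssh2: ED25519 SHA256:789ghi
2024-03-04T13:00:02Z bastion sshd[4302]: Accepted keyboard-interactive/pam for maint-dave from 10.20.0.9 port 51400 ssh2
2024-03-04T13:00:02Z bastion sshd[4302]: pam_unix(sshd:session): session opened for user maint-dave(uid=1004) by (uid=0)
2024-03-04T16:30:00Z bastion sshd[4302]: pam_unix(sshd:session): session closed for user maint-dave
"""

# Common prefix: ISO timestamp, host, and the sshd pid that ties a session's lines together.
_PREFIX = r"(?P<ts>\S+) \S+ sshd\[(?P<pid>\d+)\]: "
ACCEPT_RE = re.compile(_PREFIX + r"(?P<state>Accepted|Partial) (?P<method>[\w/-]+) for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)")
OPEN_RE = re.compile(_PREFIX + r"pam_unix\(sshd:session\): session opened for user (?P<user>[^\s(]+)")
CLOSE_RE = re.compile(_PREFIX + r"pam_unix\(sshd:session\): session closed for user (?P<user>\S+)")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_sessions(log_text):
    """Group log lines by sshd pid into one record per session.
    Assumes the auth and pam_unix lines of a session share a pid, which
    holds for the default OpenSSH privilege-separation logging."""
    sessions = {}
    for line in log_text.splitlines():
        m = ACCEPT_RE.match(line)
        if m:
            s = sessions.setdefault(m["pid"], {"user": m["user"], "src": m["src"],
                                                "methods": [], "opened": None, "closed": None})
            s["methods"].append(m["method"])  # Partial + Accepted = full method chain
            continue
        m = OPEN_RE.match(line)
        if m and m["pid"] in sessions:
            sessions[m["pid"]]["opened"] = parse_ts(m["ts"])
            continue
        m = CLOSE_RE.match(line)
        if m and m["pid"] in sessions:
            sessions[m["pid"]]["closed"] = parse_ts(m["ts"])
    return list(sessions.values())


def review(sessions, max_window=timedelta(hours=2)):
    """Return (user, finding) pairs.  max_window is the approved maintenance
    window (assumed two hours here); MA-4 itself sets no number."""
    findings = []
    for s in sessions:
        methods = set(s["methods"])
        if methods == {"password"}:
            findings.append((s["user"], "password-only: single-factor, replayable"))
        elif len(methods) < 2:
            # A lone publickey may still be a token-backed key (strong per MA-4),
            # but the log cannot show that, so route it to manual review.
            findings.append((s["user"], "single method: confirm token-backed key per SSP"))
        if s["closed"] is None:
            findings.append((s["user"], "session not terminated"))
        elif s["closed"] - s["opened"] > max_window:
            findings.append((s["user"], "session exceeded approved window"))
    return findings


if __name__ == "__main__":
    for user, finding in review(parse_sessions(SAMPLE_LOG)):
        print(f"{user}: {finding}")
```

Run against a real export, the output doubles as the evidence sample for MA-4 d and a check of MA-4 e; pair it with the SSP's list of approved tools and authenticators so that a single-method session can be closed out as compliant rather than left as an open review item.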
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD