This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization:
(a) Requires that nonlocal maintenance and diagnostic services be performed from an information system that implements a security capability comparable to the capability implemented on the system being serviced; or
(b) Removes the component to be serviced from the information system prior to nonlocal maintenance or diagnostic services, sanitizes the component (with regard to organizational information) before removal from organizational facilities, and after the service is performed, inspects and sanitizes the component (with regard to potentially malicious software) before reconnecting the component to the information system.
NIST 800-53 (r4) Supplemental Guidance:
Comparable security capability on information systems, diagnostic tools, and equipment providing maintenance services implies that the implemented security controls on those systems, tools, and equipment are at least as comprehensive as the controls on the information system being serviced. Related controls: MA-3, SA-12, SI-3, SI-7.
References: FIPS Publications 140-2, 197, 201; NIST Special Publications 800-63, 800-88; CNSS Policy 15.
NIST 800-53 (r5) Discussion:
Comparable security capability on systems, diagnostic tools, and equipment providing maintenance services implies that the implemented controls on those systems, tools, and equipment are at least as comprehensive as the controls on the system being serviced.
38North Guidance:
Meets Minimum Requirement:
System Owner ensures that equivalent security controls (e.g. people, processes, procedures) are implemented for the services that will be used to perform non-local system maintenance
There are procedures for the removal of an information system component, which include ensuring that the component is sanitized and information has been removed before the non-local maintenance service is performed
There are procedures in place for the retrieval of information system components, which include inspecting and sanitizing (e.g. scanning) the component before it is reconnected to the information system, to ensure that no vulnerabilities are introduced
Best Practice:
TBD
Unofficial FedRAMP Guidance: None
Assessment Evidence:
System Security Plan, External security audit, attestation, or other documentation that describes the security controls that have been implemented for the maintenance and diagnostic services being performed
Procedures for sanitizing and removing system information from an information system component when it needs to be removed for non-local maintenance
Procedures for receiving, inspecting, and sanitizing an information system component before it is reconnected to the information system
Artifacts (e.g. checklists) that show procedures have been followed when an information system component was removed
Artifacts (e.g. checklists, scan results) that show procedures have been followed when an information system component was retrieved from non-local maintenance and reconnected to the information system after it was deemed to be properly sanitized
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD