This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization:
a. Establishes a process for maintenance personnel authorization and maintains a list of authorized maintenance organizations or personnel;
b. Ensures that non-escorted personnel performing maintenance on the information system have required access authorizations; and
c. Designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.
NIST 800-53 (r4) Supplemental Guidance:
This control applies to individuals performing hardware or software maintenance on organizational information systems, while PE-2 addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems (e.g., custodial staff, physical plant maintenance personnel). Technical competence of supervising individuals relates to the maintenance performed on the information systems while having required access authorizations refers to maintenance on and near the systems. Individuals not previously identified as authorized maintenance personnel, such as information technology manufacturers, vendors, systems integrators, and consultants, may require privileged access to organizational information systems, for example, when required to conduct maintenance activities with little or no notice. Based on organizational assessments of risk, organizations may issue temporary credentials to these individuals. Temporary credentials may be for one-time use or for very limited time periods. Related controls: AC-2, IA-8, MP-2, PE-2, PE-3, PE-4, RA-3.
References: None
NIST 800-53 (r5) Discussion:
Maintenance personnel refers to individuals who perform hardware or software maintenance on organizational systems, while PE-2 addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems. Technical competence of supervising individuals relates to the maintenance performed on the systems, while having required access authorizations refers to maintenance on and near the systems. Individuals not previously identified as authorized maintenance personnel—such as information technology manufacturers, vendors, systems integrators, and consultants—may require privileged access to organizational systems, such as when they are required to conduct maintenance activities with little or no notice. Based on organizational assessments of risk, organizations may issue temporary credentials to these individuals. Temporary credentials may be for one-time use or for very limited time periods.
38North Guidance:
Meets Minimum Requirement:
There are procedures for authorizing maintenance personnel performing hardware or software maintenance on organizational information systems
There is a list of maintenance personnel or organizations that have successfully completed the authorization process
There are procedures for checking the list of authorized individuals, before they are granted access, to determine if they are authorized and do not need to be escorted
There are procedures for designating personnel with required access authorizations and technical competence to supervise the maintenance activities of individuals who have not completed the access authorization process
There is a list of individuals designated to supervise maintenance personnel
Best Practice:
TBD
Unofficial FedRAMP Guidance: None
Assessment Evidence:
Procedure for authorizing maintenance personnel performing hardware or software maintenance on organizational information systems
Procedure for checking names against the authorized list before individuals are granted access to perform maintenance
List of individuals or organizations that have successfully completed the authorization process
Sample of names from the authorized list, and the matching authorization showing that they completed the process
List of personnel that have been designated to supervise maintenance personnel
CSP Implementation Tips:
Amazon Web Services (AWS): Fully Inherited
Microsoft Azure: Fully Inherited
Google Cloud Platform: Fully Inherited