This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization:
(a) Implements procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens, that include the following requirements:
(1) Maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals are escorted and supervised during the performance of maintenance and diagnostic activities on the information system by approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified;
(2) Prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances or formal access approvals, all volatile information storage components within the information system are sanitized and all nonvolatile storage media are removed or physically disconnected from the system and secured; and
(b) Develops and implements alternate security safeguards in the event an information system component cannot be sanitized, removed, or disconnected from the system.
NIST 800-53 (r4) Supplemental Guidance:
This control enhancement denies individuals who lack appropriate security clearances (i.e., individuals who do not possess security clearances or possess security clearances at a lower level than required) or who are not U.S. citizens, visual and electronic access to any classified information, Controlled Unclassified Information (CUI), or any other sensitive information contained on organizational information systems. Procedures for the use of maintenance personnel can be documented in security plans for the information systems. Related controls: MP-6, PL-2.
References: None
NIST 800-53 (r5) Discussion:
Procedures for individuals who lack appropriate security clearances or who are not U.S. citizens are intended to deny visual and electronic access to classified or controlled unclassified information contained on organizational systems. Procedures for the use of maintenance personnel can be documented in security plans for the systems.
38North Guidance:
Meets Minimum Requirement:
The organization checks security clearances and citizenship before authorizing personnel to perform maintenance on the information system components
There are procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens, that include requirements a.1 and a.2 above
There are procedures for designating personnel with required access authorizations and technical competence to escort and supervise individuals who do not have needed access authorizations, clearances, or formal access approvals
There is a list of individuals designated to escort and supervise maintenance personnel
There are procedures for sanitizing all volatile information storage components within the information system
There are procedures for removing all nonvolatile storage media from the system, or physically disconnecting it, and securing it before maintenance begins
There are procedures that describe the actions to be taken when a component cannot be sanitized, removed, or disconnected from the system
Best Practice:
TBD
Unofficial FedRAMP Guidance: None
Assessment Evidence:
List of maintenance personnel, along with their security clearance level or U.S. citizenship status
List of personnel that have been designated to escort and supervise maintenance personnel
All procedures describing the protection of system components from Individuals Without Appropriate Access, as described above
CSP Implementation Tips:
Amazon Web Services (AWS): Fully Inherited
Microsoft Azure: Fully Inherited
Google Cloud Platform: Fully Inherited