MA-6 Timely Maintenance (M) (H)

NIST 800-53 (r4) Control:

The organization obtains maintenance support and/or spare parts for [Assignment: organization-defined information system components] within [Assignment: organization-defined time period] of failure.

NIST 800-53 (r4) Supplemental Guidance:

Organizations specify the information system components that result in increased risk to organizational operations and assets, individuals, other organizations, or the Nation when the functionality provided by those components is not operational. Organizational actions to obtain maintenance support typically include having appropriate contracts in place. Related controls: CM-8, CP-2, CP-7, SA-14, SA-15.

References: None

NIST 800-53 (r5) Discussion:

Organizations specify the system components that result in increased risk to organizational operations and assets, individuals, other organizations, or the Nation when the functionality provided by those components is not operational. Organizational actions to obtain maintenance support include having appropriate contracts in place.

38North Guidance:

Meets Minimum Requirement:

• Maintains a list of system components with an increased risk to organizational operations for which maintenance support and/or spare parts must be obtained

• Maintains a list of timeframes, after failure, for when maintenance support and/or spare parts must be obtained

• Has procedures in place to ensure maintenance or replacement timeframes are met (e.g. who do they contact, within what timeframes to ensure delivery, who is responsible for requesting maintenance or spare parts)

Best Practice:

• TBD

Unofficial FedRAMP Guidance: None

Assessment Evidence:

• Contract/Service Level Agreements with external entities for maintenance support or to receive spare parts

• List of system components with an increased risk to organizational operations for which maintenance support and/or spare parts must be obtained

• List of timeframes, after failure, for when maintenance support and/or spare parts must be obtained

• Procedures to ensure required timeframes are met

CSP Implementation Tips:

• Amazon Web Services (AWS): Fully Inherited

• Microsoft Azure: Fully Inherited

• Google Cloud Platform: Fully Inherited