Catalog: NIST Special Publication 800-53 Revision 4: Security and Privacy Controls for Federal Information Systems and Organizations | Controls: 69
| Control ID | Title | Statement | Priority | Baseline Impact |
|---|---|---|---|---|
| MA-1 | System Maintenance Policy and Procedures | The organization: a. Develops, documents, and disseminates to {{ insert: param, ma-1_prm_1 }}: 1. A system maintenance policy that addresses purpose, scope, roles, responsibilities, managemen... | — | — |
| MA-2 | Controlled Maintenance | The organization: a. Schedules, performs, documents, and reviews records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and/o... | — | — |
| MA-2(1) | Record Content | [Withdrawn in Revision 4: Incorporated into MA-2] | — | — |
| MA-2(2) | Automated Maintenance Activities | The organization: (a) Employs automated mechanisms to schedule, conduct, and document maintenance and repairs; and (b) Produces up-to-date, accurate, and complete records of all maintenance and... | — | — |
| MA-3 | Maintenance Tools | The organization approves, controls, and monitors information system maintenance tools. | — | — |
| MA-3(1) | Inspect Tools | The organization inspects the maintenance tools carried into a facility by maintenance personnel for improper or unauthorized modifications. | — | — |
| MA-3(2) | Inspect Media | The organization checks media containing diagnostic and test programs for malicious code before the media are used in the information system. | — | — |
| MA-3(3) | Prevent Unauthorized Removal | The organization prevents the unauthorized removal of maintenance equipment containing organizational information by: (a) Verifying that there is no organizational information contained on the eq... | — | — |
| MA-3(4) | Restricted Tool Use | The information system restricts the use of maintenance tools to authorized personnel only. | — | — |
| MA-4 | Nonlocal Maintenance | The organization: a. Approves and monitors nonlocal maintenance and diagnostic activities; b. Allows the use of nonlocal maintenance and diagnostic tools only as consistent with organizational ... | — | — |
| MA-4(1) | Auditing and Review | The organization: (a) Audits nonlocal maintenance and diagnostic sessions {{ insert: param, ma-4.1_prm_1 }}; and (b) Reviews the records of the maintenance and diagnostic sessions. | — | — |
| MA-4(2) | Document Nonlocal Maintenance | The organization documents in the security plan for the information system, the policies and procedures for the establishment and use of nonlocal maintenance and diagnostic connections. | — | — |
| MA-4(3) | Comparable Security / Sanitization | The organization: (a) Requires that nonlocal maintenance and diagnostic services be performed from an information system that implements a security capability comparable to the capability impleme... | — | — |
| MA-4(4) | Authentication / Separation of Maintenance Sessions | The organization protects nonlocal maintenance sessions by: (a) Employing {{ insert: param, ma-4.4_prm_1 }}; and (b) Separating the maintenance sessions from other network sessions with the inf... | — | — |
| MA-4(5) | Approvals and Notifications | The organization: (a) Requires the approval of each nonlocal maintenance session by {{ insert: param, ma-4.5_prm_1 }}; and (b) Notifies {{ insert: param, ma-4.5_prm_2 }} of the date and time of... | — | — |
| MA-4(6) | Cryptographic Protection | The information system implements cryptographic mechanisms to protect the integrity and confidentiality of nonlocal maintenance and diagnostic communications. | — | — |
| MA-4(7) | Remote Disconnect Verification | The information system implements remote disconnect verification at the termination of nonlocal maintenance and diagnostic sessions. | — | — |
| MA-5 | Maintenance Personnel | The organization: a. Establishes a process for maintenance personnel authorization and maintains a list of authorized maintenance organizations or personnel; b. Ensures that non-escorted person... | — | — |
| MA-5(1) | Individuals Without Appropriate Access | The organization: (a) Implements procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens, that include the following requirements: (... | — | — |
| MA-5(2) | Security Clearances for Classified Systems | The organization ensures that personnel performing maintenance and diagnostic activities on an information system processing, storing, or transmitting classified information possess security cleara... | — | — |
| MA-5(3) | Citizenship Requirements for Classified Systems | The organization ensures that personnel performing maintenance and diagnostic activities on an information system processing, storing, or transmitting classified information are U.S. citizens. | — | — |
| MA-5(4) | Foreign Nationals | The organization ensures that: (a) Cleared foreign nationals (i.e., foreign nationals with appropriate security clearances), are used to conduct maintenance and diagnostic activities on classifie... | — | — |
| MA-5(5) | Nonsystem-related Maintenance | The organization ensures that non-escorted personnel performing maintenance activities not directly associated with the information system but in the physical proximity of the system, have required... | — | — |
| MA-6 | Timely Maintenance | The organization obtains maintenance support and/or spare parts for {{ insert: param, ma-6_prm_1 }} within {{ insert: param, ma-6_prm_2 }} of failure. | — | — |
| MA-6(1) | Preventive Maintenance | The organization performs preventive maintenance on {{ insert: param, ma-6.1_prm_1 }} at {{ insert: param, ma-6.1_prm_2 }}. | — | — |
| MA-6(2) | Predictive Maintenance | The organization performs predictive maintenance on {{ insert: param, ma-6.2_prm_1 }} at {{ insert: param, ma-6.2_prm_2 }}. | — | — |
| MA-6(3) | Automated Support for Predictive Maintenance | The organization employs automated mechanisms to transfer predictive maintenance data to a computerized maintenance management system. | — | — |
| └ ma-1a | | Develops, documents, and disseminates to {{ insert: param, ma-1_prm_1 }}: | — | — |
| └ ma-1a.1 | | A system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entiti... | — | — |
| └ ma-1a.2 | | Procedures to facilitate the implementation of the system maintenance policy and associated system maintenance controls; and | — | — |
| └ ma-1b | | Reviews and updates the current: | — | — |
| └ ma-1b.1 | | System maintenance policy {{ insert: param, ma-1_prm_2 }}; and | — | — |
| └ ma-1b.2 | | System maintenance procedures {{ insert: param, ma-1_prm_3 }}. | — | — |
| └ ma-2.2.(a) | | Employs automated mechanisms to schedule, conduct, and document maintenance and repairs; and | — | — |
| └ ma-2.2.(b) | | Produces up-to-date, accurate, and complete records of all maintenance and repair actions requested, scheduled, in process, and completed. | — | — |
| └ ma-2a | | Schedules, performs, documents, and reviews records of maintenance and repairs on information system components in accordance with manufacturer or ... | — | — |
| └ ma-2b | | Approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to... | — | — |
| └ ma-2c | | Requires that {{ insert: param, ma-2_prm_1 }} explicitly approve the removal of the information system or system components from organizational fac... | — | — |
| └ ma-2d | | Sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or rep... | — | — |
| └ ma-2e | | Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair action... | — | — |
| └ ma-2f | | Includes {{ insert: param, ma-2_prm_2 }} in organizational maintenance records. | — | — |
| └ ma-3.3.(a) | | Verifying that there is no organizational information contained on the equipment; | — | — |
| └ ma-3.3.(b) | | Sanitizing or destroying the equipment; | — | — |
| └ ma-3.3.(c) | | Retaining the equipment within the facility; or | — | — |
| └ ma-3.3.(d) | | Obtaining an exemption from {{ insert: param, ma-3.3_prm_1 }} explicitly authorizing removal of the equipment from the facility. | — | — |
| └ ma-4.1.(a) | | Audits nonlocal maintenance and diagnostic sessions {{ insert: param, ma-4.1_prm_1 }}; and | — | — |
| └ ma-4.1.(b) | | Reviews the records of the maintenance and diagnostic sessions. | — | — |
| └ ma-4.3.(a) | | Requires that nonlocal maintenance and diagnostic services be performed from an information system that implements a security capability comparable... | — | — |
| └ ma-4.3.(b) | | Removes the component to be serviced from the information system prior to nonlocal maintenance or diagnostic services, sanitizes the component (wit... | — | — |
| └ ma-4.4.(a) | | Employing {{ insert: param, ma-4.4_prm_1 }}; and | — | — |
| └ ma-4.4.(b) | | Separating the maintenance sessions from other network sessions with the information system by either: | — | — |
| └ ma-4.4.(b).(1) | | Physically separated communications paths; or | — | — |
| └ ma-4.4.(b).(2) | | Logically separated communications paths based upon encryption. | — | — |
| └ ma-4.5.(a) | | Requires the approval of each nonlocal maintenance session by {{ insert: param, ma-4.5_prm_1 }}; and | — | — |
| └ ma-4.5.(b) | | Notifies {{ insert: param, ma-4.5_prm_2 }} of the date and time of planned nonlocal maintenance. | — | — |
| └ ma-4a | | Approves and monitors nonlocal maintenance and diagnostic activities; | — | — |
| └ ma-4b | | Allows the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for t... | — | — |
| └ ma-4c | | Employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions; | — | — |
| └ ma-4d | | Maintains records for nonlocal maintenance and diagnostic activities; and | — | — |
| └ ma-4e | | Terminates session and network connections when nonlocal maintenance is completed. | — | — |
| └ ma-5.1.(a) | | Implements procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens, that include the fol... | — | — |
| └ ma-5.1.(a).(1) | | Maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals are escorted and supervised during the p... | — | — |
| └ ma-5.1.(a).(2) | | Prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances or formal access app... | — | — |
| └ ma-5.1.(b) | | Develops and implements alternate security safeguards in the event an information system component cannot be sanitized, removed, or disconnected fr... | — | — |
| └ ma-5.4.(a) | | Cleared foreign nationals (i.e., foreign nationals with appropriate security clearances), are used to conduct maintenance and diagnostic activities... | — | — |
| └ ma-5.4.(b) | | Approvals, consents, and detailed operational conditions regarding the use of foreign nationals to conduct maintenance and diagnostic activities on... | — | — |
| └ ma-5a | | Establishes a process for maintenance personnel authorization and maintains a list of authorized maintenance organizations or personnel; | — | — |
| └ ma-5b | | Ensures that non-escorted personnel performing maintenance on the information system have required access authorizations; and | — | — |
| └ ma-5c | | Designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personn... | — | — |
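The review step that MA-4(1)(b) calls for can be written as a check over the nonlocal maintenance session records, testing each session against the MA-4 requirements in the table: per-session approval (MA-4(5)(a)), strong authenticators (MA-4c), cryptographic protection of the channel (MA-4(6)), termination when maintenance is complete (MA-4e) and disconnect verification at termination (MA-4(7)). The script below is an added example, not text or code from NIST SP 800-53 or from any maintenance gateway product. The key=value log format, the field names (`session`, `auth`, `transport`, `disconnect_verified`), the approval register and the sample log lines are all constructed for the example; what counts as a strong authenticator or a protected transport is the organization's own assignment, stood in for here by two small sets.

```python
"""Audit nonlocal maintenance session records against SP 800-53 Rev 4 MA-4.

Added example (not NIST or vendor code). The log format and field names are
assumptions made for the illustration; the sample lines are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample: key=value event lines from a hypothetical maintenance
# gateway. One session_start and (ideally) one session_end per session id.
SAMPLE_LOG = """\
ts=2023-05-01T09:00:02Z event=session_start session=s1 user=vendor.alice auth=mfa transport=tls1.3
ts=2023-05-01T09:41:10Z event=session_end session=s1 disconnect_verified=yes
ts=2023-05-01T13:02:00Z event=session_start session=s2 user=vendor.bob auth=password transport=tls1.2
ts=2023-05-01T13:55:31Z event=session_end session=s2 disconnect_verified=no
ts=2023-05-02T08:10:45Z event=session_start session=s3 user=vendor.carol auth=mfa transport=plaintext
ts=2023-05-02T10:00:00Z event=session_start session=s4 user=vendor.dave auth=mfa transport=tls1.3
ts=2023-05-02T10:30:00Z event=session_end session=s4 disconnect_verified=yes
"""

# Constructed approval register (MA-4(5)(a)): sessions approved before they ran.
APPROVED_SESSIONS: Set[str] = {"s1", "s2", "s3"}

# Stand-ins for the organization-defined assignments (MA-4c, MA-4(6)).
STRONG_AUTH = {"mfa", "pki", "hardware_token"}
ENCRYPTED_TRANSPORTS = {"tls1.2", "tls1.3", "ssh2", "ipsec"}


@dataclass
class Session:
    session_id: str
    user: str = ""
    auth: str = ""
    transport: str = ""
    started: bool = False
    ended: bool = False
    disconnect_verified: bool = False


def parse_log(text: str) -> Dict[str, Session]:
    """Fold key=value event lines into one Session record per session id."""
    sessions: Dict[str, Session] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(tok.split("=", 1) for tok in line.split())
        sid = fields["session"]
        s = sessions.setdefault(sid, Session(session_id=sid))
        if fields["event"] == "session_start":
            s.started = True
            s.user = fields.get("user", "")
            s.auth = fields.get("auth", "")
            s.transport = fields.get("transport", "")
        elif fields["event"] == "session_end":
            s.ended = True
            s.disconnect_verified = fields.get("disconnect_verified") == "yes"
    return sessions


def audit_sessions(sessions: Dict[str, Session],
                   approved: Set[str]) -> Dict[str, List[str]]:
    """Return, per non-compliant session, the MA-4 requirements it misses."""
    findings: Dict[str, List[str]] = {}
    for sid, s in sorted(sessions.items()):
        issues: List[str] = []
        if sid not in approved:
            issues.append("MA-4(5)(a): no recorded approval for session")
        if s.auth not in STRONG_AUTH:
            issues.append(f"MA-4c: weak authenticator '{s.auth}'")
        if s.transport not in ENCRYPTED_TRANSPORTS:
            issues.append(f"MA-4(6): unprotected transport '{s.transport}'")
        if not s.ended:
            issues.append("MA-4e: session has no termination record")
        elif not s.disconnect_verified:
            issues.append("MA-4(7): disconnect not verified at termination")
        if issues:
            findings[sid] = issues
    return findings


if __name__ == "__main__":
    report = audit_sessions(parse_log(SAMPLE_LOG), APPROVED_SESSIONS)
    for sid, issues in report.items():
        print(sid)
        for issue in issues:
            print("   ", issue)
```

On the constructed sample, s1 passes every check; s2 used a password and its disconnect was never verified; s3 ran over a plaintext transport and has no termination record at all; s4 has a clean session but no approval on file. A session that is still open when the review runs (s3 here) is the case most worth watching, since MA-4e and MA-4(7) both hinge on the session actually being closed.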