Control ID Title / Statement Priority Baseline Impact
MA-01
Policy and Procedures 9 params
a. Develop, document, and disseminate to {{ insert: param, ma-1_prm_1 }}: 1. {{ insert: param, ma-01_odp.03 }} maintenance policy that: (a) Addresses purpose, scope, roles, responsibili...
Param ID Label Constraint / Choices
ma-1_prm_1 organization-defined personnel or roles Organization-defined
ma-01_odp.01 personnel or roles personnel or roles to whom the maintenance policy is to be disseminated is/are defined;
ma-01_odp.02 personnel or roles personnel or roles to whom the maintenance procedures are to be disseminated is/are defined;
ma-01_odp.03 Select one-or-more: organization-level; mission/business process-level; system-level
ma-01_odp.04 official an official to manage the maintenance policy and procedures is defined;
ma-01_odp.05 frequency the frequency with which the current maintenance policy is reviewed and updated is defined;
ma-01_odp.06 events events that would require the current maintenance policy to be reviewed and updated are defined;
ma-01_odp.07 frequency the frequency with which the current maintenance procedures are reviewed and updated is defined;
ma-01_odp.08 events events that would require the maintenance procedures to be reviewed and updated are defined;
MA-02
Controlled Maintenance 3 params
a. Schedule, document, and review records of maintenance, repair, and replacement on system components in accordance with manufacturer or vendor specifications and/or organizational requirements;...
Param ID Label Constraint / Choices
ma-02_odp.01 personnel or roles personnel or roles required to explicitly approve the removal of the system or system components from organizational ...
ma-02_odp.02 information information to be removed from associated media prior to removal from organizational facilities for off-site maintena...
ma-02_odp.03 information information to be included in organizational maintenance records is defined;
MA-02(01)
Record Content
MA-02(02)
Automated Maintenance Activities 4 params
(a) Schedule, conduct, and document maintenance, repair, and replacement actions for the system using {{ insert: param, ma-2.2_prm_1 }} ; and (b) Produce up-to-date, accurate, and complete reco...
Param ID Label Constraint / Choices
ma-2.2_prm_1 organization-defined automated mechanisms Organization-defined
ma-02.02_odp.01 automated mechanisms automated mechanisms used to schedule maintenance, repair, and replacement actions for the system are defined;
ma-02.02_odp.02 automated mechanisms automated mechanisms used to conduct maintenance, repair, and replacement actions for the system are defined;
ma-02.02_odp.03 automated mechanisms automated mechanisms used to document maintenance, repair, and replacement actions for the system are defined;
MA-03
Maintenance Tools 1 param
a. Approve, control, and monitor the use of system maintenance tools; and b. Review previously approved system maintenance tools {{ insert: param, ma-03_odp }}.
Param ID Label Constraint / Choices
ma-03_odp frequency frequency at which to review previously approved system maintenance tools is defined;
MA-03(01)
Inspect Tools
Inspect the maintenance tools used by maintenance personnel for improper or unauthorized modifications.
MA-03(02)
Inspect Media
Check media containing diagnostic and test programs for malicious code before the media are used in the system.
MA-03(03)
Prevent Unauthorized Removal 1 param
Prevent the removal of maintenance equipment containing organizational information by: (a) Verifying that there is no organizational information contained on the equipment; (b) Sanitizing or de...
Param ID Label Constraint / Choices
ma-03.03_odp personnel or roles personnel or roles who can authorize removal of equipment from the facility is/are defined;
MA-03(04)
Restricted Tool Use
Restrict the use of maintenance tools to authorized personnel only.
MA-03(05)
Execution with Privilege
Monitor the use of maintenance tools that execute with increased privilege.
MA-03(06)
Software Updates and Patches
Inspect maintenance tools to ensure the latest software updates and patches are installed.
MA-04
Nonlocal Maintenance
a. Approve and monitor nonlocal maintenance and diagnostic activities; b. Allow the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented...
MA-04(01)
Logging and Review 3 params
(a) Log {{ insert: param, ma-4.1_prm_1 }} for nonlocal maintenance and diagnostic sessions; and (b) Review the audit records of the maintenance and diagnostic sessions to detect anomalous behav...
Param ID Label Constraint / Choices
ma-4.1_prm_1 organization-defined audit events Organization-defined
ma-04.01_odp.01 audit events audit events to be logged for nonlocal maintenance are defined;
ma-04.01_odp.02 audit events audit events to be logged for diagnostic sessions are defined;
MA-04(02)
Document Nonlocal Maintenance
MA-04(03)
Comparable Security and Sanitization
(a) Require that nonlocal maintenance and diagnostic services be performed from a system that implements a security capability comparable to the capability implemented on the system being service...
MA-04(04)
Authentication and Separation of Maintenance Sessions 1 param
Protect nonlocal maintenance sessions by: (a) Employing {{ insert: param, ma-04.04_odp }} ; and (b) Separating the maintenance sessions from other network sessions with the system by either: ...
Param ID Label Constraint / Choices
ma-04.04_odp authenticators that are replay resistant authenticators that are replay resistant are defined;
MA-04(05)
Approvals and Notifications 2 params
(a) Require the approval of each nonlocal maintenance session by {{ insert: param, ma-04.05_odp.01 }} ; and (b) Notify the following personnel or roles of the date and time of planned nonlocal ...
Param ID Label Constraint / Choices
ma-04.05_odp.01 personnel or roles personnel or roles required to approve each nonlocal maintenance session is/are defined;
ma-04.05_odp.02 personnel and roles personnel and roles to be notified of the date and time of planned nonlocal maintenance is/are defined;
MA-04(06)
Cryptographic Protection 1 param
Implement the following cryptographic mechanisms to protect the integrity and confidentiality of nonlocal maintenance and diagnostic communications: {{ insert: param, ma-04.06_odp }}.
Param ID Label Constraint / Choices
ma-04.06_odp cryptographic mechanisms cryptographic mechanisms to be implemented to protect the integrity and confidentiality of nonlocal maintenance and d...
MA-04(07)
Disconnect Verification
Verify session and network connection termination after the completion of nonlocal maintenance and diagnostic sessions.
MA-05
Maintenance Personnel
a. Establish a process for maintenance personnel authorization and maintain a list of authorized maintenance organizations or personnel; b. Verify that non-escorted personnel performing mainten...
MA-05(01)
Individuals Without Appropriate Access 1 param
(a) Implement procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens, that include the following requirements: (1) Maintenance pers...
Param ID Label Constraint / Choices
ma-05.01_odp alternate controls alternate controls to be developed and implemented in the event that a system component cannot be sanitized, removed,...
MA-05(02)
Security Clearances for Classified Systems
Verify that personnel performing maintenance and diagnostic activities on a system processing, storing, or transmitting classified information possess security clearances and formal access approval...
MA-05(03)
Citizenship Requirements for Classified Systems
Verify that personnel performing maintenance and diagnostic activities on a system processing, storing, or transmitting classified information are U.S. citizens.
MA-05(04)
Foreign Nationals
Ensure that: (a) Foreign nationals with appropriate security clearances are used to conduct maintenance and diagnostic activities on classified systems only when the systems are jointly owned and...
MA-05(05)
Non-system Maintenance
Ensure that non-escorted personnel performing maintenance activities not directly associated with the system but in the physical proximity of the system, have required access authorizations.
MA-06
Timely Maintenance 2 params
Obtain maintenance support and/or spare parts for {{ insert: param, ma-06_odp.01 }} within {{ insert: param, ma-06_odp.02 }} of failure.
Param ID Label Constraint / Choices
ma-06_odp.01 system components system components for which maintenance support and/or spare parts are obtained are defined;
ma-06_odp.02 time period time period within which maintenance support and/or spare parts are to be obtained after a failure is defined;
MA-06(01)
Preventive Maintenance 2 params
Perform preventive maintenance on {{ insert: param, ma-06.01_odp.01 }} at {{ insert: param, ma-06.01_odp.02 }}.
Param ID Label Constraint / Choices
ma-06.01_odp.01 system components system components on which preventive maintenance is to be performed are defined;
ma-06.01_odp.02 time intervals time intervals within which preventive maintenance is to be performed on system components are defined;
MA-06(02)
Predictive Maintenance 2 params
Perform predictive maintenance on {{ insert: param, ma-06.02_odp.01 }} at {{ insert: param, ma-06.02_odp.02 }}.
Param ID Label Constraint / Choices
ma-06.02_odp.01 system components system components on which predictive maintenance is to be performed are defined;
ma-06.02_odp.02 time intervals time intervals within which predictive maintenance is to be performed are defined;
MA-06(03)
Automated Support for Predictive Maintenance 1 param
Transfer predictive maintenance data to a maintenance management system using {{ insert: param, ma-06.03_odp }}.
Param ID Label Constraint / Choices
ma-06.03_odp automated mechanisms automated mechanisms used to transfer predictive maintenance data to a maintenance management system are defined;
MA-07
Field Maintenance 2 params
Restrict or prohibit field maintenance on {{ insert: param, ma-07_odp.01 }} to {{ insert: param, ma-07_odp.02 }}.
Param ID Label Constraint / Choices
ma-07_odp.01 systems or system components systems or system components on which field maintenance is restricted or prohibited to trusted maintenance facilities...
ma-07_odp.02 trusted maintenance facilities trusted maintenance facilities that are not restricted or prohibited from conducting field maintenance are defined;
ma-1a Develop, document, and disseminate to {{ insert: param, ma-1_prm_1 }}:
ma-1a.1 {{ insert: param, ma-01_odp.03 }} maintenance policy that:
ma-1a.1.(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
ma-1a.1.(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
ma-1a.2 Procedures to facilitate the implementation of the maintenance policy and the associated maintenance controls;
ma-1b Designate an {{ insert: param, ma-01_odp.04 }} to manage the development, documentation, and dissemination of the maintenance policy and procedures...
ma-1c Review and update the current maintenance:
ma-1c.1 Policy {{ insert: param, ma-01_odp.05 }} and following {{ insert: param, ma-01_odp.06 }} ; and
ma-1c.2 Procedures {{ insert: param, ma-01_odp.07 }} and following {{ insert: param, ma-01_odp.08 }}.
ma-2.2.(a) Schedule, conduct, and document maintenance, repair, and replacement actions for the system using {{ insert: param, ma-2.2_prm_1 }} ; and
ma-2.2.(b) Produce up-to-date, accurate, and complete records of all maintenance, repair, and replacement actions requested, scheduled, in process, and comple...
ma-2a Schedule, document, and review records of maintenance, repair, and replacement on system components in accordance with manufacturer or vendor speci...
ma-2b Approve and monitor all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on s...
ma-2c Require that {{ insert: param, ma-02_odp.01 }} explicitly approve the removal of the system or system components from organizational facilities for...
ma-2d Sanitize equipment to remove the following information from associated media prior to removal from organizational facilities for off-site maintenan...
ma-2e Check all potentially impacted controls to verify that the controls are still functioning properly following maintenance, repair, or replacement ac...
ma-2f Include the following information in organizational maintenance records: {{ insert: param, ma-02_odp.03 }}.
ma-3.3.(a) Verifying that there is no organizational information contained on the equipment;
ma-3.3.(b) Sanitizing or destroying the equipment;
ma-3.3.(c) Retaining the equipment within the facility; or
ma-3.3.(d) Obtaining an exemption from {{ insert: param, ma-03.03_odp }} explicitly authorizing removal of the equipment from the facility.
ma-3a Approve, control, and monitor the use of system maintenance tools; and
ma-3b Review previously approved system maintenance tools {{ insert: param, ma-03_odp }}.
ma-4.1.(a) Log {{ insert: param, ma-4.1_prm_1 }} for nonlocal maintenance and diagnostic sessions; and
ma-4.1.(b) Review the audit records of the maintenance and diagnostic sessions to detect anomalous behavior.
ma-4.3.(a) Require that nonlocal maintenance and diagnostic services be performed from a system that implements a security capability comparable to the capabi...
ma-4.3.(b) Remove the component to be serviced from the system prior to nonlocal maintenance or diagnostic services; sanitize the component (for organizationa...
ma-4.4.(a) Employing {{ insert: param, ma-04.04_odp }} ; and
ma-4.4.(b) Separating the maintenance sessions from other network sessions with the system by either:
ma-4.4.(b).(1) Physically separated communications paths; or
ma-4.4.(b).(2) Logically separated communications paths.
ma-4.5.(a) Require the approval of each nonlocal maintenance session by {{ insert: param, ma-04.05_odp.01 }} ; and
ma-4.5.(b) Notify the following personnel or roles of the date and time of planned nonlocal maintenance: {{ insert: param, ma-04.05_odp.02 }}.
ma-4a Approve and monitor nonlocal maintenance and diagnostic activities;
ma-4b Allow the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for th...
ma-4c Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions;
ma-4d Maintain records for nonlocal maintenance and diagnostic activities; and
ma-4e Terminate session and network connections when nonlocal maintenance is completed.
ma-5.1.(a) Implement procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens, that include the foll...
ma-5.1.(a).(1) Maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals are escorted and supervised during the p...
ma-5.1.(a).(2) Prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances or formal access app...
ma-5.1.(b) Develop and implement {{ insert: param, ma-05.01_odp }} in the event a system component cannot be sanitized, removed, or disconnected from the system.
ma-5.4.(a) Foreign nationals with appropriate security clearances are used to conduct maintenance and diagnostic activities on classified systems only when th...
ma-5.4.(b) Approvals, consents, and detailed operational conditions regarding the use of foreign nationals to conduct maintenance and diagnostic activities on...
ma-5a Establish a process for maintenance personnel authorization and maintain a list of authorized maintenance organizations or personnel;
ma-5b Verify that non-escorted personnel performing maintenance on the system possess the required access authorizations; and
ma-5c Designate organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personne...