Template:Cybersecurity/Maintenance
MA-1 System maintenance policy and procedures
This control recommends the organization develop, document, disseminate, review, and update system maintenance policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of system maintenance action but also to address how those policies and procedures will be implemented, reviewed, and updated.
Additional resources:
MA-2 Controlled maintenance
This control recommends the organization apply a "controlled maintenance" approach to its system. Not only should maintenance be regularly scheduled, performed, and thoroughly documented, but also that maintenance should be in-line with manufacturer, vendor, or organizational requirements. The maintenance should go through an approval and monitoring process whether conducted on- or off-site. Any off-site work will required proper data sanitization. After maintenance, the components and the system should be checked to ensure that all implemented controls still function as expected.
Additional resources:
MA-2 (2) Controlled maintenance: Automated maintenance activities
This control enhancement recommends the organization employ (or, ensure the system employs) some type of automation in scheduling, conducting, and/or documenting maintenance and repairs. That automated process should also ensure that all related documentation is complete and accurate in regards to requested, scheduled, processed, and completed maintenance and repair actions.
Additional resources:
MA-4 Non-local maintenance
This control recommends the organization place strong controls on non-local maintenance and diagnostics of the system or its components. "Non-local maintenance and diagnostic activities are those activities conducted by individuals communicating through either an external network (e.g., the Internet) or an internal network." Those controls include approving, monitoring, and thoroughly documenting non-local maintenance, ensuring the tools used in the process are documented and consistent with organizational policy, ensuring strong authenticators are employed during such maintenance sessions, and ensuring those sessions and network connections are terminated upon completion of maintenance activities.
Additional resources:
- NIST Special Publications 800-63-3
- NIST Special Publications 800-88, Rev. 1
- LIMSpec 10.15, 32.25, 34.4, and 35.3
MA-5 Maintenance personnel
This control recommends the organization establish a list of authorized third-party maintenance personnel and organizations and a process for vetting them. Additionally, a policy of ensuring those authorized personnel or organizations have the appropriate security authorizations and designated supervisory personnel when on-site.
Additional resources:
MA-6 Timely maintenance
This control recommends the organization designate a time frame between which system component failure and maintenance support or component acquisition takes place. This will likely involve identifying the system components that are critical to maintaining system operations and organizational goals.
Additional resources:
- No LIMSpec comp (organizational policy rather than system specification)
MA-6 (1) Timely maintenance: Preventative maintenance
This control enhancement recommends the organization take a preventative maintenance approach to its system and components, scheduling at a defined frequency specific preventative maintenance actions on specified system components.
Additional resources:
MA-6 (2) Timely maintenance: Predictive maintenance
This control enhancement recommends the organization take a predictive maintenance approach to its system and components. This essentially means using "principles of statistical process control to determine at what point in the future maintenance activities will be appropriate," particularly "when the maintenance activity is most cost-effective and before the equipment loses performance within a threshold."
Additional resources:
