Guidance for NIST 800-171 Assessment & Compliance
Applicable (Y)es / (N)o |
(C)onfidentiality |
(I)ntegrity |
(A)vailability |
RPN (C+I+A) |
(S)atisfactory |
||||||
L1 |
M2 |
H3 |
L1 |
M2 |
H3 |
L1 |
M2 |
H3 |
(O)ther than satisfactory +## |
||
|
|
|
|
|
|
|
|
|
|
|
|
###
ma-2 |
controlled maintenance |
|||
|
assessment objective: Determine if the organization: |
|||
ma-2(a) |
ma-2(a)[1] |
schedules maintenance and repairs on information system components in accordance with: |
||
ma-2(a)[1][a] |
manufacturer or vendor specifications; and/or |
|||
ma-2(a)[1][b] |
organizational requirements; |
|||
ma-2(a)[2] |
performs maintenance and repairs on information system components in accordance with: |
|||
ma-2(a)[2][a] |
manufacturer or vendor specifications; and/or |
|||
ma-2(a)[2][b] |
organizational requirements; |
|||
ma-2(a)[3] |
documents maintenance and repairs on information system components in accordance with: |
|||
ma-2(a)[3][a] |
manufacturer or vendor specifications; and/or |
|||
ma-2(a)[3][b] |
organizational requirements; |
|||
ma-2(a)[4] |
reviews records of maintenance and repairs on information system components in accordance with: |
|||
ma-2(a)[4][a] |
manufacturer or vendor specifications; and/or |
|||
ma-2(a)[4][b] |
organizational requirements; |
|||
ma-2(b) |
ma-2(b)[1] |
approves all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location; |
||
ma-2(b)[2] |
monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location; |
|||
ma-2(c) |
ma-2(c)[1] |
defines personnel or roles required to explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs; |
||
ma-2(c)[2] |
requires that organization-defined personnel or roles explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs; |
|||
ma-2(d) |
sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs; |
|||
ma-2(e) |
checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; |
|||
ma-2(f) |
ma-2(f)[1] |
defines maintenance-related information to be included in organizational maintenance records; and |
||
ma-2(f)[2] |
includes organization-defined maintenance-related information in organizational maintenance records. |
|||
potential assessment methods and objects: Examine: [select from: Information system maintenance policy; procedures addressing controlled information system maintenance; maintenance records; manufacturer/vendor maintenance specifications; equipment sanitization records; media sanitization records; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with information system maintenance responsibilities; organizational personnel with information security responsibilities; organizational personnel responsible for media sanitization; system/network administrators]. Test: [select from: Organizational processes for scheduling, performing, documenting, reviewing, approving, and monitoring maintenance and repairs for the information system; organizational processes for sanitizing information system components; automated mechanisms supporting and/or implementing controlled maintenance; automated mechanisms implementing sanitization of information system components]. |
||||
