
ABCI Consultants

Guidance for NIST 800-171 Assessment & Compliance


MA-4(3) NONLOCAL MAINTENANCE  |  COMPARABLE SECURITY / SANITIZATION


| Applicable (Y)es / (N)o | (C)onfidentiality: L1 / M2 / H3 | (I)ntegrity: L1 / M2 / H3 | (A)vailability: L1 / M2 / H3 | RPN (C+I+A) | (S)atisfactory / (O)ther than satisfactory +## |
|---|---|---|---|---|---|
|   |   |   |   |   |   |

###


ASSESSMENT OBJECTIVE:

Determine if the organization:

MA-4(3)(a): requires that nonlocal maintenance and diagnostic services be performed from an information system that implements a security capability comparable to the capability implemented on the system being serviced; or

MA-4(3)(b):

MA-4(3)(b)[1]: removes the component to be serviced from the information system;

MA-4(3)(b)[2]: sanitizes the component (with regard to organizational information) prior to nonlocal maintenance or diagnostic services and/or before removal from organizational facilities; and

MA-4(3)(b)[3]: inspects and sanitizes the component (with regard to potentially malicious software) after service is performed on the component and before reconnecting the component to the information system.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [select from: Information system maintenance policy; procedures addressing nonlocal information system maintenance; service provider contracts and/or service-level agreements; maintenance records; inspection records; audit records; equipment sanitization records; media sanitization records; other relevant documents or records].

Interview: [select from: Organizational personnel with information system maintenance responsibilities; information system maintenance provider; organizational personnel with information security responsibilities; organizational personnel responsible for media sanitization; system/network administrators].

Test: [select from: Organizational processes for comparable security and sanitization for nonlocal maintenance; organizational processes for removal, sanitization, and inspection of components serviced via nonlocal maintenance; automated mechanisms supporting and/or implementing component sanitization and inspection].

Hosted by ABCI Consultants for Information Security Management Systems | Implementations, Training and Assessments for Compliance | (800) 644-2056