
ABCI Consultants

Guidance for NIST 800-171 Assessment & Compliance


MA-5(1) MAINTENANCE PERSONNEL | INDIVIDUALS WITHOUT APPROPRIATE ACCESS

Scoring worksheet columns:

Applicable: (Y)es / (N)o
(C)onfidentiality: L1 / M2 / H3
(I)ntegrity: L1 / M2 / H3
(A)vailability: L1 / M2 / H3
RPN: (C+I+A)
Result: (S)atisfactory / (O)ther than satisfactory +##


MA-5(1) MAINTENANCE PERSONNEL | INDIVIDUALS WITHOUT APPROPRIATE ACCESS

ASSESSMENT OBJECTIVE:

Determine if the organization:

MA-5(1)(a)  implements procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens, that include the following requirements:

    MA-5(1)(a)(1)  maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals are escorted and supervised during the performance of maintenance and diagnostic activities on the information system by approved organizational personnel who:

        MA-5(1)(a)(1)[1]  are fully cleared;

        MA-5(1)(a)(1)[2]  have appropriate access authorizations;

        MA-5(1)(a)(1)[3]  are technically qualified;

    MA-5(1)(a)(2)  prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances, or formal access approvals:

        MA-5(1)(a)(2)[1]  all volatile information storage components within the information system are sanitized; and

        MA-5(1)(a)(2)[2]  all nonvolatile storage media are removed; or

        MA-5(1)(a)(2)[3]  all nonvolatile storage media are physically disconnected from the system and secured; and

MA-5(1)(b)  develops and implements alternative security safeguards in the event an information system component cannot be sanitized, removed, or disconnected from the system.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [select from: Information system maintenance policy; procedures addressing maintenance personnel; information system media protection policy; physical and environmental protection policy; security plan; list of maintenance personnel requiring escort/supervision; maintenance records; access control records; other relevant documents or records].

Interview: [select from: Organizational personnel with information system maintenance responsibilities; organizational personnel with personnel security responsibilities; organizational personnel with physical access control responsibilities; organizational personnel with information security responsibilities; organizational personnel responsible for media sanitization; system/network administrators].

Test: [select from: Organizational processes for managing maintenance personnel without appropriate access; automated mechanisms supporting and/or implementing alternative security safeguards; automated mechanisms supporting and/or implementing information storage component sanitization].

Hosted by ABCI Consultants for Information Security Management Systems | Implementations, Training and Assessments for Compliance | (800) 644-2056