catalog: SP800-53rev3 / class: Operational / family: (MA) Maintenance

  MA-02: Controlled Maintenance  

base control objective:
The organization:
a. Schedules, performs, documents, and reviews records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements;
b. Controls all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;
c. Requires that a designated official explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs;
d. Sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs; and
e. Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions.

supplemental objective information:
The control is intended to address the information security aspects of the organization’s information system maintenance program.

enhancements to the base objective:

(1) The organization maintains maintenance records for the information system that include:
(a) Date and time of maintenance;
(b) Name of the individual performing the maintenance;
(c) Name of escort, if necessary;
(d) A description of the maintenance performed; and
(e) A list of equipment removed or replaced (including identification numbers, if applicable).

(2) The organization employs automated mechanisms to schedule, conduct, and document maintenance and repairs as required, producing up-to-date, accurate, complete, and available records of all maintenance and repair actions, needed, in process, and completed.

mapping to FIPS199 baseline:

  LOW: base     MOD: base (1)     HIGH: base (1) (2)  

related (regimented) controls:

MP-06   Media Sanitization
SI-02   Flaw Remediation

documents referenced in SP800-53rev3 for MA-02:

Document   Date   Status   Title
NIST SP800-24   August, 2000   current   PBX Vulnerability Analysis: Finding Holes in Your PBX Before Someone Else Does
