base control objective:
The organization approves, controls, monitors the use of, and maintains on an ongoing basis, information system maintenance tools.
supplemental objective information:
The intent of this control is to address the security-related issues arising from the hardware and software brought into the information system specifically for diagnostic and repair actions (e.g., a hardware or software packet sniffer that is introduced for the purpose of a particular maintenance activity). Hardware and/or software components that may support information system maintenance, yet are a part of the system (e.g., the software implementing “ping,” “ls,” “ipconfig,” or the hardware and software implementing the monitoring port of an Ethernet switch) are not covered by this control.
enhancements to the base objective:
(1) The organization inspects all maintenance tools carried into a facility by maintenance personnel for obvious improper modifications.
Enhancement Supplemental Guidance: Maintenance tools include, for example, diagnostic and test equipment used to conduct maintenance on the information system.
(2) The organization checks all media containing diagnostic and test programs for malicious code before the media are used in the information system.
(3) The organization prevents the unauthorized removal of maintenance equipment by one of the following:
(i) verifying that there is no organizational information contained on the equipment;
(ii) sanitizing or destroying the equipment;
(iii) retaining the equipment within the facility; or
(iv) obtaining an exemption from a designated organization official explicitly authorizing removal of the equipment from the facility.
(4) The organization employs automated mechanisms to restrict the use of maintenance tools to authorized personnel only.
mapping to FIPS199 baseline:
MOD: base (1) (2)
HIGH: base (1) (2) (3)
related (regimented) controls:
documents referenced in SP800-53rev3 for MA-03: