catalog: SP800-53rev3 / class: Operational / family: (MA) Maintenance

MA-04: Non-local Maintenance

base control objective:
The organization:
a. Authorizes, monitors, and controls non-local maintenance and diagnostic activities;
b. Allows the use of non-local maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the information system;
c. Employs strong identification and authentication techniques in the establishment of non-local maintenance and diagnostic sessions;
d. Maintains records for non-local maintenance and diagnostic activities; and
e. Terminates all sessions and network connections when non-local maintenance is completed.

supplemental objective information:
Non-local maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. The organization may employ compensating controls such as physical access controls and protected distribution systems so that co-located system administration and/or maintenance activities are not considered networked. Identification and authentication techniques used in the establishment of non-local maintenance and diagnostic sessions are consistent with the network access requirements in IA-2. Strong authenticators include, for example, PKI where certificates are stored on a token protected by a password, pass-phrase or biometric. Enforcing the requirements in MA-4 is accomplished in part by other controls.

enhancements to the base objective:

(1) The organization audits non-local maintenance and diagnostic sessions and designated organizational personnel review the maintenance records of the sessions.

(2) The organization documents, in the security plan for the information system, the installation and use of non-local maintenance and diagnostic connections.

(3) The organization:
(a) Requires that non-local maintenance and diagnostic services be performed from an information system that implements a level of security at least as high as that implemented on the system being serviced; or
(b) Removes the component to be serviced from the information system and prior to non-local maintenance or diagnostic services, sanitizes the component (with regard to organizational information) before removal from organizational facilities and after the service is performed, inspects and sanitizes the component (with regard to potentially malicious software and surreptitious implants) before reconnecting the component to the information system.

(4) The organization protects non-local maintenance sessions through the use of a strong authenticator tightly bound to the user and either:
(a) Physically separated communications paths; or
(b) Logically separated communications paths based upon either:
- NSA-approved cryptographic mechanisms used to protect classified, national security information from individuals who lack the necessary clearance; or
- FIPS-validated cryptographic mechanisms used to protect information from individuals who lack the necessary access approvals.

(5) The organization requires that:
(a) Maintenance personnel notify the [Assignment: organization-defined personnel] when non-local maintenance is planned (i.e., date/time); and
(b) A designated organizational official with specific information security/information system knowledge approves the non-local maintenance.

(6) The organization employs cryptographic mechanisms to protect the integrity and confidentiality of non-local maintenance and diagnostic communications.

(7) The organization employs remote disconnect verification at the termination of non-local maintenance and diagnostic sessions.
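As an added illustration that is not part of the SP800-53 catalog, the following script reviews constructed non-local maintenance session records against MA-4 c, d and e and enhancements (1) and (7). The record format, the event names and the set of authenticators treated as strong are assumptions made for the example.

```python
"""Review non-local maintenance session records against MA-4 c, d, e and
enhancements (1) and (7). Illustrative example; the record layout and the
set of 'strong' authenticators below are assumptions, not catalog content."""
from collections import defaultdict

# Authenticators treated as strong for this check (assumption, modelled on the
# guidance's example of PKI certificates on a password/biometric-protected token).
STRONG_AUTH = {"pki-token", "pki-smartcard"}

# Constructed sample records, one per line: "timestamp session user event key=value..."
SAMPLE_RECORDS = """\
2024-03-01T09:00:00Z s1 vendor-a start auth=pki-token
2024-03-01T09:45:00Z s1 vendor-a end disconnect=verified
2024-03-01T10:00:00Z s2 vendor-b start auth=password
2024-03-01T10:30:00Z s2 vendor-b end disconnect=verified
2024-03-01T11:00:00Z s3 vendor-c start auth=pki-smartcard
2024-03-01T12:00:00Z s4 vendor-d start auth=pki-token
2024-03-01T12:20:00Z s4 vendor-d end disconnect=unverified
"""


def parse_records(text):
    """Group records by session id; each record becomes (timestamp, user, event, {key: value})."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sid, user, event, *kv = line.split()
        detail = dict(item.split("=", 1) for item in kv)
        sessions[sid].append((ts, user, event, detail))
    return sessions


def review_sessions(text):
    """Return {session_id: [finding, ...]} for sessions that fail an MA-4 requirement."""
    findings = defaultdict(list)
    for sid, recs in parse_records(text).items():
        events = {event: detail for _, _, event, detail in recs}
        start = events.get("start")
        if start is None:
            findings[sid].append("MA-4(d): no start record for session")
        elif start.get("auth") not in STRONG_AUTH:
            findings[sid].append("MA-4(c): session not established with a strong authenticator")
        end = events.get("end")
        if end is None:
            findings[sid].append("MA-4(e): no termination record; session may still be open")
        elif end.get("disconnect") != "verified":
            findings[sid].append("MA-4(7): remote disconnect not verified at termination")
    return dict(findings)


if __name__ == "__main__":
    for sid, issues in sorted(review_sessions(SAMPLE_RECORDS).items()):
        print(sid, "->", "; ".join(issues))
```

Sessions with no findings (s1 above) are omitted from the result, so an empty dictionary means every recorded session met the checked requirements.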

mapping to FIPS199 baseline:

LOW:  base
MOD:  base (1) (2)
HIGH: base (1) (2) (3)

related (regimented) controls:

AC-02   Account Management
AC-03   Access Enforcement
AC-06   Least Privilege
AC-17   Remote Access
AU-02   Auditable Events
AU-03   Content of Audit Records
IA-02   User Identification and Authentication (Organizational Users)
IA-08   Identification and Authentication (Non-Organizational Users)
MA-05   Maintenance Personnel
MP-06   Media Sanitization
SC-07   Boundary Protection

documents referenced in SP800-53rev3 for MA-04:

Document        Date            Status   Title
NIST SP800-113  July 2008       current  Guide to SSL VPNs
NIST SP800-63   April 2006      current  Electronic Authentication Guideline
NIST SP800-77   December 2005   current  Guide to IPsec VPNs
NIST SP800-88   September 2006  current  Guidelines for Media Sanitization
