catalog: SP800-53rev3 / class: Operational / family: (MA) Maintenance

MA-05: Maintenance Personnel

base control objective:
The organization:
a. Establishes a process for maintenance personnel authorization and maintains a current list of authorized maintenance organizations or personnel;
b. Ensures that personnel performing maintenance on the information system have required access authorizations or designates organizational personnel with required access authorizations and technical competence deemed necessary to supervise information system maintenance when maintenance personnel do not possess the required access authorizations.

supplemental objective information:
Individuals not previously identified in the information system, such as vendor personnel and consultants, may legitimately require privileged access to the system, for example, when required to conduct maintenance or diagnostic activities with little or no notice. Based on a prior assessment of risk, the organization may issue temporary credentials to these individuals. Temporary credentials may be for one-time use or for a very limited time period.

enhancements to the base objective:

(1) The organization maintains procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens, that include the following requirements:
(a) Maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals are escorted and supervised during the performance of maintenance and diagnostic activities on the information system by approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified;
(b) Prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances or formal access approvals, all volatile information storage components within the information system are sanitized and all nonvolatile storage media are removed or physically disconnected from the system and secured; and
(c) In the event an information system component cannot be sanitized, the procedures contained in the security plan for the system are enforced.
Enhancement Supplemental Guidance: The intent of this control enhancement is to deny individuals who lack appropriate security clearances (i.e., individuals who do not possess security clearances or possess security clearances at a lower level than required) or who are not U.S. citizens, visual and electronic access to any classified, national security information, controlled unclassified information, or any other sensitive information contained on the information system. Procedures for the use of maintenance personnel can be documented in the security plan for the information system.

(2) The organization ensures that personnel performing maintenance and diagnostic activities on classified, national security systems are cleared (i.e., possess appropriate security clearances) for the highest level of information on the system.

(3) The organization ensures that personnel performing maintenance and diagnostic activities on classified, national security systems are U.S. citizens.

(4) The organization ensures that:
(a) Cleared foreign nationals (i.e., foreign nationals with appropriate security clearances) are used to conduct maintenance and diagnostic activities on information systems only when those systems are jointly owned and operated by the U.S. and foreign allied governments, or owned and operated solely by foreign allied governments; and
(b) Approvals, consents, and detailed operational conditions regarding the use of foreign nationals to conduct maintenance and diagnostic activities on information systems are fully documented within a Memorandum of Agreement.

mapping to FIPS199 baseline:

  LOW: base     MOD: base     HIGH: base  

related (regimented) controls:

IA-08   Identification and Authentication (Non-Organizational Users)
MA-05   Maintenance Personnel

documents referenced in SP800-53rev3 for MA-05:

None.
