Doc:NIST SP 800-53r3 Appendix F/MA-2

From FISMApedia

MA-2 CONTROLLED MAINTENANCE

Control: The organization:
a. Schedules, performs, documents, and reviews records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements;
b. Controls all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;
c. Requires that a designated official explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs;
d. Sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs; and
e. Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions.
Supplemental Guidance: The control is intended to address the information security aspects of the organization's information system maintenance program. Related controls: MP-6, SI-2.
Control Enhancements: