MA-4 (1) Auditing And Review
The organization:
MA-4 (1)(a) Audits nonlocal maintenance and diagnostic sessions [Assignment: organization-defined audit events]; and
MA-4 (1)(b) Reviews the records of the maintenance and diagnostic sessions.
MA-4 (2) Document Nonlocal Maintenance (Baseline: MODERATE)
The organization documents in the security plan for the information system the policies and procedures for the establishment and use of nonlocal maintenance and diagnostic connections.
MA-4 (3) Comparable Security / Sanitization (Baseline: HIGH)
The organization:
MA-4 (3)(a) Requires that nonlocal maintenance and diagnostic services be performed from an information system that implements a security capability comparable to the capability implemented on the system being serviced; or
MA-4 (3)(b) Removes the component to be serviced from the information system prior to nonlocal maintenance or diagnostic services, sanitizes the component (with regard to organizational information) before removal from organizational facilities, and after the service is performed, inspects and sanitizes the component (with regard to potentially malicious software) before reconnecting the component to the information system.
Comparable security capability on information systems, diagnostic tools, and equipment providing maintenance services implies that the implemented security controls on those systems, tools, and equipment are at least as comprehensive as the controls on the information system being serviced.
MA-4 (4) Authentication / Separation Of Maintenance Sessions
The organization protects nonlocal maintenance sessions by:
MA-4 (4)(a) Employing [Assignment: organization-defined authenticators that are replay resistant]; and
MA-4 (4)(b) Separating the maintenance sessions from other network sessions with the information system by either:
MA-4 (4)(b)(1) Physically separated communications paths; or
MA-4 (4)(b)(2) Logically separated communications paths based upon encryption.
MA-4 (5) Approvals And Notifications
The organization:
MA-4 (5)(a) Requires the approval of each nonlocal maintenance session by [Assignment: organization-defined personnel or roles]; and
MA-4 (5)(b) Notifies [Assignment: organization-defined personnel or roles] of the date and time of planned nonlocal maintenance.
Notification may be performed by maintenance personnel. Approval of nonlocal maintenance sessions is accomplished by organizational personnel with sufficient information security and information system knowledge to determine the appropriateness of the proposed maintenance.
MA-4 (6) Cryptographic Protection
The information system implements cryptographic mechanisms to protect the integrity and confidentiality of nonlocal maintenance and diagnostic communications.
MA-4 (7) Remote Disconnect Verification
The information system implements remote disconnect verification at the termination of nonlocal maintenance and diagnostic sessions.
Remote disconnect verification ensures that remote connections from nonlocal maintenance sessions have been terminated and are no longer available for use.
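An added example of how the review in MA-4 (1)(b), the approval requirement in MA-4 (5)(a) and the disconnect verification in MA-4 (7) can be exercised together against host logs (example code written for this page, not part of the control text or any NIST publication): it correlates OpenSSH sshd "Accepted" and pam_unix "session closed" lines by process id into sessions, then flags sessions of a maintenance account that fall outside an approved window or that have no disconnect record. The log lines, the `vendor-maint` account, the approved window and the year 2024 are constructed assumptions; the line formats follow what OpenSSH and pam_unix emit on common Linux distributions and should be checked against the logs of the system actually being reviewed.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample sshd log (syslog format) for one host; not from a real system.
# "vendor-maint" is an assumed account used only for nonlocal maintenance.
SAMPLE_LOG = """\
Mar 10 02:00:12 db01 sshd[4311]: Accepted publickey for vendor-maint from 203.0.113.5 port 51022 ssh2: ED25519 SHA256:q3Zz0example
Mar 10 02:00:12 db01 sshd[4311]: pam_unix(sshd:session): session opened for user vendor-maint by (uid=0)
Mar 10 02:41:07 db01 sshd[4311]: pam_unix(sshd:session): session closed for user vendor-maint
Mar 10 03:15:44 db01 sshd[5120]: Accepted publickey for vendor-maint from 203.0.113.5 port 51870 ssh2: ED25519 SHA256:q3Zz0example
Mar 10 03:15:44 db01 sshd[5120]: pam_unix(sshd:session): session opened for user vendor-maint by (uid=0)
Mar 10 03:20:01 db01 sshd[5344]: Accepted publickey for alice from 10.0.0.14 port 40012 ssh2: RSA SHA256:aliceexample
Mar 10 03:20:01 db01 sshd[5344]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Mar 10 03:25:30 db01 sshd[5344]: pam_unix(sshd:session): session closed for user alice
"""

# Assumed accounts reserved for nonlocal maintenance, and the approved windows
# (MA-4(5)(a)) granted for them; both are illustrative values.
MAINTENANCE_ACCOUNTS = {"vendor-maint"}
APPROVED_WINDOWS = [
    ("vendor-maint", datetime(2024, 3, 10, 1, 30), datetime(2024, 3, 10, 3, 0)),
]

ACCEPTED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[(?P<pid>\d+)\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port \d+"
)
CLOSED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[(?P<pid>\d+)\]: "
    r"pam_unix\(sshd:session\): session closed for user (?P<user>\S+)"
)


@dataclass
class Session:
    pid: int
    user: str
    src: str
    method: str
    opened: datetime
    closed: Optional[datetime] = None  # None: no disconnect record seen


@dataclass(frozen=True)
class Finding:
    pid: int
    user: str
    issue: str


def _parse_ts(ts: str, year: int) -> datetime:
    # syslog timestamps omit the year, so the reviewer supplies it.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def parse_sshd_log(text: str, year: int) -> list[Session]:
    """Correlate 'Accepted' and 'session closed' lines by sshd pid into sessions."""
    open_by_pid: dict[int, Session] = {}
    sessions: list[Session] = []
    for line in text.splitlines():
        m = ACCEPTED_RE.match(line)
        if m:
            s = Session(int(m["pid"]), m["user"], m["src"], m["method"],
                        _parse_ts(m["ts"], year))
            open_by_pid[s.pid] = s
            sessions.append(s)
            continue
        m = CLOSED_RE.match(line)
        if m:
            s = open_by_pid.get(int(m["pid"]))
            if s is not None and s.user == m["user"]:
                s.closed = _parse_ts(m["ts"], year)
                del open_by_pid[s.pid]
    return sessions


def review_maintenance_sessions(sessions, maintenance_accounts, approved_windows):
    """MA-4(1)(b) review: flag unapproved (MA-4(5)) and unterminated (MA-4(7)) sessions."""
    findings: list[Finding] = []
    for s in sessions:
        if s.user not in maintenance_accounts:
            continue  # ordinary user session, not nonlocal maintenance
        approved = any(user == s.user and start <= s.opened <= end
                       for user, start, end in approved_windows)
        if not approved:
            findings.append(Finding(s.pid, s.user,
                            f"opened {s.opened:%H:%M:%S} from {s.src} outside any approved window"))
        if s.closed is None:
            findings.append(Finding(s.pid, s.user,
                            "no disconnect record; session may still be open"))
    return findings


if __name__ == "__main__":
    sessions = parse_sshd_log(SAMPLE_LOG, year=2024)
    for s in sessions:
        if s.user in MAINTENANCE_ACCOUNTS:
            end = s.closed.strftime("%H:%M:%S") if s.closed else "OPEN"
            print(f"pid={s.pid} user={s.user} src={s.src} {s.opened:%H:%M:%S}-{end}")
    for f in review_maintenance_sessions(sessions, MAINTENANCE_ACCOUNTS, APPROVED_WINDOWS):
        print(f"FINDING pid={f.pid} user={f.user}: {f.issue}")
```

The "no disconnect record" finding is a prompt to verify, not proof: a missing close line can also mean log loss or rotation, so a reviewer confirms the session state on the host (for example with `who` or by checking for a live sshd child process) before treating the MA-4 (7) check as passed or failed.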