Organizational Control: Nonlocal Maintenance

Control ID: MA-4 Nonlocal Maintenance Family: Maintenance Source: NIST 800-53r4
Control: The organization:
  1. Approves and monitors nonlocal maintenance and diagnostic activities;
  2. Allows the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the information system;
  3. Employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions;
  4. Maintains records for nonlocal maintenance and diagnostic activities; and
  5. Terminates session and network connections when nonlocal maintenance is completed.
Supplemental Guidance:
Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g.,the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. Authentication techniques used in the establishment of nonlocal maintenance and diagnostic sessions reflect the network access requirements in IA-2. Typically, strong authentication requires authenticators that are resistant to replay attacks and employ multifactor authentication. Strong authenticators include, for example, PKI where certificates are stored on a token protected by a password, passphrase, or biometric. Enforcing requirements in MA-4 is accomplished in part by other controls.

Related Controls: AC-2, AC-3, AC-6, AC-17, AU-2, IA-2, IA-4, IA-5, MA-2, MA-5, MP-6, PL-2, SC-7, SC-17, AU-3, IA-8, SC-10
Control Enhancements:
(2) Nonlocal Maintenance | Document Nonlocal Maintenance
The organization documents in the security plan for the information system, the policies and procedures for the establishment and use of nonlocal maintenance and diagnostic connections.
Supplemental Guidance:
Related Controls: N/A

(3) Nonlocal Maintenance | Comparable Security / Sanitization
The organization:
  1. Requires that nonlocal maintenance and diagnostic services be performed from an information system that implements a security capability comparable to the capability implemented on the system being serviced; or
  2. Removes the component to be serviced from the information system prior to nonlocal maintenance or diagnostic services, sanitizes the component (with regard to organizational information) before removal from organizational facilities, and after the service is performed, inspects and sanitizes the component (with regard to potentially malicious software) before reconnecting the component to the information system.

Supplemental Guidance: Comparable security capability on information systems, diagnostic tools, and equipment providing maintenance services implies that the implemented security controls on those systems, tools, and equipment are at least as comprehensive as the controls on the information system being serviced.
Related Controls: MA-3, SA-12, SI-3, SI-7
References: FIPS Publications 140-2, 197, 201; NIST Special Publications 800-63, 800-88; CNSS Policy 15.
Mechanisms:

Protocol Implementation Conformance Statements: N/A