MA-02-727 Controlled Maintenance

Controlled Maintenance

Control ID

MA-02-727

Control Name

Controlled Maintenance

Control Category

Maintenance

Functional Areas

Protect

Sub-Areas

Physical and Environmental Protection

NIST Baseline Level(s)

LOW, MOD, HIGH

NIST Priority

State Implementation Required

Yes

Agency Last Implemented Date

December 8, 2016

Agency Implementation

The IT operations manager shall ensure information resources are maintained in accordance with manufacturer or vendor specifications. Any non-routine maintenance shall be approved by the IT operations manager and documented in the support incident record. All storage media shall be removed from the information resource before it is sent to off-site maintenance.

Risk Statement

Unforeseen hardware failures occur due to lack of up to date maintenance records.

Control Description

The organization: a. Schedules, performs, documents, and reviews records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements; b. Approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location; c. Requires that [Assignment: organization-defined personnel or roles] explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs; d. Sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs; e. Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; and f. Includes [Assignment: organization-defined maintenance-related information] in organizational maintenance records.

Control Example

The organization maintains, updates and accepts maintenance records according to vendor specifications.

State Implementation

The state organization schedules, performs, documents, and reviews records of routine preventative and regular maintenance (including repairs) on the components of the information system in accordance with manufacturer or vendor specifications and/or organizational requirements.

Testing Procedures

Obtain information system maintenance policy; procedures addressing controlled maintenance for the information system; maintenance records; manufacturer/vendor maintenance specifications; other relevant documents or records and ascertain if: (I)the organization schedules, performs, documents, and reviews records of routine preventative and regular maintenance (including repairs) on the components of the information system in accordance with manufacturer or vendor specifications and/or organizational requirements. (ii)the organization maintains maintenance records for the information system that include: (I) the date and time of maintenance; (ii) name of the individual performing the maintenance; (iii) name of escort, if necessary; (iv) a description of the maintenance performed; and (v) a list of equipment removed or replaced (including identification numbers, if applicable).