MA-04-727 Nonlocal Maintenance

Nonlocal Maintenance

Control ID

MA-04-727

Control Name

Nonlocal Maintenance

Control Category

Maintenance

Functional Areas

Protect

Sub-Areas

Network Access and Perimeter Controls

NIST Baseline Level(s)

LOW, MOD, HIGH

NIST Priority

State Implementation Required

Yes

Agency Last Implemented Date

December 8, 2016

Agency Implementation

Unless otherwise explicitly approved by the chief information security officer, the only acceptable method of nonlocal maintenance shall be a screen sharing session initiated by an authorized agency representative in which remote support personnel perform the necessary support actions under the visual observation of the agency representative. The agency representative shall retain the ability to terminate the screen sharing session at any time.

Risk Statement

Unauthorized access is gained through diagnostic and configuration network ports.

Control Description

The organization: a. Approves and monitors nonlocal maintenance and diagnostic activities; b. Allows the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the information system; c. Employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions; d. Maintains records for nonlocal maintenance and diagnostic activities; and e. Terminates session and network connections when nonlocal maintenance is completed.

Control Example

The organization disables or controls network ports.

State Implementation

The state organization authorizes, monitors, and controls any remotely executed maintenance and diagnostic activities, if employed.

Testing Procedures

Obtain information system maintenance policy; procedures addressing remote maintenance for the information system; information system design documentation; information system configuration settings and associated documentation; maintenance records; audit records; security plan; other relevant documents or records and ascertain if : (I)the organization authorizes, monitors, and controls the execution of maintenance and diagnostic activities conducted remotely by individuals communicating through an external, non-organization-controlled network (e.g., the Internet), if employed. (ii)the organization documents in the security plan, the remote maintenance and diagnostic tools to be employed. (iii)the organization maintains records for all remote maintenance and diagnostic activities. (iv)the organization (or information system in certain cases) terminates all sessions and remote connections invoked in the performance of remote maintenance and diagnostic activity when the remote maintenance or diagnostics is completed. (v)the organization changes the passwords following each remote maintenance and diagnostic activity if password-based authentication is used to accomplish remote maintenance. (vi)the organization audits all remote maintenance and diagnostic sessions. (vii)appropriate organizational personnel (as deemed by the organization) review the maintenance records of remote sessions. (viii)the organization addresses the installation and use of remote maintenance and diagnostic links in the security plan for the information system.