03.07.04: Maintenance Tools
Control Family: Maintenance
SPRS: N/A
Top Ten Failed Requirement: N/A
Supporting Publications:
SP 800-88 [50]
Referenced in: N/A
Control Type: N/A
CPCSC Level 2: 03.07.04
CMMC Level(s): N/A
Derived From: NIST SP 800-53r5 MA-03, MA-03(01), MA-03(02), MA-03(03)
a. Approve, control, and monitor the use of system maintenance tools.
b. Check media with diagnostic and test programs for malicious code before it is used in the system.
c. Prevent the removal of system maintenance equipment containing CUI by verifying that there is no CUI on the equipment, sanitizing or destroying the equipment, or retaining the equipment within the facility.
Discussion:
Approving, controlling, monitoring, and reviewing maintenance tools address security-related issues associated with the tools that are used for diagnostic and repair actions on the system. Maintenance tools can include hardware and software diagnostic and test equipment as well as packet sniffers. The tools may be preinstalled, brought in with maintenance personnel on media, cloud-based, or downloaded from a website. Diagnostic and test programs are potential vehicles for transporting malicious code into the system, either intentionally or unintentionally. Examples of media inspection include checking the cryptographic hash or digital signatures of diagnostic and test programs and media.
If organizations inspect media that contain diagnostic and test programs and determine that the media also contain malicious code, the incident is handled in accordance with incident handling policies and procedures. A periodic review of system maintenance tools can result in the withdrawal of approval for outdated, unsupported, irrelevant, or no-longer-used tools. The term maintenance tools does not cover the hardware and software components that support maintenance and are considered a part of the system.
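The discussion above names hash and signature checks of maintenance media as one way to meet parts a and b. The script below is an added example, not NIST text or anything from the page: it keeps a manifest of approved maintenance tools (constructed names and contents; the hashes are computed from a constructed known-good copy, where in practice they would come from the vendor's published checksums), verifies a tool image against that manifest before it is allowed onto the system, refuses tools whose approval has lapsed (the periodic review the discussion mentions), and writes an audit record for every decision so that use of the tools is monitored. All file names, approver identities and dates are hypothetical.

```python
"""Added example: approved-tool manifest check for maintenance media (03.07.04 a/b)."""
import hashlib
import json
import tempfile
from datetime import date
from pathlib import Path


def sha256_of_file(path: Path) -> str:
    """Stream the file through SHA-256 so large tool images are never read whole into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(approvals):
    """approvals: iterable of (filename, known_good_bytes, approved_by, expires_iso_date).

    Hashes are derived from the constructed known-good bytes here; a real manifest
    would carry vendor-published checksums plus the approval record."""
    manifest = {}
    for name, content, approved_by, expires in approvals:
        manifest[name] = {
            "sha256": hashlib.sha256(content).hexdigest(),
            "approved_by": approved_by,
            "expires": expires,  # approval is time-boxed so stale tools drop off at review
        }
    return manifest


def check_tool(path, manifest, today):
    """Return (verdict, detail); verdict is one of
    'approved', 'not-approved', 'approval-expired', 'hash-mismatch'."""
    path = Path(path)
    entry = manifest.get(path.name)
    if entry is None:
        return "not-approved", f"{path.name} is not on the approved maintenance tool list"
    if date.fromisoformat(entry["expires"]) < today:
        return "approval-expired", f"approval for {path.name} expired on {entry['expires']}"
    actual = sha256_of_file(path)
    if actual != entry["sha256"]:
        return "hash-mismatch", f"{path.name}: expected {entry['sha256'][:12]}..., got {actual[:12]}..."
    return "approved", f"{path.name} matches approved hash (approved by {entry['approved_by']})"


def record_decision(log, path, technician, verdict, detail, today):
    """Append an audit record; every check, allowed or refused, is logged."""
    rec = {"date": today.isoformat(), "tool": Path(path).name, "technician": technician,
           "verdict": verdict, "detail": detail}
    log.append(rec)
    return rec


def demo(workdir=None):
    """Run the check over constructed sample tool images; returns the audit log."""
    workdir = Path(workdir) if workdir else Path(tempfile.mkdtemp())
    good = b"CONSTRUCTED diagnostic tool image v2.4\n"
    manifest = build_manifest([
        ("diskcheck-2.4.bin", good, "maint-approver (hypothetical)", "2030-01-01"),
        ("legacy-probe-1.0.bin", b"CONSTRUCTED old tool\n", "maint-approver (hypothetical)", "2020-01-01"),
    ])
    # Constructed media: a clean copy, an altered copy with the same name,
    # an unknown tool, and a tool whose approval has lapsed.
    (workdir / "diskcheck-2.4.bin").write_bytes(good)
    (workdir / "tampered").mkdir(exist_ok=True)
    (workdir / "tampered" / "diskcheck-2.4.bin").write_bytes(good + b"unexpected extra bytes\n")
    (workdir / "netprobe.bin").write_bytes(b"CONSTRUCTED unknown tool\n")
    (workdir / "legacy-probe-1.0.bin").write_bytes(b"CONSTRUCTED old tool\n")
    today = date(2025, 6, 1)
    log = []
    for p in [workdir / "diskcheck-2.4.bin", workdir / "tampered" / "diskcheck-2.4.bin",
              workdir / "netprobe.bin", workdir / "legacy-probe-1.0.bin"]:
        verdict, detail = check_tool(p, manifest, today)
        record_decision(log, p, "tech-01 (hypothetical)", verdict, detail, today)
    return log


if __name__ == "__main__":
    for rec in demo():
        print(json.dumps(rec))
```

Only a verdict of `approved` should let the tool proceed; the other three verdicts map onto the discussion's handling paths (a hash mismatch on inspected media is an incident to be handled under the incident handling procedures, an expired approval is the outcome of periodic review). The audit log is what an assessor would ask for as maintenance tool inspection records under the Examine method.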
Assessment Methods and Objectives
Examine [SELECT FROM: maintenance policy and procedures; procedures for system maintenance tools; system maintenance tools; maintenance tool inspection records; equipment sanitization records; media sanitization records; system security plan; other relevant documents or records]
Interview [SELECT FROM: personnel with system maintenance responsibilities; personnel responsible for media sanitization; personnel with information security responsibilities]
Test [SELECT FROM: processes for approving, controlling, and monitoring maintenance tools; mechanisms for supporting or implementing the approval, control, or monitoring of maintenance tools; processes for preventing the unauthorized removal of information; processes for inspecting media for malicious code; mechanisms for supporting media sanitization or the destruction of equipment; mechanisms for supporting the verification of media sanitization; processes for inspecting maintenance tools; mechanisms for supporting or implementing the inspection of maintenance tools; mechanisms for supporting or implementing the inspection of media used for maintenance]
NIST SP 800-171A r3 Determining Statements
Determine if:
A.03.07.04.a[01]: the use of system maintenance tools is approved.
A.03.07.04.a[02]: the use of system maintenance tools is controlled.
A.03.07.04.a[03]: the use of system maintenance tools is monitored.
A.03.07.04.b: media with diagnostic and test programs are checked for malicious code before the media are used in the system.
A.03.07.04.c: the removal of system maintenance equipment containing CUI is prevented by verifying that there is no CUI on the equipment, sanitizing or destroying the equipment, or retaining the equipment within the facility.