BRACKETOLOGY | FEDRAMP
MA-3: MAINTENANCE TOOLS
FedRAMP Baseline Membership MA-3:
- MODERATE
- HIGH
The organization approves, controls, and monitors information system maintenance tools.
There are no FedRAMP-specific requirements if this control is used for a LOW Impact system.
There are no FedRAMP-specific requirements if this control is used for a MODERATE Impact system.
There are no FedRAMP-specific requirements if this control is used for a HIGH Impact system.
SUPPLEMENTAL GUIDANCE
This control addresses security-related issues associated with maintenance tools used specifically for diagnostic and repair actions on organizational information systems. Maintenance tools can include hardware, software, and firmware items. Maintenance tools are potential vehicles for transporting malicious code, either intentionally or unintentionally, into a facility and subsequently into organizational information systems. Maintenance tools can include, for example, hardware/software diagnostic test equipment and hardware/software packet sniffers. This control does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch.
RELATED CONTROLS: MA-3
CONTROL ENHANCEMENTS
MA-3 (1) MAINTENANCE TOOLS | INSPECT TOOLS
FedRAMP Baseline Membership MA-3 (1):
- MODERATE
- HIGH
The organization inspects the maintenance tools carried into a facility by maintenance personnel for improper or unauthorized modifications.
Supplemental Guidance:
If, upon inspection of maintenance tools, organizations determine that the tools have been modified in an improper/unauthorized manner or contain malicious code, the incident is handled consistent with organizational policies and procedures for incident handling.
RELATED CONTROLS: MA-3 (1)
MA-3 (2) MAINTENANCE TOOLS | INSPECT MEDIA
FedRAMP Baseline Membership MA-3 (2):
- MODERATE
- HIGH
The organization checks media containing diagnostic and test programs for malicious code before the media are used in the information system.
Supplemental Guidance:
If, upon inspection of media containing maintenance diagnostic and test programs, organizations determine that the media contain malicious code, the incident is handled consistent with organizational incident handling policies and procedures.
RELATED CONTROLS: MA-3 (2)
MA-3 (3) MAINTENANCE TOOLS | PREVENT UNAUTHORIZED REMOVAL
FedRAMP Baseline Membership MA-3 (3):
- MODERATE
- HIGH
The organization prevents the unauthorized removal of maintenance equipment containing organizational information by:
- (a) Verifying that there is no organizational information contained on the equipment;
- (b) Sanitizing or destroying the equipment;
- (c) Retaining the equipment within the facility; or
- (d) Obtaining an exemption from [Assignment: organization-defined personnel or roles] explicitly authorizing removal of the equipment from the facility.
There are no FedRAMP-specific requirements if this control is used for a LOW Impact system.
FedRAMP-specific control configuration for MODERATE and HIGH Impact systems (the parameter is the same for both baselines):
The organization prevents the unauthorized removal of maintenance equipment containing organizational information by:
- (a) Verifying that there is no organizational information contained on the equipment;
- (b) Sanitizing or destroying the equipment;
- (c) Retaining the equipment within the facility; or
- (d) Obtaining an exemption from [the information owner] explicitly authorizing removal of the equipment from the facility.
Supplemental Guidance:
Organizational information includes all information specifically owned by organizations and information provided to organizations in which organizations serve as information stewards.
MA-3 (4) MAINTENANCE TOOLS | RESTRICTED TOOL USE
The information system restricts the use of maintenance tools to authorized personnel only.
Supplemental Guidance:
This control enhancement applies to information systems that are used to carry out maintenance functions.
RELATED CONTROLS: MA-3 (4)
REFERENCES:
- NIST Special Publication 800-88