ARTIFACTS

MA: SYSTEM MAINTENANCE

HOW TO USE THIS PAGE

What's On This Page

Each control family has a page dedicated to presenting all of the artifacts associated with the controls and control enhancements in that family. This is a consolidated view of the artifacts organized in a way to make the information usable. From here you can navigate to the individual control pages where the artifacts associated with each control or control enhancement are displayed with the control. You can use the Links Panels to select the individual controls or control enhancements you want to work with.

Supplement the artifacts here with other relevent documents and records dictated by your risk-based cybersecurity program and your information supply chain requirements.

The Source of the Artifacts

The control information comes from NIST Special Publication 800-53R4, Security and Privacy Controls for Information Systems and Organizationsand Special Publication and NIST Special Publication 800-53AR4, Assessing Security and Privacy Controls in Federal Information Systems and Organizations Building Effective Assessment Plans. We've normalized the artifact names and annotated them with information useful in understanding these artifacts in the context of your digital enterprise, information supply chain, and security architecture.

THE ESSENTIALS

Essential Artifacts for Risk-Based Cybersecurity Programs

This section includes core documents for risk-based cybersecurity; the POLICY & PROCEDURES document for System Maintenance (MA); and documents that are widely used in the assessment of controls and control enhancements in the System Maintenance (MA) family. Policy and Procedure documents from control families are in CAPS and identified with their two letter code.

CORE ARTIFACTS
WIDELY USED ARTIFACTS FOR SYSTEM MAINTENANCE (MA)
SYSTEM MAINTENANCE & PROCEDURES (MA)
System Maintenance policy
Information system design documentation
Information system configuration settings and associated documentation
Information system audit records
Security Authorization Package Documents: Security Plan Security Assessment Plan of Action and Milestones (POA&M)
ESSENTIALS
ACCESS CONTROL POLICY & PROCEDURES (AC)
Asset Inventory
AUDIT & ACCOUNTABILITY POLICY & PROCEDURES (AU)
Configuration Management Plan
CONFIGURATION MANAGEMENT POLICY & PROCEDURES (CM)
Contingency Plan Plans related to a comprehensive Contingency Plan: Business Continuity Plans Disaster Recovery Plans Continuity of Operations Plans Crisis Communications Plans Critical Infrastructure Plans Cyber Incident Response Plans Insider Threat Implementation Plan Occupant Emergency Plans
CONTINGENCY PLANNING POLICY & PROCEDURES (CP)
Continuous Monitoring Strategy
Continuous Monitoring Plan
Enterprise Architecture (EA)
IDENTIFICATION & AUTHENTICATION POLICY & PROCEDURES (IA)
INCIDENT RESPONSE POLICY & PROCEDURES (IR)
INFORMATION SECURITY PROGRAM PLAN (PM)
MEDIA PROTECTION POLICY & PROCEDURES (MP)
PERSONNEL SECURITY POLICY & PROCEDURES (PS)
PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY & PROCEDURES (PE)
Privacy Impact Assessment
Privacy Program Plan
Risk Assessment
RISK ASSESSMENT POLICY & PROCEDURES (RA)
SECURITY ASSESSMENT & AUTHORIZATION POLICY & PROCEDURES (CA)
SECURITY AWARENESS AND TRAINING POLICY & PROCEDURES (AT)
Security Configurations
SECURITY PLANNING POLICY & PROCEDURES (PL)
SYSTEM AND COMMUNICATIONS PROTECTION POLICY & PROCEDURES (SC)
SYSTEM AND INFORMATION INTEGRITY POLICY & PROCEDURES (SI)
SYSTEM AND SERVICES ACQUISITION POLICY & PROCEDURES (SA)
System Interconnection Agreements
SYSTEM MAINTENANCE POLICY & PROCEDURES (MA)

POLICY & PROCEDURES

Policy & Procedures

Here you'll find a catalog of System Maintenance (MA) related policies and procedures for managing access to your digital enterprise and information supply chain. Select those that enable your risk-based cybersecurity program.

POLICES & PROCEDURES	APPLICABLE CONTROL(S)
Access control POLICY & PROCEDURES	MA-5 (4) MA-5 (5)
Maintenance POLICY & PROCEDURES	MA-1
Physical and environmental protection policy	MA-5 (1)
Physical and environmental protection POLICY & PROCEDURES	MA-5 (4) MA-5 (5)
Procedures addressing controlled information system maintenance	MA-2 MA-2 (2)
Procedures addressing information system maintenance	MA-6 MA-6 (1) MA-6 (2) MA-6 (3)
Procedures addressing information system maintenance tools	MA-3 MA-3 (1) MA-3 (2) MA-3 (3) MA-3 (4)
Procedures addressing maintenance personnel	MA-5 MA-5 (1) MA-5 (2) MA-5 (3) MA-5 (4) MA-5 (5)
Procedures addressing non-local information system maintenance	MA-4 (2) MA-4 (5) MA-4 (6) MA-4 (7) MA-4 MA-4 (1) MA-4 (3) MA-4 (4)
Information system maintenance policy	MA-2 MA-2 (2) MA-3 MA-3 (1) MA-3 (2) MA-3 (3) MA-3 (4) MA-4 MA-4 (1) MA-4 (2) MA-4 (3) MA-4 (4) MA-4 (5) MA-4 (6) MA-4 (7) MA-5 MA-5 (1) MA-5 (2) MA-5 (3) MA-5 (4) MA-5 (5) MA-6 MA-6 (1) MA-6 (2) MA-6 (3)
Information system media protection policy	MA-5 (1) MA-5 (4) MA-5 (5)

ARTIFACTS — System Maintenance (MA) Evidence

Evidence, Records & Artifacts

ARTIFACT	APPLICABLE CONTROL(S)
Maintenance tool inspection records	MA-3 (1)
Maintenance tool usage records	MA-3 (4)
Manufacturer/vendor maintenance specifications	MA-2
Media sanitization records	MA-2
Media sanitization records	MA-3 (3)
Media sanitization records	MA-4 (3)
Memorandum of agreement	MA-5 (4)
Notifications supporting nonlocal maintenance sessions	MA-4 (5)
Personnel records	MA-5 (2)
Personnel records	MA-5 (3)
Reviews of maintenance and diagnostic session records	MA-4 (1)
Service provider contracts	MA-5 MA-6 MA-6 (1) MA-6 (2) MA-6 (3)
Service provider contracts and/or service-level agreements	MA-4 (3)
Service-level agreements	MA-5
Service-level agreements	MA-6 MA-6 (1) MA-6 (2) MA-6 (3)

LISTS

Maintenance Related Lists

These are the Maintenance related lists you may need to support your security program. For the lists applicable to your systems and informations supply chain you should know the source of the list and the data it contains; how the lists are generated, where they are stored, and how they are maintained, and how to get the when you have an incident, an incident investigation or an audit.

LIST	APPLICABLE CONTROL(S)
List of audit events	MA-4 (1)
List of authorized personnel	MA-5
List of maintenance personnel requiring escort/supervision	MA-5 (1)
List of personnel authorized to use maintenance tools	MA-3 (4)
List of system components requiring predictive maintenance	MA-6 (2) MA-6 (3)
List of system components requiring preventive maintenance	MA-6 (1)

Go to The List of Lists

LINKS TO MAINTENANCE (MA) CONTROLS

Control	Control Enhancements
MA-1 MAINTENANCE \| SYSTEM MAINTENANCE POLICY & PROCEDURES
MA-2 MAINTENANCE \| CONTROLLED MAINTENANCE
	MA-2 (1) CONTROLLED MAINTENANCE \| RECORD CONTENT
	MA-2 (2) CONTROLLED MAINTENANCE \| AUTOMATED MAINTENANCE ACTIVITIES
MA-3 MAINTENANCE \| MAINTENANCE TOOLS
	MA-3 (1) MAINTENANCE TOOLS \| INSPECT TOOLS
	MA-3 (2) MAINTENANCE TOOLS \| INSPECT MEDIA
	MA-3 (3) MAINTENANCE TOOLS \| PREVENT UNAUTHORIZED REMOVAL
	MA-3 (4) MAINTENANCE TOOLS \| RESTRICTED TOOL USE
MA-4 MAINTENANCE \| NONLOCAL MAINTENANCE
	MA-4 (1) NONLOCAL MAINTENANCE \| AUDITING AND REVIEW
	MA-4 (2) NONLOCAL MAINTENANCE \| DOCUMENT NONLOCAL MAINTENANCE
	MA-4 (3) NONLOCAL MAINTENANCE \| COMPARABLE SECURITY / SANITIZATION
	MA-4 (4) NONLOCAL MAINTENANCE \| AUTHENTICATION / SEPARATION OF MAINTENANCE SESSIONS
	MA-4 (5) NONLOCAL MAINTENANCE \| APPROVALS AND NOTIFICATIONS
	MA-4 (6) NONLOCAL MAINTENANCE \| CRYPTOGRAPHIC PROTECTION
	MA-4 (7) NONLOCAL MAINTENANCE \| REMOTE DISCONNECT VERIFICATION
MA-5 MAINTENANCE \| MAINTENANCE PERSONNEL
	MA-5 (1) MAINTENANCE PERSONNEL \| INDIVIDUALS WITHOUT APPROPRIATE ACCESS
	MA-5 (2) MAINTENANCE PERSONNEL \| SECURITY CLEARANCES FOR CLASSIFIED SYSTEMS
	MA-5 (3) MAINTENANCE PERSONNEL \| CITIZENSHIP REQUIREMENTS FOR CLASSIFIED SYSTEMS
	MA-5 (4) MAINTENANCE PERSONNEL \| FOREIGN NATIONALS
	MA-5 (5) MAINTENANCE PERSONNEL \| NONSYSTEM-RELATED MAINTENANCE
MA-6 MAINTENANCE \| TIMELY MAINTENANCE
	MA-6 (1) TIMELY MAINTENANCE \| PREVENTIVE MAINTENANCE
	MA-6 (2) TIMELY MAINTENANCE \| PREDICTIVE MAINTENANCE
	MA-6 (3) TIMELY MAINTENANCE \| AUTOMATED SUPPORT FOR PREDICTIVE MAINTENANCE

Control	Control Enhancements
MA-1 MAINTENANCE \| SYSTEM MAINTENANCE POLICY & PROCEDURES
MA-2 MAINTENANCE \| CONTROLLED MAINTENANCE
	MA-2 (1) CONTROLLED MAINTENANCE \| RECORD CONTENT
	MA-2 (2) CONTROLLED MAINTENANCE \| AUTOMATED MAINTENANCE ACTIVITIES
MA-3 MAINTENANCE \| MAINTENANCE TOOLS
	MA-3 (1) MAINTENANCE TOOLS \| INSPECT TOOLS
	MA-3 (2) MAINTENANCE TOOLS \| INSPECT MEDIA
	MA-3 (3) MAINTENANCE TOOLS \| PREVENT UNAUTHORIZED REMOVAL
	MA-3 (4) MAINTENANCE TOOLS \| RESTRICTED TOOL USE
MA-4 MAINTENANCE \| NONLOCAL MAINTENANCE
	MA-4 (1) NONLOCAL MAINTENANCE \| AUDITING AND REVIEW
	MA-4 (2) NONLOCAL MAINTENANCE \| DOCUMENT NONLOCAL MAINTENANCE
	MA-4 (3) NONLOCAL MAINTENANCE \| COMPARABLE SECURITY / SANITIZATION
	MA-4 (4) NONLOCAL MAINTENANCE \| AUTHENTICATION / SEPARATION OF MAINTENANCE SESSIONS
	MA-4 (5) NONLOCAL MAINTENANCE \| APPROVALS AND NOTIFICATIONS
	MA-4 (6) NONLOCAL MAINTENANCE \| CRYPTOGRAPHIC PROTECTION
	MA-4 (7) NONLOCAL MAINTENANCE \| REMOTE DISCONNECT VERIFICATION
MA-5 MAINTENANCE \| MAINTENANCE PERSONNEL
	MA-5 (1) MAINTENANCE PERSONNEL \| INDIVIDUALS WITHOUT APPROPRIATE ACCESS
	MA-5 (2) MAINTENANCE PERSONNEL \| SECURITY CLEARANCES FOR CLASSIFIED SYSTEMS
	MA-5 (3) MAINTENANCE PERSONNEL \| CITIZENSHIP REQUIREMENTS FOR CLASSIFIED SYSTEMS
	MA-5 (4) MAINTENANCE PERSONNEL \| FOREIGN NATIONALS
	MA-5 (5) MAINTENANCE PERSONNEL \| NONSYSTEM-RELATED MAINTENANCE
MA-6 MAINTENANCE \| TIMELY MAINTENANCE
	MA-6 (1) TIMELY MAINTENANCE \| PREVENTIVE MAINTENANCE
	MA-6 (2) TIMELY MAINTENANCE \| PREDICTIVE MAINTENANCE
	MA-6 (3) TIMELY MAINTENANCE \| AUTOMATED SUPPORT FOR PREDICTIVE MAINTENANCE