This requirement addresses the information security aspects of the system maintenance program and applies to all types of maintenance to any system component (including hardware, firmware, applications) conducted by any local or nonlocal entity. System maintenance also includes those components not directly associated with information processing and data or information retention such as scanners, copiers, and printers.

[26] In general, system maintenance requirements tend to support the security objective of availability. However, improper system maintenance or a failure to perform maintenance can result in the unauthorized disclosure of CUI, thus compromising confidentiality of that information.

Priority: Medium

Category: Maintenance

Services Associated with AWS:

  • AWS Security Hub, AWS Incident Manager

Objective Evidence:

  • Administrative: documented policies, standards & procedures
  • Administrative: supporting documentation to demonstrate how IT Asset Management (ITAM) is implemented
  • Administrative: supporting documentation to demonstrate change management practices reviewed/approved the maintenance request(s)
  • Administrative: supporting documentation of a Vulnerability & Patch Management Program (VPMP) that addresses preventative maintenance operations
  • Administrative: supporting documentation of role-based security training being performed
  • Administrative: supporting documentation of professional competence by individual(s) performing maintenance roles
  • Technical: screenshot of Configuration Management Database (CMDB) ticket

Possible Technology Considerations:

  • Patch Management Solution
  • Change Control Solution
  • Configuration Management Database (CMDB)
  • IT Asset Management (ITAM)

What needs to be answered:

Are IT maintenance tools managed? Is there a list of approved tools, and are their access and location controlled? Is maintenance performed on a defined schedule? Does company management approve maintenance activities?

  • Incident Tracking, Documentation, and Reporting
    Description: This check ensures that organizations have established processes to track, document, and report system security incidents to designated officials and/or authorities both internal and external to the organization. The processes include maintaining incident records, evaluating incident details, and adhering to incident reporting requirements.

More Details:

Regular maintenance is conducted by IT support staff, and all systems are patched and updated as needed.