This requirement addresses security-related issues with maintenance tools that are not within the organizational system boundaries that process, store, or transmit CUI, but are used specifically for diagnostic and repair actions on those systems. Organizations have flexibility in determining which controls to place on maintenance tools; those controls can include approving, controlling, and monitoring the use of such tools. Maintenance tools are potential vehicles for transporting malicious code, whether intentionally or unintentionally, into a facility and into organizational systems. Maintenance tools can include hardware, software, and firmware items, for example, hardware and software diagnostic test equipment and hardware and software packet sniffers.

Priority: Medium

Category: Maintenance 

Services Associated with AWS:   

  • AWS Systems Manager, AWS Config

Objective Evidence:   

  • Administrative: documented policies, standards & procedures
  • Administrative: supporting documentation to demonstrate how IT Asset Management (ITAM) is implemented
  • Administrative: supporting documentation to demonstrate change management practices reviewed/approved the maintenance request(s)
  • Administrative: supporting documentation of a Vulnerability & Patch Management Program (VPMP) that addresses preventative maintenance operations
  • Administrative: supporting documentation of role-based security training being performed
  • Administrative: supporting documentation of professional competence by individual(s) performing maintenance roles
  • Technical: screenshot of Configuration Management Database (CMDB) ticket  

Possible Technology Considerations:

  • Identity & Access Management (IAM)
  • Change Control Solution
  • Configuration Management Database (CMDB)
  • IT Asset Management (ITAM)
  • Patch Management Solution 

What needs to be answered:

Are controls in place that limit the tools, techniques, mechanisms, and employees used to maintain information systems, devices, and supporting systems? 

  • Controls on System Maintenance Tools
    Description: This check ensures that the organization has implemented controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance. These controls mitigate the security risks associated with maintenance tools, which are used for diagnostic and repair actions on organizational systems but are not themselves part of the system boundary. The controls may include approval, control, and monitoring of the use of maintenance tools so that they cannot introduce malicious code or provide unauthorized access.

More Details:   

The use of maintenance tools and the performance of maintenance actions are restricted to authorized IT support staff.