MA 3 MAINTENANCE TOOLS - NIST-SP-800-53-R5/NIST-SP-800-53-R5.github.io GitHub Wiki

Control:

• a. Approve, control, and monitor the use of system maintenance tools; and
• b. Review previously approved system maintenance tools [ Assignment: organization-defined frequency ].

Discussion: Approving, controlling, monitoring, and reviewing maintenance tools address security-related issues associated with maintenance tools that are not within system authorization boundaries and are used specifically for diagnostic and repair actions on organizational systems. Organizations have flexibility in determining roles for the approval of maintenance tools and how that approval is documented. A periodic review of maintenance tools facilitates the withdrawal of approval for outdated, unsupported, irrelevant, or no-longer- used tools. Maintenance tools can include hardware, software, and firmware items and may be pre-installed, brought in with maintenance personnel on media, cloud-based, or downloaded from a website. Such tools can be vehicles for transporting malicious code, either intentionally or unintentionally, into a facility and subsequently into systems. Maintenance tools can include hardware and software diagnostic test equipment and packet sniffers. The hardware and software components that support maintenance and are a part of the system (including the software implementing utilities such as “ping,” “ls,” “ipconfig,” or the hardware and software implementing the monitoring port of an Ethernet switch) are not addressed by maintenance tools.

Related Controls: MA-2, PE-16.

Control Enhancements:

• (1) MAINTENANCE TOOLS | INSPECT TOOLS
  Inspect the maintenance tools used by maintenance personnel for improper or unauthorized modifications.

  Discussion: Maintenance tools can be directly brought into a facility by maintenance personnel or downloaded from a vendor’s website. If, upon inspection of the maintenance tools, organizations determine that the tools have been modified in an improper manner or the tools contain malicious code, the incident is handled consistent with organizational policies and procedures for incident handling.

  Related Controls: SI-7.

• (2) MAINTENANCE TOOLS | INSPECT MEDIA
  Check media containing diagnostic and test programs for malicious code before the media are used in the system.

  Discussion: If, upon inspection of media containing maintenance, diagnostic, and test programs, organizations determine that the media contains malicious code, the incident is handled consistent with organizational incident handling policies and procedures.

  Related Controls: SI-3.

• (3) MAINTENANCE TOOLS | PREVENT UNAUTHORIZED REMOVAL
  Prevent the removal of maintenance equipment containing organizational information by:

  • (a) Verifying that there is no organizational information contained on the equipment;
  • (b) Sanitizing or destroying the equipment;
  • (c) Retaining the equipment within the facility; or
  • (d) Obtaining an exemption from [ Assignment: organization-defined personnel or roles ] explicitly authorizing removal of the equipment from the facility.

  Discussion: Organizational information includes all information owned by organizations and any information provided to organizations for which the organizations serve as information stewards.

  Related Controls: MP-6.

• (4) MAINTENANCE TOOLS | RESTRICTED TOOL USE
  Restrict the use of maintenance tools to authorized personnel only.

  Discussion: Restricting the use of maintenance tools to only authorized personnel applies to systems that are used to carry out maintenance functions.

  Related Controls: AC-3, AC-5, AC-6.

• (5) MAINTENANCE TOOLS | EXECUTION WITH PRIVILEGE
  Monitor the use of maintenance tools that execute with increased privilege.

  Discussion: Maintenance tools that execute with increased system privilege can result in unauthorized access to organizational information and assets that would otherwise be inaccessible.

  Related Controls: AC-3, AC-6.

• (6) MAINTENANCE TOOLS | SOFTWARE UPDATES AND PATCHES
  Inspect maintenance tools to ensure the latest software updates and patches are installed.

  Discussion: Maintenance tools using outdated and/or unpatched software can provide a threat vector for adversaries and result in a significant vulnerability for organizations.

  Related Controls: AC-3, AC-6.

References: [SP 800-88].