NIST 800-171 - Equipment Maintenance (3.7.1)
Overview:
Perform maintenance on organizational information systems.
Action Items:
3.7.1[a]
Determine if: system maintenance is performed.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
1) Examine: System maintenance policy; procedures addressing controlled system maintenance; maintenance records; manufacturer or vendor maintenance specifications; equipment sanitization records; media sanitization records; system security plan; other relevant documents or records.
2) Interview: Personnel with system maintenance responsibilities; personnel with information security responsibilities; personnel responsible for media sanitization; system or network administrators.
3) Test: Organizational processes for scheduling, performing, documenting, reviewing, approving, and monitoring maintenance and repairs for systems; organizational processes for sanitizing system components; mechanisms supporting or implementing controlled maintenance; mechanisms implementing sanitization of system components.
Related Documents (document name and content will vary by organization):
1) System maintenance policy
2) Procedures addressing controlled system maintenance
3) Maintenance records
4) Manufacturer or vendor maintenance specifications
5) Equipment sanitization records
6) Media sanitization records
7) System security plan
8) Other relevant documents or records
Additional Guidance:
This requirement addresses the information security aspects of the system maintenance program and applies to all types of maintenance to any system component (including hardware, firmware, applications) conducted by any local or nonlocal entity. System maintenance also includes those components not directly associated with information processing and data or information retention such as scanners, copiers, and printers.
Information necessary for creating effective maintenance records includes, for example: date and time of maintenance; name of individuals or group performing the maintenance; name of escort, if necessary; a description of the maintenance performed; and system components or equipment removed or replaced (including identification numbers, if applicable).