Skip to Content

NIST 800-171 - Maintenance Tools (3.7.2)

164  Matthew Burdick September 27, 2022  Maintenance

Overview:
Provide effective controls on the tools, techniques, mechanisms, and personnel used to conduct information system maintenance.


Action Items:
3.7.2[a]
Determine if: tools used to conduct system maintenance are controlled.


3.7.2[b]
Determine if: techniques used to conduct system maintenance are controlled.


3.7.2[c]
Determine if: mechanisms used to conduct system maintenance are controlled.


3.7.2[d]
Determine if: personnel used to conduct system maintenance are controlled.


POTENTIAL ASSESSMENT METHODS AND OBJECTS


1
Examine: System maintenance policy; procedures addressing system maintenance tools and media; maintenance records; system maintenance tools and associated documentation; maintenance tool inspection records; system security plan; other relevant documents or records].


2
Interview: Personnel with system maintenance responsibilities; personnel with information security responsibilities].


3
Test: Organizational processes for approving, controlling, and monitoring maintenance tools; mechanisms supporting or implementing approval, control, and monitoring of maintenance tools; organizational processes for inspecting maintenance tools; mechanisms supporting or implementing inspection of maintenance tools; organizational process for inspecting media for malicious code; mechanisms supporting or implementing inspection of media used for maintenance].


Related Documents (document name and content will vary by organization):
1) System maintenance policy
2) procedures addressing system maintenance tools and media
3) maintenance records
4) system maintenance tools and associated documentation
5) maintenance tool inspection records
6) system security plan
7) other relevant documents or records


Additional Guidance:
This requirement addresses security-related issues with maintenance tools that are not within the organizational system boundaries that process, store, or transmit CUI, but are used specifically for diagnostic and repair actions on those systems. Organizations have flexibility in determining the controls in place for maintenance tools, but can include approving, controlling, and monitoring the use of such tools.


Maintenance tools can include hardware, software, and firmware items. Maintenance tools are potential vehicles for transporting malicious code, either intentionally or unintentionally, into a facility and subsequently into organizational systems. Maintenance tools can include, for example, hardware and software diagnostic test equipment and hardware and software packet sniffers.
Not Rated
Secure Code