Practice MA.L2-3.7.2 Details - Revision history

David at 00:53, 16 March 2025

2025-03-16T00:53:07Z

← Older revision		Revision as of 00:53, 16 March 2025
Line 19:		Line 19:
	'''Interview'''		'''Interview'''

	[SELECT FROM: Personnel with system maintenance responsibilities;personnel with information security responsibilities].		[SELECT FROM: Personnel with system maintenance responsibilities; personnel with information security responsibilities].

	'''Test'''		'''Test'''

	[SELECT FROM: Organizational processes for approving, controlling, and monitoring maintenance tools;mechanisms supporting or implementing approval, control, and monitoring of maintenance tools; organizational processes for inspecting maintenance tools;mechanisms supporting or implementing inspection of maintenance tools; organizational process for inspecting media for malicious code; mechanisms supporting or implementing inspection of media used for maintenance].		[SELECT FROM: Organizational processes for approving, controlling, and monitoring maintenance tools; mechanisms supporting or implementing approval, control, and monitoring of maintenance tools; organizational processes for inspecting maintenance tools; mechanisms supporting or implementing inspection of maintenance tools; organizational process for inspecting media for malicious code; mechanisms supporting or implementing inspection of media used for maintenance].
	=== DISCUSSION ===		=== DISCUSSION ===
	This requirement addresses security-related issues with maintenance tools that are not within the organizational system boundaries that process, store, or transmit CUI, but are used specifically for diagnostic and repair actions on those systems. Organizations have flexibility in determining the controls in place for maintenance tools, but can include approving, controlling, and monitoring the use of such tools. Maintenance tools are potential vehicles for transporting malicious code, either intentionally or unintentionally, into a facility and into organizational systems. Maintenance tools can include hardware, software, and firmware items, for example, hardware and software diagnostic test equipment and hardware and software packet sniffers.		This requirement addresses security-related issues with maintenance tools that are not within the organizational system boundaries that process, store, or transmit CUI, but are used specifically for diagnostic and repair actions on those systems. Organizations have flexibility in determining the controls in place for maintenance tools, but can include approving, controlling, and monitoring the use of such tools. Maintenance tools are potential vehicles for transporting malicious code, either intentionally or unintentionally, into a facility and into organizational systems. Maintenance tools can include hardware, software, and firmware items, for example, hardware and software diagnostic test equipment and hardware and software packet sniffers.
	=== FURTHER DISCUSSION ===		=== FURTHER DISCUSSION ===
	Tools used to perform maintenance must remain secure so they do not introduce viruses or other malware into your system.Controlling your maintenance techniques prevents intentional or unintentional harm to your network and systems. Additionally, the personnel responsible for maintenance activities should be supervised considering their elevated privilege on company assets.		Tools used to perform maintenance must remain secure so they do not introduce viruses or other malware into your system. Controlling your maintenance techniques prevents intentional or unintentional harm to your network and systems. Additionally, the personnel responsible for maintenance activities should be supervised considering their elevated privilege on company assets.

	'''Example'''		'''Example'''

	You are responsible for maintenance activities on your company’s machines.To avoid introducing additional vulnerability into the systems you are maintaining, you make sure that all maintenance tools are approved and their usage is monitored and controlled [a,b].You ensure the tools are kept current and up-to-date [a]. You and your backup are the only people authorized to use these tools and perform system maintenance [d].		You are responsible for maintenance activities on your company’s machines. To avoid introducing additional vulnerability into the systems you are maintaining, you make sure that all maintenance tools are approved and their usage is monitored and controlled [a,b]. You ensure the tools are kept current and up-to-date [a]. You and your backup are the only people authorized to use these tools and perform system maintenance [d].

	'''Potential Assessment Considerations'''		'''Potential Assessment Considerations'''

David at 23:06, 15 March 2025

2025-03-15T23:06:22Z

← Older revision		Revision as of 23:06, 15 March 2025
Line 1:		Line 1:
	'''Source of Reference: The official [https://~~www~~.~~acq~~.~~osd.mil~~/cmmc/~~documentation.html~~ CMMC Level 2 Assessment Guide] from the ~~Office of the Under Secretary~~ of Defense ~~Acquisition & Sustainment~~.'''		'''Source of Reference: The official [https://dodcio.defense.gov/cmmc/Resources-Documentation/ CMMC Level 2 Assessment Guide] from the Department of Defense Chief Information Officer (DoD CIO).'''

	For inquiries and reporting errors on this wiki, please [mailto:support@cmmctoolkit.org contact us]. Thank you.		For inquiries and reporting errors on this wiki, please [mailto:support@cmmctoolkit.org contact us]. Thank you.

Wikiadmin: Created page with "'''Source of Reference: The official [https://www.acq.osd.mil/cmmc/documentation.html CMMC Level 2 Assessment Guide] from the Office of the Under Secretary of Defense Acquisition & Sustainment.''' For inquiries and reporting errors on this wiki, please [mailto:support@cmmctoolkit.org contact us]. Thank you. == MA.L2-3.7.2 – SYSTEM MAINTENANCE CONTROL == === SECURITY REQUIREMENT === Provide controls on the tools, techniques, mechanisms, and personnel used to conduct s..."

2022-02-25T23:20:26Z

Created page with "'''Source of Reference: The official [https://www.acq.osd.mil/cmmc/documentation.html CMMC Level 2 Assessment Guide] from the Office of the Under Secretary of Defense Acquisition & Sustainment.''' For inquiries and reporting errors on this wiki, please [mailto:support@cmmctoolkit.org contact us]. Thank you. == MA.L2-3.7.2 – SYSTEM MAINTENANCE CONTROL == === SECURITY REQUIREMENT === Provide controls on the tools, techniques, mechanisms, and personnel used to conduct s..."

New page

'''Source of Reference: The official [https://www.acq.osd.mil/cmmc/documentation.html CMMC Level 2 Assessment Guide] from the Office of the Under Secretary of Defense Acquisition & Sustainment.'''

For inquiries and reporting errors on this wiki, please [mailto:support@cmmctoolkit.org contact us]. Thank you.

== MA.L2-3.7.2 – SYSTEM MAINTENANCE CONTROL ==
=== SECURITY REQUIREMENT ===
Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.
=== ASSESSMENT OBJECTIVES ===
Determine if:
: [a] tools used to conduct system maintenance are controlled;
: [b] techniques used to conduct system maintenance are controlled;
: [c] mechanisms used to conduct system maintenance are controlled; and
: [d] personnel used to conduct system maintenance are controlled.
=== POTENTIAL ASSESSMENT METHODS AND OBJECTS ===
'''Examine'''

[SELECT FROM: System maintenance policy; procedures addressing system maintenance tools and media; maintenance records; system maintenance tools and associated documentation; maintenance tool inspection records; system security plan; other relevant documents or records].

'''Interview'''

[SELECT FROM: Personnel with system maintenance responsibilities;personnel with information security responsibilities].

'''Test'''

[SELECT FROM: Organizational processes for approving, controlling, and monitoring maintenance tools;mechanisms supporting or implementing approval, control, and monitoring of maintenance tools; organizational processes for inspecting maintenance tools;mechanisms supporting or implementing inspection of maintenance tools; organizational process for inspecting media for malicious code; mechanisms supporting or implementing inspection of media used for maintenance].
=== DISCUSSION ===
This requirement addresses security-related issues with maintenance tools that are not within the organizational system boundaries that process, store, or transmit CUI, but are used specifically for diagnostic and repair actions on those systems. Organizations have flexibility in determining the controls in place for maintenance tools, but can include approving, controlling, and monitoring the use of such tools. Maintenance tools are potential vehicles for transporting malicious code, either intentionally or unintentionally, into a facility and into organizational systems. Maintenance tools can include hardware, software, and firmware items, for example, hardware and software diagnostic test equipment and hardware and software packet sniffers.
=== FURTHER DISCUSSION ===
Tools used to perform maintenance must remain secure so they do not introduce viruses or other malware into your system.Controlling your maintenance techniques prevents intentional or unintentional harm to your network and systems. Additionally, the personnel responsible for maintenance activities should be supervised considering their elevated privilege on company assets.

'''Example'''

You are responsible for maintenance activities on your company’s machines.To avoid introducing additional vulnerability into the systems you are maintaining, you make sure that all maintenance tools are approved and their usage is monitored and controlled [a,b].You ensure the tools are kept current and up-to-date [a]. You and your backup are the only people authorized to use these tools and perform system maintenance [d].

'''Potential Assessment Considerations'''
* Are physical or logical access controls used to limit access to maintenance tools to authorized personnel [a]?
* Are physical or logical access controls used to limit access to system documentation and organizational maintenance process documentation to authorized personnel [b]?
* Are physical or logical access controls used to limit access to automated mechanisms (e.g., automated scripts, scheduled jobs) to authorized personnel [c]?
* Are physical or logical access controls used to limit access to the system entry points that enable maintenance (e.g., administrative portals, local and remote console access, and physical equipment panels) to authorized personnel [d]?
=== KEY REFERENCES ===
* NIST SP 800-171 Rev 2 3.7.2