Practice MA.L2-3.7.1 Details: Difference between revisions
(Created page with "'''Source of Reference: The official [https://www.acq.osd.mil/cmmc/documentation.html CMMC Level 2 Assessment Guide] from the Office of the Under Secretary of Defense Acquisition & Sustainment.''' For inquiries and reporting errors on this wiki, please [mailto:support@cmmctoolkit.org contact us]. Thank you. == MA.L2-3.7.1 – PERFORM MAINTENANCE == === SECURITY REQUIREMENT === Perform maintenance on organizational systems.=== ASSESSMENT OBJECTIVES === Determine if: : [...") |
No edit summary |
||
Line 5: | Line 5: | ||
== MA.L2-3.7.1 – PERFORM MAINTENANCE == | == MA.L2-3.7.1 – PERFORM MAINTENANCE == | ||
=== SECURITY REQUIREMENT === | === SECURITY REQUIREMENT === | ||
Perform maintenance on organizational systems.=== ASSESSMENT OBJECTIVES === | Perform maintenance on organizational systems. | ||
=== ASSESSMENT OBJECTIVES === | |||
Determine if: | Determine if: | ||
: [a] system maintenance is performed. | : [a] system maintenance is performed. |
Latest revision as of 23:21, 25 February 2022
Source of Reference: The official CMMC Level 2 Assessment Guide from the Office of the Under Secretary of Defense Acquisition & Sustainment.
For inquiries and reporting errors on this wiki, please contact us. Thank you.
MA.L2-3.7.1 – PERFORM MAINTENANCE
SECURITY REQUIREMENT
Perform maintenance on organizational systems.
ASSESSMENT OBJECTIVES
Determine if:
- [a] system maintenance is performed.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine
[SELECT FROM: System maintenance policy;procedures addressing controlled system maintenance; maintenance records; manufacturer or vendor maintenance specifications;equipment sanitization records; media sanitization records; system security plan; other relevant documents or records].
Interview
[SELECT FROM: Personnel with system maintenance responsibilities;personnel with information security responsibilities; personnel responsible for media sanitization; system or network administrators].
Test
[SELECT FROM: Organizational processes for scheduling, performing, documenting, reviewing, approving, and monitoring maintenance and repairs for systems; organizational processes for sanitizing system components;mechanisms supporting or implementing controlled maintenance; mechanisms implementing sanitization of system components].
DISCUSSION
This requirement addresses the information security aspects of the system maintenance program and applies to all types of maintenance to any system component (including hardware, firmware, applications) conducted by any local or nonlocal entity.System maintenance also includes those components not directly associated with information processing and data or information retention such as scanners, copiers, and printers.
FURTHER DISCUSSION
One common form of computer security maintenance is regular patching of discovered vulnerabilities in software and operating systems, though there are others that require attention.
System maintenance includes:
- corrective maintenance (e.g., repairing problems with the technology);
- preventative maintenance (e.g., updates to prevent potential problems);
- adaptive maintenance (e.g., changes to the operative environment); and
- perfective maintenance (e.g., improve operations).
Example
You are responsible for maintenance activities on your company’s machines. This includes regular planned maintenance, unscheduled maintenance, reconfigurations when required, and damage repairs [a]. You know that failing to conduct maintenance activities can impact system security and availability, so you ensure that maintenance is regularly performed. You track all maintenance performed to assist with troubleshooting later if needed.
Potential Assessment Considerations
- Are systems, devices, and supporting systems maintained per manufacturer recommendations or company defined schedules [a]?
KEY REFERENCES
- NIST SP 800-171 Rev 2 3.7.1