CCI-000882

Require that nonlocal maintenance and diagnostic services be performed from a system that implements a security capability comparable to the capability implemented on the system being serviced.

Implementation Guidance

The organization being inspected/assessed clearly defines in its contracts and/or service level agreements the requirement that any IS used to conduct non-local maintenance and diagnostic services will have a security level at least as high as the security level implemented on the IS being serviced. Alternatively, the organization being inspected/assessed complies with MA-4 (3) CCIs 883 and 1631.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines contracts and/or service level agreements for all non-local maintenance and diagnostic services to ensure that any IS used for those services is required to have security level at least as high as the security level implemented on the IS being serviced. Alternatively, the organization conducting the inspection/assessment ensures the organization being inspected/assessed complies with MA-4 (3) CCIs 883 and 1631.

Compelling Evidence

1.) Policy that states remote maintenance and digital services must be performed from systems that are subject to comparable security controls as the remote computer being serviced

The controls below (if any) were marked by NIST as being related to CCI-000882.