Navigate

CCI-000882

CCI-000882 Definition

The organization requires that nonlocal maintenance and diagnostic services be performed from an information system that implements a security capability comparable to the capability implemented on the system being serviced.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

The organization being inspected/assessed clearly defines in its contracts and/or service level agreements the requirement that any IS used to conduct non-local maintenance and diagnostic services will have a security level at least as high as the security level implemented on the IS being serviced. Alternatively, the organization being inspected/assessed complies with MA-4 (3) CCIs 883 and 1631.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines contracts and/or service level agreements for all non-local maintenance and diagnostic services to ensure that any IS used for those services is required to have security level at least as high as the security level implemented on the IS being serviced. Alternatively, the organization conducting the inspection/assessment ensures the organization being inspected/assessed complies with MA-4 (3) CCIs 883 and 1631.

Compelling Evidence

1.) Policy that states remote maintenance and digital services must be performed from systems that are subject to comparable security controls as the remote computer being serviced

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-000882.

Control	Description
MA-4 (3)	The organization: MA-4 (3)(a): Requires that nonlocal maintenance and diagnostic services be performed from an information system that implements a security capability comparable to the capability implemented on the system being serviced; or MA-4 (3)(b): Removes the component to be serviced from the information system prior to nonlocal maintenance or diagnostic services, sanitizes the component (with regard to organizational information) before removal from organizational facilities, and after the service is performed, inspects and sanitizes the component (with regard to potentially malicious software) before reconnecting the component to the information system.

Control

Description

MA-4 (3)

The organization:

MA-4 (3)(a): Requires that nonlocal maintenance and diagnostic services be performed from an information system that implements a security capability comparable to the capability implemented on the system being serviced; or

MA-4 (3)(b): Removes the component to be serviced from the information system prior to nonlocal maintenance or diagnostic services, sanitizes the component (with regard to organizational information) before removal from organizational facilities, and after the service is performed, inspects and sanitizes the component (with regard to potentially malicious software) before reconnecting the component to the information system.