Navigate

CCI-000895

CCI-000895 Definition

Require that, prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances or formal access approvals, all volatile information storage components within the system be sanitized and all nonvolatile storage media be removed or physically disconnected from the system and secured.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

The organization being inspected/assessed documents and implements a process to sanitize, remove, or physically disconnect all nonvolatile storage media from the system prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances or formal access approvals.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed sanitizes, removes, or physically disconnects all nonvolatile storage media from the system prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances or formal access approvals.

Compelling Evidence

1.) Policy for sanitizing work areas when uncleared maintenance personnel are present

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-000895.

Control	Description
MA-5(1)	The organization: (a): Implements procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens, that include the following requirements: (1): Maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals are escorted and supervised during the performance of maintenance and diagnostic activities on the information system by approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified; (2): Prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances or formal access approvals, all volatile information storage components within the information system are sanitized and all nonvolatile storage media are removed or physically disconnected from the system and secured; and (b): Develops and implements alternate security safeguards in the event an information system component cannot be sanitized, removed, or disconnected from the system.

Control

Description

MA-5(1)

The organization:

(a): Implements procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens, that include the following requirements:
- (1): Maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals are escorted and supervised during the performance of maintenance and diagnostic activities on the information system by approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified;
- (2): Prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances or formal access approvals, all volatile information storage components within the information system are sanitized and all nonvolatile storage media are removed or physically disconnected from the system and secured; and

(b): Develops and implements alternate security safeguards in the event an information system component cannot be sanitized, removed, or disconnected from the system.