An error occurred:

CCIs

Number Definition Status Related
CCI-000871 Prevent the unauthorized removal of maintenance equipment containing organizational information by: (a) verifying that there is no organizational information contained on the equipment; (b) sanitizing or destroying the equipment; (c) retaining the equipment within the facility; or (d) obtaining an exemption from organization-defined personnel or roles explicitly authorizing removal of the equipment from the facility. Draft MA-3(3)
CCI-000872 The organization employs automated mechanisms to restrict the use of maintenance tools to authorized personnel only. Draft
CCI-000873 Approve nonlocal maintenance and diagnostic activities. Draft MA-4
CCI-000874 Monitor nonlocal maintenance and diagnostic activities. Draft MA-4
CCI-000875 The organization controls non-local maintenance and diagnostic activities. Draft
CCI-000876 Allow the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the system. Draft MA-4
CCI-000877 Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions. Draft MA-4
CCI-000878 Maintain records for nonlocal maintenance and diagnostic activities. Draft MA-4
CCI-000879 The organization terminates sessions and network connections when nonlocal maintenance is completed. Draft MA-4
CCI-000880 The organization audits non-local maintenance and diagnostic sessions. Draft
CCI-000881 The organization documents, in the security plan for the information system, the policies and procedures for the establishment and use of nonlocal maintenance and diagnostic connections. Draft MA-4(2)
CCI-000882 Require that nonlocal maintenance and diagnostic services be performed from a system that implements a security capability comparable to the capability implemented on the system being serviced. Draft MA-4(3)
CCI-000883 Remove the component to be serviced from the system prior to nonlocal maintenance or diagnostic services; sanitize the component (for organizational information). Draft MA-4(3)
CCI-000884 Protect nonlocal maintenance sessions by employing organization-defined authenticators that are replay resistant. Draft MA-4(4)
CCI-000885 The organization requires that maintenance personnel notify organization-defined personnel when non-local maintenance is planned (i.e., date/time). Draft
CCI-000886 Defines the personnel or roles to be notified of the date and time of planned nonlocal maintenance. Draft MA-4(5)
CCI-000887 Require the approval of each nonlocal maintenance session by organization-defined personnel or roles. Draft MA-4(5)
CCI-000888 The organization employs cryptographic mechanisms to protect the integrity and confidentiality of non-local maintenance and diagnostic communications. Draft
CCI-000889 The organization employs remote disconnect verification at the termination of non-local maintenance and diagnostic sessions. Draft
CCI-000890 Establish a process for maintenance personnel authorization. Draft MA-5
CCI-000891 Maintain a list of authorized maintenance organizations or personnel. Draft MA-5
CCI-000892 The organization ensures that personnel performing maintenance on the information system have required access authorizations or designates organizational personnel with required access authorizations and technical competence deemed necessary to supervise information system maintenance. Draft
CCI-000893 Implement procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens. Draft MA-5(1)
CCI-000894 Requires maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals to be escorted and supervised during the performance of maintenance and diagnostic activities on the system by approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified. Draft MA-5(1)
CCI-000895 Require that, prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances or formal access approvals, all volatile information storage components within the system be sanitized and all nonvolatile storage media be removed or physically disconnected from the system and secured. Draft MA-5(1)
CCI-000896 The organization requires that in the event an information system component cannot be sanitized, the procedures contained in the security plan for the system be enforced. Draft
CCI-000897 Verify that personnel performing maintenance and diagnostic activities on a system processing, storing, or transmitting classified information possess security clearances and formal access approvals for at least the highest classification level and for all compartments of information on the system. Draft MA-5(2)
CCI-000898 Verify that personnel performing maintenance and diagnostic activities on a system processing, storing, or transmitting classified information are U.S. citizens. Draft MA-5(3)
CCI-000899 Ensure that cleared foreign nationals with appropriate security clearances are used to conduct maintenance and diagnostic activities on classified systems only when the systems are jointly owned and operated by the United States and foreign allied governments, or owned and operated solely by foreign allied governments. Draft MA-5(4)
CCI-000900 Ensure that that approvals, consents, and detailed operational conditions regarding the use of foreign nationals to conduct maintenance and diagnostic activities on classified systems are fully documented within Memoranda of Agreements. Draft MA-5(4)