Level 5 CMMC - CMMC Practices

MA.2.112

Reference: CMMC 1.02

Family: MA

Level Introduced: 2

Practice:
Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.

CMMC Clarification:
Protect the tools used to perform maintenance. They must remain secure so they don’t introduce software viruses or other bugs into your system. Protect your maintenance processes so they aren’t used to hurt your network. Supervise the people responsible for maintenance activities. Make sure they don’t behave in a malicious manner.

Example:
You are responsible for maintenance activities on your company’s machines. These activities can introduce software viruses or bugs into your system. To prevent this, make sure your maintenance tools are protected from unauthorized access. Also, confirm that your organization manages or supervises everyone assigned to perform maintenance.

3.7.2

Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.

Discussion:
This requirement addresses security-related issues with maintenance tools that are not within the organizational system boundaries that process, store, or transmit CUI, but are used specifically for diagnostic and repair actions on those systems. Organizations have flexibility in determining the controls in place for maintenance tools, but can include approving, controlling, and monitoring the use of such tools. Maintenance tools are potential vehicles for transporting malicious code, either intentionally or unintentionally, into a facility and into organizational systems. Maintenance tools can include hardware, software, and firmware items, for example, hardware and software diagnostic test equipment and hardware and software packet sniffers.

Source: NIST Special Publication 800-171 Rev. 2

MA-3

MAINTENANCE TOOLS

Description:
The organization approves, controls, and monitors information system maintenance tools.

Supplemental Guidance:
This control addresses security-related issues associated with maintenance tools used specifically for diagnostic and repair actions on organizational information systems. Maintenance tools can include hardware, software, and firmware items. Maintenance tools are potential vehicles for transporting malicious code, either intentionally or unintentionally, into a facility and subsequently into organizational information systems. Maintenance tools can include, for example, hardware/software diagnostic test equipment and hardware/software packet sniffers. This control does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing “ping,” “ls,” “ipconfig,” or the hardware and software implementing the monitoring port of an Ethernet switch. Related controls: MA-2, MA-5, MP-6.

Source: NIST Special Publication 800-53 Rev. 4

Source: CMMC v1.02