compliance controls are associated with this Policy definition 'Maintain list of authorized remote maintenance personnel' (4ce91e4e-6dab-3c46-011a-aa14ae1561bf)
| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| FedRAMP_High_R4 |
MA-5 |
FedRAMP_High_R4_MA-5 |
FedRAMP High MA-5 |
Maintenance |
Maintenance Personnel |
Shared |
n/a |
The organization:
a. Establishes a process for maintenance personnel authorization and maintains a list of authorized maintenance organizations or personnel;
b. Ensures that non-escorted personnel performing maintenance on the information system have required access authorizations; and
c. Designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.
Supplemental Guidance: This control applies to individuals performing hardware or software maintenance on organizational information systems, while PE-2 addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems (e.g., custodial staff, physical plant maintenance personnel). Technical competence of supervising individuals relates to the maintenance performed on the information systems while having required access authorizations refers to maintenance on and near the systems. Individuals not previously identified as authorized maintenance personnel, such as information technology manufacturers, vendors, systems integrators, and consultants, may require privileged access to organizational information systems, for example, when required to conduct maintenance activities with little or no notice. Based on organizational assessments of risk, organizations may issue temporary credentials to these individuals. Temporary credentials may be for one-time use or for very limited time periods. Related controls: AC-2, IA-8, MP-2, PE-2, PE-3, PE-4, RA-3.
References: None. |
link |
3 |
| FedRAMP_Moderate_R4 |
MA-5 |
FedRAMP_Moderate_R4_MA-5 |
FedRAMP Moderate MA-5 |
Maintenance |
Maintenance Personnel |
Shared |
n/a |
The organization:
a. Establishes a process for maintenance personnel authorization and maintains a list of authorized maintenance organizations or personnel;
b. Ensures that non-escorted personnel performing maintenance on the information system have required access authorizations; and
c. Designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.
Supplemental Guidance: This control applies to individuals performing hardware or software maintenance on organizational information systems, while PE-2 addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems (e.g., custodial staff, physical plant maintenance personnel). Technical competence of supervising individuals relates to the maintenance performed on the information systems while having required access authorizations refers to maintenance on and near the systems. Individuals not previously identified as authorized maintenance personnel, such as information technology manufacturers, vendors, systems integrators, and consultants, may require privileged access to organizational information systems, for example, when required to conduct maintenance activities with little or no notice. Based on organizational assessments of risk, organizations may issue temporary credentials to these individuals. Temporary credentials may be for one-time use or for very limited time periods. Related controls: AC-2, IA-8, MP-2, PE-2, PE-3, PE-4, RA-3.
References: None. |
link |
3 |
| hipaa |
18109.08j1Organizational.4-08.j |
hipaa-18109.08j1Organizational.4-08.j |
18109.08j1Organizational.4-08.j |
18 Physical & Environmental Security |
18109.08j1Organizational.4-08.j 08.02 Equipment Security |
Shared |
n/a |
The organization maintains a list of authorized maintenance organizations or personnel, ensures that non-escorted personnel performing maintenance on the information system have required access authorizations, and designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations. |
|
4 |
| hipaa |
1819.08j1Organizational.23-08.j |
hipaa-1819.08j1Organizational.23-08.j |
1819.08j1Organizational.23-08.j |
18 Physical & Environmental Security |
1819.08j1Organizational.23-08.j 08.02 Equipment Security |
Shared |
n/a |
Maintenance and service are controlled and conducted by authorized personnel in accordance with supplier-recommended intervals, insurance policies and the organization’s maintenance program, taking into account whether this maintenance is performed by personnel on site or external to the organization. |
|
7 |
| ISO27001-2013 |
A.11.1.2 |
ISO27001-2013_A.11.1.2 |
ISO 27001:2013 A.11.1.2 |
Physical And Environmental Security |
Physical entry controls |
Shared |
n/a |
Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access. |
link |
9 |
|
mp.if.1 Separate areas with access control |
mp.if.1 Separate areas with access control |
404 not found |
|
|
|
n/a |
n/a |
|
23 |
|
mp.if.2 Identification of persons |
mp.if.2 Identification of persons |
404 not found |
|
|
|
n/a |
n/a |
|
13 |
|
mp.if.7 Recording of entries and exits of equipment |
mp.if.7 Recording of entries and exits of equipment |
404 not found |
|
|
|
n/a |
n/a |
|
12 |
|
mp.si.4 Transport |
mp.si.4 Transport |
404 not found |
|
|
|
n/a |
n/a |
|
24 |
| NIST_SP_800-171_R2_3 |
.7.6 |
NIST_SP_800-171_R2_3.7.6 |
NIST SP 800-171 R2 3.7.6 |
Maintenance |
Supervise the maintenance activities of maintenance personnel without required access authorization. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
This requirement applies to individuals who are performing hardware or software maintenance on organizational systems, while 3.10.1 addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems (e.g., custodial staff, physical plant maintenance personnel). Individuals not previously identified as authorized maintenance personnel, such as information technology manufacturers, vendors, consultants, and systems integrators, may require privileged access to organizational systems, for example, when required to conduct maintenance activities with little or no notice. Organizations may choose to issue temporary credentials to these individuals based on organizational risk assessments. Temporary credentials may be for one-time use or for very limited time periods. |
link |
3 |
| NIST_SP_800-53_R4 |
MA-5 |
NIST_SP_800-53_R4_MA-5 |
NIST SP 800-53 Rev. 4 MA-5 |
Maintenance |
Maintenance Personnel |
Shared |
n/a |
The organization:
a. Establishes a process for maintenance personnel authorization and maintains a list of authorized maintenance organizations or personnel;
b. Ensures that non-escorted personnel performing maintenance on the information system have required access authorizations; and
c. Designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.
Supplemental Guidance: This control applies to individuals performing hardware or software maintenance on organizational information systems, while PE-2 addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems (e.g., custodial staff, physical plant maintenance personnel). Technical competence of supervising individuals relates to the maintenance performed on the information systems while having required access authorizations refers to maintenance on and near the systems. Individuals not previously identified as authorized maintenance personnel, such as information technology manufacturers, vendors, systems integrators, and consultants, may require privileged access to organizational information systems, for example, when required to conduct maintenance activities with little or no notice. Based on organizational assessments of risk, organizations may issue temporary credentials to these individuals. Temporary credentials may be for one-time use or for very limited time periods. Related controls: AC-2, IA-8, MP-2, PE-2, PE-3, PE-4, RA-3.
References: None. |
link |
3 |
| NIST_SP_800-53_R5 |
MA-5 |
NIST_SP_800-53_R5_MA-5 |
NIST SP 800-53 Rev. 5 MA-5 |
Maintenance |
Maintenance Personnel |
Shared |
n/a |
a. Establish a process for maintenance personnel authorization and maintain a list of authorized maintenance organizations or personnel;
b. Verify that non-escorted personnel performing maintenance on the system possess the required access authorizations; and
c. Designate organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations. |
link |
3 |