MA-04 Nonlocal Maintenance
a. Approve and monitor nonlocal maintenance and diagnostic activities;
b. Allow the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the system;
c. Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions;
d. Maintain records for nonlocal maintenance and diagnostic activities; and
e. Terminate session and network connections when nonlocal maintenance is completed.
Baselines
- L
- M
- H
- P
Guidance
Nonlocal maintenance and diagnostic activities are conducted by individuals who communicate through either an external or internal network. Local maintenance and diagnostic activities are carried out by individuals who are physically present at the system location and not communicating across a network connection. Authentication techniques used to establish nonlocal maintenance and diagnostic sessions reflect the network access requirements in IA-2. Strong authentication requires authenticators that are resistant to replay attacks and employ multi-factor authentication. Strong authenticators include PKI where certificates are stored on a token protected by a password, passphrase, or biometric. Enforcing requirements in MA-4 is accomplished, in part, by other controls. [SP 800-63B](#e59c5a7c-8b1f-49ca-8de0-6ee0882180ce) provides additional guidance on strong authentication and authenticators.
References
- FIPS 140-3 National Institute of Standards and Technology (2019) Security Requirements for Cryptographic Modules. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 140-3.
- FIPS 197 National Institute of Standards and Technology (2001) Advanced Encryption Standard (AES). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 197.
- FIPS 201-2 National Institute of Standards and Technology (2013) Personal Identity Verification (PIV) of Federal Employees and Contractors. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 201-2.
- SP 800-63-3 Grassi PA, Garcia ME, Fenton JL (2017) Digital Identity Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63-3, Includes updates as of March 2, 2020.
- SP 800-88 Kissel RL, Regenscheid AR, Scholl MA, Stine KM (2014) Guidelines for Media Sanitization. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-88, Rev. 1.
Control Enhancements
- MA-04(01) Logging and Review L M H P
- MA-04(02) Document Nonlocal Maintenance
- MA-04(03) Comparable Security and Sanitization L M H P
- MA-04(04) Authentication and Separation of Maintenance Sessions L M H P
- MA-04(05) Approvals and Notifications L M H P
- MA-04(06) Cryptographic Protection L M H P
- MA-04(07) Disconnect Verification L M H P
Related Controls
- AC-02 Account Management L M H P
- AC-03 Access Enforcement L M H P
- AC-06 Least Privilege L M H P
- AC-17 Remote Access L M H P
- AU-02 Event Logging L M H P
- AU-03 Content of Audit Records L M H P
- IA-02 Identification and Authentication (Organizational Users) L M H P
- IA-04 Identifier Management L M H P
- IA-05 Authenticator Management L M H P
- IA-08 Identification and Authentication (Non-organizational Users) L M H P
- MA-02 Controlled Maintenance L M H P
- MA-05 Maintenance Personnel L M H P
- PL-02 System Security and Privacy Plans L M H P
- SC-07 Boundary Protection L M H P
- SC-10 Network Disconnect L M H P