OVERVIEW (MA-1)

This policy addresses the requirements set forth to implement the family of Maintenance controls.

All equipment is hosted in a FedRAMP accredited data center (Microsoft Azure Government Cloud). All physical servers, storage devices, network equipment and other infrastructure is owned and maintained by the hosting partner.

CONTROLLED MAINTENANCE (MA-2)

As per FedRAMP, hosting partner must:

  1. Schedule, perform, document, and review records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements
  2. Approve and monitor all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location
  3. Require that personnel explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs
  4. Sanitize equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs
  5. Check all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions
  6. Include maintenance-related information in organizational maintenance records.

NONLOCAL MAINTENANCE (MA-4)

As per FedRAMP, hosting partner must:

  1. Approve and monitor nonlocal maintenance and diagnostic activities
  2. Allow the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the information system
  3. Employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions
  4. Maintain records for nonlocal maintenance and diagnostic activities
  5. Terminate session and network connections when nonlocal maintenance is completed.

MAINTENANCE PERSONNEL (MA-5)

As per FedRAMP, hosting partner must:

  1. Establish a process for maintenance personnel authorization and maintain a list of authorized maintenance organizations or personnel
  2. Ensure that non-escorted personnel performing maintenance on the information system have required access authorizations
  3. Designate organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.

AUDIT

  • Annual Hosting Partner Review (PE001) to ensure FedRAMP accreditation (e.g. maintenance is being performed as per this policy)
  • Annual Management Review (MR002) includes review of this policy.