NIST 800-53 REV 5 • MAINTENANCE

MA-3(3) Prevent Unauthorized Removal

Prevent the removal of maintenance equipment containing organizational information by:

(a) Verifying that there is no organizational information contained on the equipment;
(b) Sanitizing or destroying the equipment;
(c) Retaining the equipment within the facility; or
(d) Obtaining an exemption from {{ insert: param, ma-03.03_odp }} explicitly authorizing removal of the equipment from the facility.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Organizational information includes all information owned by organizations and any information provided to organizations for which the organizations serve as information stewards.

Practitioner Notes

Maintenance equipment that has been connected to your systems may contain organizational data. You need to prevent that equipment from leaving with your data still on it.

Example 1: Before a vendor technician leaves your facility, have your security team verify that no organizational data remains on their tools or laptops. Check any files created during the session, clear temp files, and document the verification in the maintenance record.

Example 2: Implement a sign-in/sign-out process for maintenance equipment at your facility entrance. When equipment leaves, a supervisor verifies that storage media has been sanitized. Use a checklist: was equipment connected to the network? Did it access any data stores? Were temp files cleared?