NIST 800-53 REV 5 • MAINTENANCE

MA-4(3) Comparable Security and Sanitization

Require that nonlocal maintenance and diagnostic services be performed from a system that implements a security capability comparable to the capability implemented on the system being serviced; or Remove the component to be serviced from the system prior to nonlocal maintenance or diagnostic services; sanitize the component (for organizational information); and after the service is performed, inspect and sanitize the component (for potentially malicious software) before reconnecting the component to the system.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Comparable security capability on systems, diagnostic tools, and equipment providing maintenance services implies that the implemented controls on those systems, tools, and equipment are at least as comprehensive as the controls on the system being serviced.

Practitioner Notes

If remote maintenance is performed from an external system, that system needs to have security controls comparable to what you would require internally. Alternatively, sanitize the affected component before reconnecting it to your network.

Example 1: Require vendors performing remote maintenance to complete a security questionnaire confirming their maintenance systems meet your standards: current patches, endpoint protection, encrypted connections, MFA. Include this requirement in your vendor contracts.

Example 2: After a vendor completes remote maintenance on a system, run a STIG compliance scan (using SCAP tools or STIG Viewer) to verify the system still meets your security baseline. Address any new findings before returning the system to production.
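One way to carry out the "address any new findings" step in Example 2, as an added example that is not from this page: compare the XCCDF result file from a scan taken before maintenance with the one taken afterwards and list the rules that newly fail. The XCCDF 1.2 namespace is the real one used by SCAP result files; the rule IDs and the embedded result XML are constructed placeholders, not real STIG identifiers.

```python
import xml.etree.ElementTree as ET

# XCCDF 1.2 namespace used by SCAP result files (e.g. oscap "--results" output)
XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"

def parse_rule_results(xml_text):
    """Map each rule idref in a TestResult to its result string (pass/fail/...)."""
    root = ET.fromstring(xml_text)
    results = {}
    for rr in root.iter(f"{{{XCCDF_NS}}}rule-result"):
        res = rr.find(f"{{{XCCDF_NS}}}result")
        if res is not None and res.text:
            results[rr.get("idref")] = res.text.strip()
    return results

def new_findings(before, after):
    """Rules failing after maintenance that did not fail before: regressions
    plus rules that were not present in the baseline scan at all."""
    return sorted(rid for rid, res in after.items()
                  if res == "fail" and before.get(rid) != "fail")

# Constructed sample results; rule IDs are placeholders, not real STIG rule IDs.
PRE_SCAN = f"""<TestResult xmlns="{XCCDF_NS}" id="xccdf_example_testresult_pre">
  <rule-result idref="xccdf_example_rule_ssh_no_root_login"><result>pass</result></rule-result>
  <rule-result idref="xccdf_example_rule_audit_enabled"><result>pass</result></rule-result>
  <rule-result idref="xccdf_example_rule_telnet_removed"><result>fail</result></rule-result>
</TestResult>"""

POST_SCAN = f"""<TestResult xmlns="{XCCDF_NS}" id="xccdf_example_testresult_post">
  <rule-result idref="xccdf_example_rule_ssh_no_root_login"><result>fail</result></rule-result>
  <rule-result idref="xccdf_example_rule_audit_enabled"><result>pass</result></rule-result>
  <rule-result idref="xccdf_example_rule_telnet_removed"><result>fail</result></rule-result>
  <rule-result idref="xccdf_example_rule_vendor_tool_removed"><result>fail</result></rule-result>
</TestResult>"""

def regression_report(pre_xml=PRE_SCAN, post_xml=POST_SCAN):
    """Return newly failing rules; an empty list means the baseline still holds."""
    return new_findings(parse_rule_results(pre_xml), parse_rule_results(post_xml))

if __name__ == "__main__":
    for rule in regression_report():
        print("NEW FINDING:", rule)
```

The pre-existing telnet finding is deliberately excluded so the report shows only what the maintenance session changed; a non-empty list blocks the return to production until each rule is remediated or documented.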