NIST 800-53 REV 5 • MAINTENANCE
MA-4(6) — Cryptographic Protection
Implement the following cryptographic mechanisms to protect the integrity and confidentiality of nonlocal maintenance and diagnostic communications: {{ insert: param, ma-04.06_odp }}.
Supplemental Guidance
Failure to protect nonlocal maintenance and diagnostic communications can result in unauthorized individuals gaining access to organizational information. Unauthorized access during remote maintenance sessions can result in a variety of hostile actions, including malicious code insertion, unauthorized changes to system parameters, and exfiltration of organizational information. Such actions can result in the loss or degradation of mission or business capabilities.
Practitioner Notes
All remote maintenance and diagnostic communications must be protected by mechanisms that provide both confidentiality and integrity, so that a network observer can neither read the session nor alter it in transit. Encryption alone covers the first property; use authenticated encryption or an integrity check (a MAC) for the second, which standard SSH and TLS configurations already do. Plaintext remote access tools (Telnet, rlogin, unauthenticated HTTP consoles, SNMP v1/v2c) are not acceptable for system maintenance, and the specific cryptographic mechanisms the organization requires are what goes into the control's parameter.
Example 1: Require all remote maintenance connections to use encrypted protocols: SSH instead of Telnet, HTTPS instead of HTTP, SNMPv3 (authPriv) instead of SNMP v1/v2c, and RDP configured to require TLS with Network Level Authentication and reached over a VPN rather than exposed directly (NLA authenticates the client before the session starts; it is the TLS setting, not NLA, that protects the traffic). Block unencrypted management protocols at the firewall, and verify the result: a listening-socket inventory or port scan of each managed host should show no plaintext management service bound to a non-loopback address.
Example 2: Configure your VPN concentrator to use TLS 1.2 or higher with FIPS-validated cryptographic modules, disabling TLS 1.0/1.1 and any cipher suites outside the module's security policy; if the VPN is IPsec-based, apply the same rule to the IKE and ESP transforms. If using Azure, enable Azure Bastion, which provides RDP and SSH sessions over TLS (port 443) through the Azure portal without exposing the VMs' management ports (3389/22) to the internet.
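The verification step behind Examples 1 and 2 can be scripted on the managed host itself. The following is an added example, not part of the NIST text or any vendor tool: it parses `ss -tlnp` output to flag plaintext management services bound to a non-loopback address, and parses `sshd -T` (the effective server configuration) to flag ciphers, MACs and key-exchange algorithms that fall outside an allowlist. Both inputs are constructed samples, and the allowlist is an assumed example policy modelled on what an OpenSSH build running in FIPS mode commonly offers; substitute the list from your validated module's security policy before relying on it.

```python
"""Host-side check for MA-4(6): plaintext management listeners and off-policy
SSH algorithms.  Added example; all inputs below are constructed samples."""
import ipaddress
import re

# --- Constructed sample inputs (not captured from a real system) --------------
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      5      0.0.0.0:23         0.0.0.0:*         users:(("telnetd",pid=901,fd=4))
LISTEN 0      511    0.0.0.0:80         0.0.0.0:*         users:(("nginx",pid=1203,fd=6))
LISTEN 0      511    [::]:443           [::]:*            users:(("nginx",pid=1203,fd=7))
LISTEN 0      128    127.0.0.1:5900     0.0.0.0:*         users:(("Xvnc",pid=1402,fd=9))
"""

SAMPLE_SSHD_T = """\
port 22
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes256-gcm@openssh.com
macs umac-64-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512
kexalgorithms curve25519-sha256,ecdh-sha2-nistp256,diffie-hellman-group14-sha256
"""

# Well-known ports whose default protocol carries management traffic in the clear.
PLAINTEXT_MGMT_PORTS = {
    21: "ftp", 23: "telnet", 80: "http", 161: "snmp v1/v2c",
    512: "rexec", 513: "rlogin", 514: "rsh", 5900: "vnc", 8080: "http-alt",
}

# Assumed example policy (not a FIPS 140 determination): algorithms a FIPS-mode
# OpenSSH build commonly offers.  Replace with your validated module's own list.
SSH_POLICY = {
    "ciphers": {"aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
                "aes128-ctr", "aes192-ctr", "aes256-ctr"},
    "macs": {"hmac-sha2-256", "hmac-sha2-512",
             "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com"},
    "kexalgorithms": {"ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
                      "diffie-hellman-group14-sha256", "diffie-hellman-group16-sha512"},
}

_PROC_RE = re.compile(r'\("([^"]+)"')  # first process name in the users:(...) column


def parse_listeners(ss_output):
    """Yield (address, port, process) for each LISTEN row of `ss -tlnp` output."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header line or non-listening row
        addr, port = fields[3].rsplit(":", 1)  # handles "[::]:443" and "*:22"
        addr = addr.strip("[]")
        m = _PROC_RE.search(line)
        yield addr, int(port), (m.group(1) if m else "?")


def _is_loopback(addr):
    """'*' and the unspecified addresses mean 'all interfaces', i.e. exposed."""
    if addr in ("*", "0.0.0.0", "::"):
        return False
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def find_plaintext_listeners(ss_output):
    """Plaintext management services reachable from outside the host.
    A loopback-only listener (e.g. VNC reached through an SSH tunnel) is not a finding."""
    return [
        {"port": port, "protocol": PLAINTEXT_MGMT_PORTS[port], "process": proc}
        for addr, port, proc in parse_listeners(ss_output)
        if port in PLAINTEXT_MGMT_PORTS and not _is_loopback(addr)
    ]


def parse_sshd_t(sshd_t_output):
    """Parse `sshd -T` effective-config lines into {keyword: [values]}."""
    cfg = {}
    for line in sshd_t_output.splitlines():
        key, _, value = line.partition(" ")
        if key:
            cfg[key.lower()] = value.split(",")
    return cfg


def find_offpolicy_ssh_algorithms(sshd_t_output, policy=SSH_POLICY):
    """Return {keyword: [algorithms sshd offers that the policy does not allow]},
    omitting keywords with no findings."""
    cfg = parse_sshd_t(sshd_t_output)
    report = {}
    for key, allowed in policy.items():
        bad = [alg for alg in cfg.get(key, []) if alg not in allowed]
        if bad:
            report[key] = bad
    return report


def audit(ss_output=SAMPLE_SS_OUTPUT, sshd_t_output=SAMPLE_SSHD_T):
    """Run both checks; empty lists/dicts mean the host passed."""
    return {
        "plaintext_listeners": find_plaintext_listeners(ss_output),
        "ssh_offpolicy": find_offpolicy_ssh_algorithms(sshd_t_output),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(audit(), indent=2))
```

On the sample data the audit flags telnetd on port 23 and the plaintext nginx listener on port 80, but not the VNC server bound to 127.0.0.1, since a loopback-only service is only reachable through an already-encrypted tunnel. The sshd check reports chacha20-poly1305, umac-64 and curve25519 as off-policy; whether those are actually disallowed depends on the security policy of the cryptographic module you have validated, which is why the allowlist is a parameter rather than a hard-coded truth. Run it against real output with `ss -tlnp` and `sudo sshd -T` piped in place of the samples.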