zydronium/manage.get.gov
1
0
Fork 0
mirror of https://github.com/cisagov/manage.get.gov.git synced 2025-08-02 16:02:15 +02:00
Code Issues Projects Releases Packages Wiki Activity
manage.get.gov/docs/compliance/dist/system-security-plans/ato/ma-5.md
Logan McDonald 8d493d2e44
Document things cloud.gov CRM fully supports (#122) 
* document things cloud.gov crm fully supports

* run make assemble
2022-10-13 10:36:44 -04:00

2.8 KiB
Raw Blame History

implementation-status control-origination
c-implemented
c-inherited-cloud-gov

ma-5 - [catalog] Maintenance Personnel

Control Statement

  • [a] Establish a process for maintenance personnel authorization and maintain a list of authorized maintenance organizations or personnel;

  • [b] Verify that non-escorted personnel performing maintenance on the system possess the required access authorizations; and

  • [c] Designate organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.

Control guidance

Maintenance personnel refers to individuals who perform hardware or software maintenance on organizational systems, while PE-2 addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems. Technical competence of supervising individuals relates to the maintenance performed on the systems, while having required access authorizations refers to maintenance on and near the systems. Individuals not previously identified as authorized maintenance personnel—such as information technology manufacturers, vendors, systems integrators, and consultants—may require privileged access to organizational systems, such as when they are required to conduct maintenance activities with little or no notice. Based on organizational assessments of risk, organizations may issue temporary credentials to these individuals. Temporary credentials may be for one-time use or for very limited time periods.

Control assessment-objective

a process for maintenance personnel authorization is established; a list of authorized maintenance organizations or personnel is maintained; non-escorted personnel performing maintenance on the system possess the required access authorizations; organizational personnel with required access authorizations and technical competence is/are designated to supervise the maintenance activities of personnel who do not possess the required access authorizations.

What is the solution and how is it implemented?

Implementation a.

Customer applications fully inherit this control from cloud.gov.

Implementation b.

Customer applications fully inherit this control from cloud.gov.

Implementation c.

Customer applications fully inherit this control from cloud.gov.