implementation-status | control-origination | ||
---|---|---|---|
|
|
ma-4 - [catalog] Nonlocal Maintenance
Control Statement
- [a] Approve and monitor nonlocal maintenance and diagnostic activities;
- [b] Allow the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the system;
- [c] Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions;
- [d] Maintain records for nonlocal maintenance and diagnostic activities; and
- [e] Terminate session and network connections when nonlocal maintenance is completed.
Control guidance
Nonlocal maintenance and diagnostic activities are conducted by individuals who communicate through either an external or internal network. Local maintenance and diagnostic activities are carried out by individuals who are physically present at the system location and not communicating across a network connection. Authentication techniques used to establish nonlocal maintenance and diagnostic sessions reflect the network access requirements in IA-2. Strong authentication requires authenticators that are resistant to replay attacks and employ multi-factor authentication. Strong authenticators include PKI where certificates are stored on a token protected by a password, passphrase, or biometric. Enforcing requirements in MA-4 is accomplished, in part, by other controls. SP 800-63B provides additional guidance on strong authentication and authenticators.
Control assessment-objective
- nonlocal maintenance and diagnostic activities are approved;
- nonlocal maintenance and diagnostic activities are monitored;
- the use of nonlocal maintenance and diagnostic tools is allowed only as consistent with organizational policy;
- the use of nonlocal maintenance and diagnostic tools is documented in the security plan for the system;
- strong authentication is employed in the establishment of nonlocal maintenance and diagnostic sessions;
- records for nonlocal maintenance and diagnostic activities are maintained;
- session connections are terminated when nonlocal maintenance is completed;
- network connections are terminated when nonlocal maintenance is completed.
What is the solution and how is it implemented?
Implementation a.
Customer applications fully inherit this control from cloud.gov.
Implementation b.
Customer applications fully inherit this control from cloud.gov.
Implementation c.
Customer applications fully inherit this control from cloud.gov.
Implementation d.
Customer applications fully inherit this control from cloud.gov.
Implementation e.
Customer applications fully inherit this control from cloud.gov.