CMMC Weekly Series #7
Posted on May 15, 2020 by Theodore Wernet, CISSP
This Cybersecurity Maturity Model Certification (CMMC) domain, with only 6 practices in levels 2 and 3, is one of the smaller domains. Many organizations already have some form of a maintenance plan/process in place to meet the needs of the domain, so you might only need to augment your current activities to become compliant. Like the other CMMC domains, you will want to start with a policy that details how you handle each of the practices contained in the maintenance domain.
Let’s dive into the Maintenance domain and take a look at each practice…
MA.2.111 Perform maintenance on organizational systems. When we usually think of maintenance, we think of patches and perhaps the occasional upgrade or replacement of a degraded/broken piece of hardware. While these are the very heart and soul of maintenance, we need to take this a step further. We should have a maintenance plan that supports a more structured approach. This would include a maintenance schedule for recurring tasks (monthly patches, etc.), but also a process for maintenance that occurs outside the standard schedule (such as a failed drive on a server). Lastly, we need to track how and when maintenance is performed. It is best to integrate this process with your Configuration Management process and utilize a Change Request/Change Complete tracking system.
MA.2.112 Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance. Depending on the size and function of your organization, the number and types of system maintenance tools you use might vary greatly. For smaller organizations it may be a single laptop with a few standard tools (Nessus, a packet capture/sniffer, etc.), while larger organizations may have a complete arsenal at their disposal. In either case, you will need a process in place to manage these tools, how they are used and who can use them. For example, you want to verify any plug-in update with both a virus scan and a vendor checksum before it is imported into the tool. You also want to define when the tool can be used; a system scan at two in the afternoon might cause performance problems on the network. You also want to control who can use the tool: a junior administrator may not need the rights to hit the remediate button on a given application.
MA.2.113 Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete. This practice is straightforward. If you are going to allow for remote maintenance sessions, you must have multifactor authentication in place. If this practice would be the sole reason for your organization implementing MFA, it might make more sense to implement a policy that does not allow for remote system maintenance.
MA.2.114 Supervise the maintenance activities of personnel without required access authorization. For most organizations, at some point you must have maintenance performed on a system that cannot be completed by people inside your organization. This could be a motherboard replacement on a laptop or the servicing of the HVAC system in your server room. When this type of maintenance is performed, you should have a process in place for how it is performed. Typically, this would include the maintenance company providing the maintenance person’s name and approximate time of arrival. You should have a visitor log that records the maintenance person’s name, the maintenance to be performed and sign-in/sign-out times. You also need to escort the maintenance person the entire time they are on the premises. Ideally, the escort should be someone who understands the maintenance work being done.
MA.3.115 Ensure equipment removed for off-site maintenance is sanitized of any CUI. Whenever equipment that houses CUI is removed from your facility, it needs to be sanitized! To complete this correctly you should have a Certificate of Volatility (COV)/Statement of Volatility (SOV) from the vendor to identify which components retain data and therefore need to be sanitized. For some components this may only require a power cycle or removal of the battery, but for items like hard-disk drives and solid-state drives this becomes more labor-intensive. I would recommend utilizing the DoD 5220.22-M Cleaning and Sanitization Matrix to identify the best methods for a given component.
MA.3.116 Check media containing diagnostic and test programs for malicious code before the media are used in organizational systems. This practice is also straightforward. Any media you bring into your organization – whether it is going into a CUI system or not – should always be scanned for malicious code before it is introduced into your environment. You should also verify the checksum from the vendor to assist in determining media integrity.
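One way to carry out the vendor checksum check called for in both MA.2.112 (plug-in updates) and MA.3.116 (diagnostic media), as an added example that is not from this post: the script below verifies the files on a piece of media against a vendor-published SHA-256 manifest (GNU sha256sum format is assumed) and flags anything the vendor did not list, so the result can be recorded before the media is introduced. The sample files and manifest are constructed for the demo.

```python
# Added example, not the post's code: check media against a vendor SHA-256 manifest.
import hashlib
import hmac
import tempfile
from pathlib import Path

def parse_manifest(text):
    """Parse GNU sha256sum lines ("<hex>  <filename>") into {filename: hex}."""
    expected = {}
    for line in filter(None, text.splitlines()):
        digest, _, name = line.partition("  ")
        name = name.lstrip("*")  # sha256sum marks binary-mode entries with '*'
        if len(digest) != 64 or not name or not set(digest.lower()) <= set("0123456789abcdef"):
            raise ValueError(f"malformed manifest line: {line!r}")
        expected[name] = digest.lower()
    return expected

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_media(media_dir, manifest_text):
    """Return (all_ok, {filename: OK|MISMATCH|MISSING|UNLISTED}); unlisted files are flagged."""
    expected = parse_manifest(manifest_text)
    media_dir = Path(media_dir)
    report = {}
    for name, digest in expected.items():
        path = media_dir / name
        if not path.is_file():
            report[name] = "MISSING"
        else:  # constant-time compare of the hex strings, both ASCII
            report[name] = "OK" if hmac.compare_digest(sha256_file(path), digest) else "MISMATCH"
    for path in media_dir.iterdir():
        if path.name not in expected:
            report[path.name] = "UNLISTED"
    return all(status == "OK" for status in report.values()), report

def demo():
    # Constructed media: one intact file, one altered file, one file the vendor never listed.
    with tempfile.TemporaryDirectory() as d:
        good = b"scanner plug-in v1.2\n"
        (Path(d) / "plugin.tgz").write_bytes(good)
        (Path(d) / "diag.img").write_bytes(b"altered image\n")
        (Path(d) / "extra.bin").write_bytes(b"not in manifest\n")
        manifest = (f"{hashlib.sha256(good).hexdigest()}  plugin.tgz\n"
                    f"{hashlib.sha256(b'pristine image').hexdigest()}  diag.img\n")
        return verify_media(d, manifest)
```

Only an all-OK report should clear the media for use; a MISMATCH, MISSING or UNLISTED entry means the media goes back to the vendor, and the report itself belongs in the maintenance record.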