Maintenance (MA)
Last Reviewed: 6/13/2025
CMS establishes clear policy and procedures that guide its maintenance practices. By ensuring that all maintenance activities are authorized, logged and secure, and by regularly reviewing and auditing tools, personnel and procedures, CMS keeps its maintenance practices aligned with federal security standards.
Key Security and Privacy Measures
This informational guide focuses on the consistent and effective implementation of maintenance activities across the organization. It describes the processes and procedures that keep these activities secure, authorized and well documented.
Controlled Maintenance
All maintenance is pre-authorized, scheduled and logged. The System Owner must authorize the removal of the information system or components from the CMS facility for any off-site maintenance. Prior to removal, the system must be sanitized using CMS-approved methods.
CMS systems generate audit logs for all maintenance activities which must include:
- Date and time of maintenance
- Name of individuals or group performing the maintenance
- Name of the authorized escort (if necessary)
- A description of the maintenance performed
- A list of the information system components/equipment removed and/or replaced
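The following is an added example (not CMS code) of how the audit-log requirements above, together with the off-site removal rule in the Controlled Maintenance paragraph, can be checked mechanically before a maintenance record is accepted. The record layout (a dictionary with the keys shown), the escort_required flag and the sample records are assumptions constructed for illustration.

```python
"""Validate maintenance audit-log records against the required fields.

Added example, not CMS code. The record layout and the sample records
below are constructed for illustration.
"""
from datetime import datetime

# Fields every maintenance record must carry: date/time, performer,
# description of work, and the list of components removed/replaced.
REQUIRED_FIELDS = ("timestamp", "performed_by", "description", "components")


def validate_maintenance_record(record: dict, escort_required: bool = False) -> list[str]:
    """Return a list of problems found; an empty list means the record is complete."""
    problems = []
    for field in REQUIRED_FIELDS:
        if field not in record or record[field] in ("", None):
            problems.append(f"missing required field: {field}")

    # Date and time must be parseable so records can be ordered and audited.
    ts = record.get("timestamp")
    if ts:
        try:
            datetime.fromisoformat(ts)
        except ValueError:
            problems.append(f"timestamp is not ISO 8601: {ts!r}")

    # The escort is only mandatory when the performer needs one (e.g. an unlisted vendor).
    if escort_required and not record.get("escort"):
        problems.append("escort required but not recorded")

    # Components removed/replaced must be a list (an empty list is acceptable).
    comps = record.get("components")
    if comps is not None and not isinstance(comps, list):
        problems.append("components must be a list of removed/replaced items")

    # Off-site removal needs System Owner authorization and prior sanitization.
    if record.get("offsite_removal"):
        if not record.get("system_owner_authorization"):
            problems.append("off-site removal without System Owner authorization")
        if not record.get("sanitized_before_removal"):
            problems.append("component removed off-site without prior sanitization")
    return problems


# Constructed sample records (not real CMS data).
GOOD_RECORD = {
    "timestamp": "2025-06-13T09:30:00",
    "performed_by": "vendor technician (constructed)",
    "escort": "CMS escort (constructed)",
    "description": "Replaced failed disk in storage array",
    "components": ["disk bay 04 (removed)", "disk bay 04 (replaced)"],
    "offsite_removal": True,
    "system_owner_authorization": "AUTH-PLACEHOLDER",
    "sanitized_before_removal": True,
}

BAD_RECORD = {
    "timestamp": "13/06/2025 09:30",   # not ISO 8601
    "performed_by": "",                # missing performer
    "description": "Firmware update",
    "components": "none",              # should be a list
    "offsite_removal": True,           # no authorization, no sanitization
}


if __name__ == "__main__":
    for name, rec in (("good", GOOD_RECORD), ("bad", BAD_RECORD)):
        print(name, validate_maintenance_record(rec, escort_required=True))
```

Run against the two constructed records, the good record yields no findings and the bad one yields six, one per violated requirement; a logging pipeline can reject or quarantine records that return a non-empty list.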
Automated Maintenance Activities
For high baseline information systems, CMS uses automated mechanisms to manage and control system maintenance programs and activities, which ensures the generation of timely, accurate, complete and consistent maintenance records.
Maintenance Tools
CMS ensures that all tools used for system maintenance (hardware or software) are vetted, approved and secure. Tools are scanned for malware, and external tools are not permitted unless explicitly approved. Upon completion of maintenance, the tools used for diagnostic or repair activities are re-checked and sanitized to ensure no CMS information is retained on them.
CMS reviews previously approved system maintenance tools monthly (every 30 days).
Inspect Tools
All maintenance tools brought into CMS facilities are inspected for unauthorized modifications. Any tools showing signs of tampering must be reported in accordance with CMS’ incident handling procedures.
Inspect Media
All diagnostic and test media are scanned for malicious code before use. Infected media must be reported in line with CMS’ incident handling procedures.
Prevent Unauthorized Removal
Upon completion of maintenance, CMS prevents the unauthorized removal of maintenance equipment containing CMS information by:
- Verifying there is no CMS information contained on the equipment
- Sanitizing or destroying the equipment using CMS approved techniques/methods
- Securely retaining the equipment within the CMS facility
- Obtaining exemption from the CMS CIO, or his/her designated representative, explicitly authorizing removal of the equipment from the CMS facility.
Non-local (Remote) Maintenance
Non-local maintenance involves remote access via internal or external networks (the internet), while local maintenance is performed onsite without network communication.
Non-local maintenance requires written authorization from the CMS CIO. All remote sessions must use strong authentication methods aligned with IA-2 requirements and are monitored, controlled, logged, and terminated upon completion. The use of maintenance tools must follow CMS policy.
Comparable Security and Sanitization
CMS requires that non-local maintenance and diagnostic services be conducted using systems and tools with security controls equal to, or stronger than, those of the system being serviced. Before remote maintenance, the component must be removed and sanitized. After service, it must be inspected and sanitized again for malicious software before reconnection to the CMS system or network.
Maintenance Personnel
This section applies to individuals performing hardware or software maintenance on CMS information systems. While PE-2 (Physical Access Authorizations) covers access to physical areas, the focus here is on authorizing maintenance personnel. Only cleared and authorized personnel are allowed to perform maintenance.
For systems handling PII/PHI, if the maintenance personnel are contractors, CMS ensures they are contractually bound by the Privacy Act of 1974.
- The System Developer and Maintainer performs approved software maintenance.
- The Government Task Lead (GTL) maintains a list of personnel authorized for hardware maintenance.
- Hardware maintenance personnel must have authorized physical access to the CMS data center.
Additional access guidance is available in the Physical and Environmental Protection Informational Guide.
Individuals Without Appropriate Access
CMS prevents visual or electronic access to classified, Controlled Unclassified Information (CUI), or other sensitive data by individuals without proper clearance or U.S. citizenship.
When unlisted personnel, such as vendors or consultants, require unplanned privileged access for maintenance, they must be escorted and supervised by an authorized CMS employee or qualified contractor with technical expertise to oversee the activity.
Before maintenance by personnel without required clearances or approvals, all volatile storage is sanitized, and nonvolatile media is removed or disconnected and secured.
If a component cannot be sanitized or removed, alternate controls defined in the System Security and Privacy Plan (SSPP) must be implemented.
Timely Maintenance
CMS identifies key system components that pose increased risk if not operational, as defined in the System Security and Privacy Plan (SSPP). Maintenance support and spare parts for these components must be available within the Recovery Time Objective (RTO) specified in the system Contingency Plan.
CMS ensures timely maintenance through 24/7 service agreements and/or on-site spare parts. Cloud Service Providers (CSPs) must define and document a list of security-critical components, which must be approved by the Federal Risk and Authorization Management Program (FedRAMP) Board. The required maintenance timeframes are based on the Contingency Plan and Business Impact Analysis (BIA) which are also approved by the FedRAMP Board.
CMS implements a patch and maintenance schedule for all systems based on CMS’ vulnerability management process. These schedules are integrated into the Configuration Management Plan and Continuous Monitoring strategy. Critical patches are applied within fifteen (15) days, while all other patches must be applied within thirty (30) days, in line with CMS policy.
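As an added example (not CMS code) of tracking the patch windows stated above, the script below computes each patch's deadline from its release date and severity (15 days for critical, 30 days for all others) and reports which patches are overdue or were applied late as of a given date. The patch inventory and the as-of date are constructed for illustration; the severity labels other than "critical" are assumed.

```python
"""Patch-window tracker for the 15-day (critical) / 30-day (other) policy.

Added example, not CMS code. The inventory below is constructed.
"""
from datetime import date, timedelta

# Remediation windows in calendar days, from the policy text.
PATCH_WINDOWS = {"critical": 15, "other": 30}


def patch_deadline(released: date, severity: str) -> date:
    """Deadline by which a patch released on `released` must be applied."""
    window = PATCH_WINDOWS["critical"] if severity.lower() == "critical" else PATCH_WINDOWS["other"]
    return released + timedelta(days=window)


def patch_status(patch: dict, today: date) -> dict:
    """Classify one patch as on_time, late, pending or overdue relative to `today`."""
    deadline = patch_deadline(patch["released"], patch["severity"])
    applied = patch.get("applied")
    if applied is not None:
        # Already applied: judge against the deadline, not today.
        state = "on_time" if applied <= deadline else "late"
        days_past = max(0, (applied - deadline).days)
    else:
        # Still open: overdue once today passes the deadline.
        state = "overdue" if today > deadline else "pending"
        days_past = max(0, (today - deadline).days)
    return {
        "id": patch["id"],
        "severity": patch["severity"],
        "deadline": deadline,
        "state": state,
        "days_past_deadline": days_past,
    }


def overdue_report(patches: list[dict], today: date) -> list[dict]:
    """Return the statuses of patches that missed their window (overdue or late)."""
    statuses = (patch_status(p, today) for p in patches)
    return [s for s in statuses if s["state"] in ("overdue", "late")]


# Constructed inventory (IDs and dates are placeholders, not real CMS patches).
SAMPLE_PATCHES = [
    {"id": "PATCH-A", "severity": "critical", "released": date(2025, 5, 1), "applied": date(2025, 5, 10)},
    {"id": "PATCH-B", "severity": "critical", "released": date(2025, 5, 1), "applied": None},
    {"id": "PATCH-C", "severity": "moderate", "released": date(2025, 5, 20), "applied": date(2025, 6, 25)},
    {"id": "PATCH-D", "severity": "low", "released": date(2025, 6, 1), "applied": None},
]
AS_OF = date(2025, 6, 13)  # constructed reporting date


if __name__ == "__main__":
    for s in overdue_report(SAMPLE_PATCHES, AS_OF):
        print(f"{s['id']}: {s['state']} by {s['days_past_deadline']} days (deadline {s['deadline']})")
```

With the constructed inventory, PATCH-B (critical, released 1 May, still open on 13 June) is 28 days past its 16 May deadline, and PATCH-C (released 20 May, applied 25 June) was applied 6 days after its 19 June deadline; the report is the kind of input a continuous monitoring dashboard would consume.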
Summary of Maintenance at CMS
CMS establishes clear policy and procedures that guide its maintenance practices. By ensuring that all maintenance activities are authorized, logged and secure, and by regularly reviewing and auditing tools, personnel and procedures, CMS keeps its maintenance practices aligned with federal security standards.