
Risk Management Handbook Chapter 9: Maintenance (MA)

RMH Chapter 9 provides information about the Maintenance family of controls that provide rules for the maintenance of CMS systems.

Last reviewed: 4/7/2020

Contact: ISPG Policy Team | CISO@cms.hhs.gov


Introduction

This Handbook outlines procedures to help CMS staff and contractors implement the Maintenance family of controls taken from the National Institute of Standards and Technology (NIST) Special Publication 800-53 and tailored to the CMS environment in the CMS Acceptable Risk Safeguards (ARS). For more guidance on how to implement CMS policies and standards across many cybersecurity topics, see the CMS Security and Privacy Handbooks. 

RMH Chapter 09 provides processes and procedures to assist with the consistent implementation of the MA family of controls for any system that stores, processes, or transmits CMS information on behalf of CMS. This chapter identifies the policies, minimum standards, and procedures for the effective implementation of selected security and privacy controls and control enhancements in the MA family.

Maintenance controls

Controlled Maintenance (MA-2)

This control addresses the information security aspects of the information system maintenance program and applies to all types of maintenance to any system component (including applications) conducted by any local or nonlocal entity (e.g., in-contract, warranty, in-house, software maintenance agreement). System maintenance also includes those components not directly associated with information processing and/or data/information retention such as scanners, copiers, and printers.

The level of detail included in maintenance records can be informed by the security categories of organizational information systems. Organizations must consider supply chain issues associated with replacement components for information systems.

Guidance for systems processing, storing, or transmitting PHI:

HIPAA requires organizations to apply reasonable and appropriate safeguards for the protection of PHI, including implementing policies and procedures to document repairs and modifications to the facility which are related to security.

The table below outlines the CMS defined parameters for MA-2.

Table 4: CMS Defined Parameters-Control MA-2

| Control | Control Requirement | CMS Parameter |
| --- | --- | --- |
| MA-2 | The organization: c. Requires that [Assignment: organization-defined personnel or roles] explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs; | The organization: c. Requires that the applicable Business Owner (or an official designated in the applicable security plan) explicitly approves the removal of the information system or system components from organizational facilities for off-site maintenance or repairs; |

CMS reviews and updates the baseline configuration of its information systems at a regularly defined frequency, when special circumstances arise (e.g., critical security patches), or when an information system component is installed or upgraded. Automation assists in documenting changes and ensures the proper workflow. CMS uses automated means to document system changes for submission and to notify the authorizing personnel, defined in the System Security and Privacy Plan (SSPP), who are designated to approve changes, whenever changes are proposed. Automating these processes also increases the traceability of changes for many systems at once.

CMS addresses the information security aspects of the information system maintenance program and applies it to hardware and software maintenance. Information necessary for creating effective maintenance records includes, at a minimum, the following information:

  • Date and time of maintenance;
  • Name of individuals or group performing the maintenance;
  • Name of the authorized escort (if necessary);
  • A description of the maintenance performed;
  • A list of the information system components/equipment removed and/or replaced.

NOTE: The removal of the information system or components from CMS facilities requires the explicit approval from the Business Owner (BO). Prior to off-site maintenance or repairs, the equipment is sanitized, using approved CMS sanitization methods, for the removal of information from associated media.

Maintenance Tools (MA-3)

This control addresses security-related issues associated with maintenance tools used specifically for diagnostic and repair actions on organizational information systems. Maintenance tools can include hardware, software, and firmware items. Maintenance tools are potential vehicles for transporting malicious code, either intentionally or unintentionally, into a facility and organizational information systems. Maintenance tools can include hardware/software diagnostic test equipment and hardware/software packet sniffers. This control does not cover hardware/software components that may support information system maintenance yet are considered an integral part of the system. CMS approves, controls, and monitors information system maintenance tools used to repair or conduct diagnostics on information systems and their components. After completion of the maintenance, all maintenance equipment, with the capability of retaining information, is checked to ensure that information is not saved on the equipment and that the equipment is appropriately sanitized, using approved CMS sanitization methods, before the release from the CMS facility.

Inspect Tools (MA-3(1))

This control enhancement provides that maintenance tools, transported by maintenance personnel into facilities, are inspected for unauthorized modifications. CMS inspects maintenance tools for obvious signs of improper or unauthorized modifications. Tools that are found to be modified in an improper or unauthorized manner must be reported per the CMS incident handling procedure that is located in RMH Chapter 08 Incident Response.

Inspect Media (MA-3(2))

Inspecting media that contains diagnostic and test programs for malicious code before the media are used in the information system is the purpose of this control enhancement.

CMS checks and scans all diagnostic tools and test programs for malicious code before being used in the information system. Media that are found to contain malicious code must be reported per the CMS incident handling procedure that is located in RMH Chapter 08 Incident Response.

Prevent Unauthorized Removal (MA-3(3))

Preventing the unauthorized removal of maintenance equipment containing organizational information is the purpose of this control enhancement. The table below outlines the CMS defined parameters for MA-3(3).

Table 5: CMS Defined Parameters-Control MA-3(3)

| Control | Control Requirement | CMS Parameter |
| --- | --- | --- |
| MA-3(3) | The organization prevents the unauthorized removal of maintenance equipment containing organizational information by: d. Obtaining an exemption from [Assignment: organization-defined personnel or roles] explicitly authorizing removal of the equipment from the facility | The organization prevents the unauthorized removal of maintenance equipment containing organizational information by: d. Obtaining an exemption, in writing, from the CMS CIO or his/her designated representative explicitly authorizing removal of the equipment from the facility. |

CMS prevents the unauthorized removal of maintenance equipment containing organizational information by:

  • Verifying that CMS information is not contained on the equipment when the equipment has the capability of retaining information;
  • Sanitizing or destroying the equipment, using CMS approved sanitization or destruction techniques/methods;
  • Retaining or storing the equipment securely within the facility;
  • Obtaining a written exemption from the CMS Chief Information Officer (CIO), or his/her designated representative, explicitly authorizing removal of the equipment from the facility.

Nonlocal Maintenance (MA-4)

Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. Authentication techniques used in the establishment of nonlocal maintenance and diagnostic sessions reflect the network access requirements in Identification and Authentication (Organizational Users) (IA-2).

Written authorization from the CMS CIO is required for nonlocal or remote maintenance and diagnostic activities to be performed on an information system. CMS monitors and controls nonlocal maintenance and diagnostic activities and allows the use of maintenance and diagnostic tools in accordance with organizational policy. Appropriate identification and authentication techniques are employed in the establishment of remote sessions in accordance with IA-2, and all such sessions are terminated after the completion of the maintenance.

Auditing and Review (MA-4(1))

The purpose of this control enhancement is to ensure that auditing and reviews of nonlocal maintenance and diagnostic sessions are performed.

Table 6: CMS Defined Parameters-Control MA-4(1)

| Control | Control Requirement | CMS Parameter |
| --- | --- | --- |
| MA-4(1) | The organization: a) Audits nonlocal maintenance and diagnostic sessions [Assignment: organization-defined audit events]; | The organization: a. Audits nonlocal maintenance and diagnostic sessions using available audit events; |

CMS audits nonlocal maintenance and diagnostic sessions using available audit events. Maintenance and diagnostic records consist of audit events that are a defined selection based on all events for which the information system is capable of generating records. CMS reviews these records on a continuous basis. 

Document Nonlocal Maintenance (MA-4(2)) 

Information systems that require nonlocal maintenance must document the policies and procedures used for establishing and using nonlocal maintenance activities to include testing and diagnostic connection. CMS requires that maintenance activity, including the authentication mechanism for granting remote access and the capture of maintenance information, is recorded in the applicable SSPP. 

Comparable Security/Sanitization (MA-4(3)) 

Comparable security capability on information systems, diagnostic tools, and equipment providing maintenance services implies that the implemented security controls on those systems, tools, and equipment are at least as comprehensive as the controls on the information system being serviced. CMS requires that nonlocal maintenance and diagnostic services are performed from an information system that implements a security capability comparable to the capability implemented on the system being serviced. Prior to nonlocal maintenance or diagnostic services, CMS requires the removal of the component to be serviced from the information system and sanitization of information from the component. After the service is performed and before reconnecting the component to the information system, CMS provides for inspection and sanitization of the component for potentially malicious software. 

Maintenance Personnel (MA-5) 

This control applies to individuals performing hardware or software maintenance on organizational information systems, while Physical Access Authorizations (PE-2) addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems.

Guidance for systems processing, storing, or transmitting PII (to include PHI):

If maintenance personnel are contractors, then the organization's personnel responsible for contracting (such as the contracting officer, contracting officer's representative, or contracting officer's technical representative) or the program manager must ensure that contractors having access to records (i.e., files or data) from a system of records are contractually bound to be covered by the Privacy Act of 1974.

CMS maintains documentation of authorized maintenance personnel that perform hardware or software maintenance on information systems. The System Developer and Maintainer implements approved software maintenance while the Government Task Lead (GTL) of the data center maintains a list of authorized maintenance personnel that perform hardware maintenance. Maintenance personnel performing hardware maintenance are required to have authorized physical access to the data center. RMH Chapter 11 Physical and Environmental Protection provides additional information on requesting physical access to controlled areas.

Individuals Without Appropriate Access (MA-5(1)) 

This control enhancement denies visual and electronic access to any classified information, Controlled Unclassified Information (CUI), or any other sensitive information contained on organizational information systems to individuals who do not possess the required level of security clearances or who are not U.S. citizens. Individuals not previously identified as authorized maintenance personnel, such as information technology manufacturers, vendors, systems integrators, and consultants, may require privileged access to CMS information systems when required to conduct maintenance activities with little or no notice. Maintenance personnel without the necessary access authorizations, clearances or formal approvals are properly escorted and supervised by an authorized CMS employee or an authorized contractor with technical competence of supervising individuals relating to the maintenance being performed on the information system. 

Timely Maintenance (MA-6) 

Organizations specify the information system components that result in increased risk to organizational operations and assets, individuals, other organizations, or the Nation when the functionality provided by those components is not operational. Organizational actions to obtain maintenance support typically include having appropriate contracts in place. 

The table below outlines the CMS-defined parameters for MA-6. 

Table 7: CMS Defined Parameters-Control MA-6 

| Control | Control Requirement | CMS Parameter |
| --- | --- | --- |
| MA-6 | The organization obtains maintenance support and/or spare parts for [Assignment: organization-defined information system components] within [Assignment: organization-defined time period] of failure. | The organization obtains maintenance support and/or spare parts for defined key information system components (defined in the applicable security plan) within the applicable RTO specified in the contingency plan. |

CMS requires the alignment of hardware maintenance and support services with the information system’s recovery time objective (RTO). Timely maintenance requirements are met through service agreements that provide 24/7 coverage and/or through on-site storage of replacement parts. CSPs must define a list of security-critical information system components and/or key information technology components. The list of components is approved and accepted by the Joint Authorization Board (JAB). The time period to obtain maintenance and spare parts is defined in accordance with the contingency plan for the information system and business impact analysis. The time period is approved and accepted by the JAB.

Applicable Laws and Guidance 

The Applicable Laws and Guidance appendix provides references to both authoritative and guidance documentation supporting this document.

Statutes 

Health Insurance Portability and Accountability Act of 1996 (HIPAA) 

Federal Directives and Policies 

FedRAMP Rev. 4 Baseline 

NIST Guidance and Federal Information Processing Standards FIPS Pub: 140-2, 197, 201 

FIPS-140-2 Security Requirements for Cryptographic Modules 

FIPS-197, Advanced Encryption Standard 

FIPS-201-2, Personal Identity Verification (PIV) for Federal Employees and Contractors 

NIST SP 800-88, Guidelines for Media Sanitization 

NIST SP 800-100, Information Security Handbook: A Guide for Managers

NIST SP 800-12 Rev. 1, An Introduction to Information Security