MA-2—Controlled Maintenance
>Control Description
Schedule, document, and review records of maintenance, repair, and replacement on system components in accordance with manufacturer or vendor specifications and/or organizational requirements;
Approve and monitor all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location;
Require that ⚙organization-defined personnel or roles explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement;
Sanitize equipment to remove the following information from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement: ⚙organization-defined information;
Check all potentially impacted controls to verify that the controls are still functioning properly following maintenance, repair, or replacement actions; and
Include the following information in organizational maintenance records: ⚙organization-defined information.
>FedRAMP Baseline Requirements
No FedRAMP-specific parameter values or requirements for this baseline.
>Discussion
Controlling system maintenance addresses the information security aspects of the system maintenance program and applies to all types of maintenance to system components conducted by local or nonlocal entities. Maintenance includes peripherals such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes the date and time of maintenance, a description of the maintenance performed, names of the individuals or group performing the maintenance, name of the escort, and system components or equipment that are removed or replaced.
Organizations consider supply chain-related risks associated with replacement components for systems.
>Cross-Framework Mappings
>Programmatic Queries
Related Services
CLI Commands
aws ssm describe-maintenance-windows
aws rds describe-db-instances --query 'DBInstances[*].{Id:DBInstanceIdentifier,Window:PreferredMaintenanceWindow}'
aws rds describe-pending-maintenance-actions
aws elasticache describe-cache-clusters --query 'CacheClusters[*].{Id:CacheClusterId,Window:PreferredMaintenanceWindow}'
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- What formal policies and procedures govern the implementation of MA-2 (Controlled Maintenance)?
- Who are the designated roles responsible for implementing, maintaining, and monitoring MA-2?
- How frequently is the MA-2 policy reviewed and updated, and what triggers policy changes?
- What governance structure ensures MA-2 requirements are consistently applied across all systems?
Technical Implementation:
- Describe the specific technical mechanisms or controls used to enforce MA-2 requirements.
- What automated tools, systems, or technologies are deployed to implement MA-2?
- How is MA-2 integrated into your system architecture and overall security posture?
- What configuration settings, parameters, or technical specifications enforce MA-2 requirements?
Evidence & Documentation:
- What documentation demonstrates the complete implementation of MA-2?
- What audit logs, records, reports, or monitoring data validate MA-2 compliance?
- Can you provide evidence of periodic reviews, assessments, or testing of MA-2 effectiveness?
- What artifacts would you present during a FedRAMP assessment to demonstrate MA-2 compliance?