3.7.2—Maintenance - Basic
>Control Description
>Discussion
This requirement addresses security-related issues with maintenance tools that are not within the organizational system boundaries that process, store, or transmit CUI, but are used specifically for diagnostic and repair actions on those systems. Organizations have flexibility in determining the controls in place for maintenance tools, but can include approving, controlling, and monitoring the use of such tools. Maintenance tools are potential vehicles for transporting malicious code, either intentionally or unintentionally, into a facility and into organizational systems.
Maintenance tools can include hardware, software, and firmware items, for example, hardware and software diagnostic test equipment and hardware and software packet sniffers.
>Cross-Framework Mappings
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- •What policies govern effective maintenance tool control?
- •What procedures approve and track maintenance tools?
- •Who authorizes use of specific maintenance tools?
- •How are remote maintenance tools controlled?
- •What governance ensures maintenance tools don't introduce risk?
Technical Implementation:
- •What technical controls restrict maintenance tool usage?
- •How do you monitor and log maintenance tool activities?
- •What mechanisms prevent unauthorized maintenance tool installation?
- •How are remote maintenance tools secured?
- •What scanning detects unauthorized maintenance utilities?
Evidence & Documentation:
- •Can you provide a list of approved maintenance tools?
- •What logs track maintenance tool usage?
- •Can you demonstrate maintenance tool access restrictions?
- •What evidence shows maintenance tool controls are effective?
- •What audit findings verify maintenance tool compliance?
Ask AI
Configure your API key to use AI features.