3.7.2 has a weight of -5 points

(Maintenance Family) 2/6

Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.

Example of System Security Plan (SSP):

System Security Plan (SSP) – Control Identifier: 3.7.2

Control Title: Controls on System Maintenance Tools and Personnel

Control Description:

This control addresses security-related issues with maintenance tools used for diagnostic and repair actions on organizational systems that process, store, or transmit Controlled Unclassified Information (CUI). It emphasizes the need for controls on tools, techniques, mechanisms, and personnel involved in system maintenance to prevent unauthorized or malicious usage.

Policy Statement:

Our organization is committed to implementing controls on the tools, techniques, mechanisms, and personnel involved in system maintenance, with a specific focus on those used for diagnostic and repair actions on systems processing, storing, or transmitting CUI.

Scope of Controls:

These controls apply to maintenance tools used for diagnostic and repair actions on organizational systems containing CUI, including both hardware and software tools, techniques, and mechanisms.

Approving, Controlling, and Monitoring Tools:

  • Maintenance tools are subject to approval, control, and monitoring to prevent unauthorized or malicious usage.
  • The organization determines specific controls based on risk assessments and security requirements.

Security Risks with Maintenance Tools:

Maintenance tools are recognized as potential vectors for malicious code, either intentionally or unintentionally, into organizational systems. To mitigate these risks and maintain system integrity and confidentiality, controls are established for their secure usage.

Personnel Access Controls:

  • Access to maintenance tools is limited to authorized personnel possessing the necessary skills and training.
  • Access is granted based on job roles and responsibilities and is regularly reviewed and updated.

Tool Inventory and Accountability:

  • An inventory of maintenance tools, including hardware, software, and firmware items, is maintained.
  • Accountability for tool possession and usage is ensured through periodic audits.

Secure Use of Maintenance Tools:

  • Guidelines and procedures for secure tool usage are established to ensure legitimate diagnostic and repair purposes.
  • Controls may include secure storage, physical access restrictions, and logging of tool usage.

Monitoring and Incident Reporting:

  • Tool usage is continuously monitored for unusual or unauthorized activities.
  • Incidents related to tool usage are promptly reported and investigated to prevent further damage.

Training and Awareness:

  • Authorized personnel receive specific training on proper tool usage and security implications.
  • Regular security awareness training emphasizes the risks associated with maintenance tools and responsible tool usage.

Continuous Improvement:

  • The organization regularly reviews and updates controls on maintenance tools to adapt to evolving threats and technology, ensuring ongoing effectiveness.
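The inventory, access-control and usage-monitoring items above can be checked mechanically. The following is an added example, not part of the SSP or of any NIST publication; every tool id, person and log record in it is constructed, and the log format (timestamp, user, tool, system) is an assumption:

```python
# Added example, not part of the SSP above: reconcile a maintenance-tool
# usage log against the approved tool inventory and the authorized-personnel
# roster. Tool ids, names and log lines are constructed for illustration.

# Constructed inventory: tool id -> (item kind, approved for CUI systems?)
TOOL_INVENTORY = {
    "diag-kit-01": ("hardware", True),
    "pktcap-02":   ("software", True),
    "fw-flash-03": ("firmware", False),  # inventoried, approval still pending
    "scope-04":    ("hardware", True),
}

# Constructed roster: person -> tools they are authorized and trained on
AUTHORIZED = {"alice": {"diag-kit-01", "pktcap-02"}, "bob": {"diag-kit-01"}}

# Constructed usage log, one record per line: timestamp user tool system
USAGE_LOG = """\
2024-03-04T09:12:00Z alice diag-kit-01 cui-srv-1
2024-03-04T10:05:00Z bob   pktcap-02   cui-srv-1
2024-03-04T11:30:00Z carol diag-kit-01 cui-srv-2
2024-03-04T12:00:00Z alice fw-flash-03 cui-srv-2
2024-03-04T13:45:00Z alice usb-unknown cui-srv-1
"""

def audit_usage(log_text, inventory, authorized):
    """Return (timestamp, user, tool, system, reason) for each record that
    violates the SSP controls; records that pass produce nothing."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, tool, system = line.split()
        if tool not in inventory:
            reason = "tool not in inventory"          # unaccounted-for tool
        elif not inventory[tool][1]:
            reason = "tool not approved for use"      # inventoried but unapproved
        elif tool not in authorized.get(user, set()):
            reason = "user not authorized for tool"   # access-control violation
        else:
            continue
        findings.append((ts, user, tool, system, reason))
    return findings

def unused_inventory(log_text, inventory):
    """Inventoried tools with no usage record: verify possession at the audit."""
    used = {line.split()[2] for line in log_text.splitlines() if line.strip()}
    return sorted(set(inventory) - used)
```

Each finding maps to one of the SSP bullets (inventory, approval, personnel access), which is the evidence an assessor will ask for under the monitoring and audit items.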

Example of Plan of Action and Milestones (POA&M):

Plan of Action and Milestones (POA&M) – Control Identifier: 3.7.2

Control Title: Controls on System Maintenance Tools and Personnel

Control Description:

This control addresses the need for controls on maintenance tools, techniques, mechanisms, and personnel involved in system maintenance, specifically those used for diagnostic and repair actions on systems processing, storing, or transmitting Controlled Unclassified Information (CUI). The goal is to prevent unauthorized or malicious usage of maintenance tools.

POA&M:

1. Review and Update Existing Maintenance Tool Policies and Procedures

  • Milestone 1: Within 45 days, initiate a review of existing maintenance tool policies and procedures to ensure they align with the new control requirements.

  • Milestone 2: Within 75 days, update the policies and procedures to incorporate the control requirements and document the revised documents.

2. Identification and Classification of Maintenance Tools

  • Milestone 3: Within 60 days, identify all maintenance tools, including hardware and software, used within the organization.

  • Milestone 4: Within 90 days, classify maintenance tools based on their importance, impact, and potential risk to CUI.

3. Access Control Implementation

  • Milestone 5: Within 90 days, implement access controls for maintenance tools, limiting access to authorized personnel with appropriate skills and training.

  • Milestone 6: Within 120 days, ensure that access is granted based on job roles and responsibilities and is subject to regular reviews and updates.

4. Inventory and Accountability

  • Milestone 7: Within 120 days, establish an inventory of all maintenance tools, including hardware, software, and firmware items.

  • Milestone 8: Within 150 days, conduct the first periodic audit to verify the accuracy of the tool inventory.

5. Secure Use of Maintenance Tools

  • Milestone 9: Within 150 days, implement guidelines and procedures for the secure use of maintenance tools, including secure storage, physical access restrictions, and logging of tool usage.

6. Monitoring and Incident Reporting

  • Milestone 10: Within 180 days, implement continuous monitoring of maintenance tool usage for unusual or unauthorized activities.

  • Milestone 11: Within 210 days, establish an incident reporting mechanism for any tool-related incidents, and ensure they are promptly reported and investigated.

7. Training and Awareness

  • Milestone 12: Within 240 days, provide specific training to authorized personnel on proper maintenance tool usage and security implications.

  • Milestone 13: Within 270 days, incorporate information on maintenance tool controls into regular security awareness training programs.

8. Ongoing Reviews and Updates

  • Milestone 14: Ongoing, conduct regular reviews of maintenance tool controls and update them as needed to adapt to changing threats and technology.

9. Documentation and Reporting

  • Milestone 15: Ongoing, maintain detailed records of maintenance tool-related activities and security controls for reporting and auditing purposes.

10. Policy Review

  • Milestone 16: Within 360 days, review the organization’s System Security Plan (SSP) to ensure it accurately reflects the updated maintenance tool controls.

RELEVANT INFORMATION:

This requirement addresses security-related issues with maintenance tools that are not within the organizational system boundaries that process, store, or transmit CUI, but are used specifically for diagnostic and repair actions on those systems. Organizations have flexibility in determining the controls in place for maintenance tools, but can include approving, controlling, and monitoring the use of such tools. Maintenance tools are potential vehicles for transporting malicious code, either intentionally or unintentionally, into a facility and into organizational systems. Maintenance tools can include hardware, software, and firmware items, for example, hardware and software diagnostic test equipment and hardware and software packet sniffers.

Resources to consider:

Security Policy Document:

This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.

Asset Inventory and Access Control Sheet:

Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.

User Account Management Log:

Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.

Password and Multi-Factor Authentication Policy:

Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.

Process and Script Accountability Log:

Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.

Device Access Control and VPN Policy:

Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.

Access Control Review and Monitoring Schedule:

Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.

User Training and Awareness Materials:

Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.