3.7.3 has a weight of -1 points

(Maintenance Family) 3/6

Ensure equipment removed for off-site maintenance is sanitized of any CUI.


Example of System Security Plan (SSP):

    System Security Plan (SSP) – Control Identifier: 3.7.3

    Control Title: Equipment Sanitization for Off-Site Maintenance

    Control Description:

    Control 3.7.3 focuses on ensuring that equipment containing Controlled Unclassified Information (CUI) is properly sanitized when removed for off-site maintenance. This control addresses the security considerations associated with maintenance activities conducted by local or non-local entities, including contractors, warranty services, or in-house software maintenance agreements. The control requires adherence to guidelines provided in [SP 800-88] for media sanitization.

    Policy Statement:

    Our organization is dedicated to safeguarding Controlled Unclassified Information (CUI) throughout its lifecycle, including during off-site maintenance activities. This System Security Plan (SSP) outlines our commitment to ensuring that all equipment removed for off-site maintenance is appropriately sanitized to prevent unauthorized access or disclosure of CUI.

    Scope of Controls:

    These controls apply to all equipment that may contain CUI and requires off-site maintenance, whether the maintenance is conducted by internal or external parties. Equipment includes, but is not limited to, servers, workstations, storage devices, and other hardware or software components.

    Sanitization Process:

    To ensure the secure handling of CUI during off-site maintenance, the following process will be followed:

    1. Identification of CUI-Containing Equipment: All equipment containing or potentially containing CUI must be identified before removal for off-site maintenance.
    2. Data Destruction Policy: Equipment identified as containing CUI must undergo sanitization following the organization’s Data Destruction Policy. This policy includes methods such as secure wiping or physical destruction.
    3. Sanitization Prior to Removal: CUI-containing equipment must be sanitized in accordance with the Data Destruction Policy before it is removed from the secure facility. This may involve securely wiping data, removing and retaining storage media, or taking other approved measures to prevent data exposure.
    4. Documentation: Records of the sanitization process, including dates, methods used, and personnel involved, must be maintained and included in the equipment’s maintenance documentation.

    Off-Site Maintenance Security Measures:

    When CUI-containing equipment is removed for off-site maintenance, the following security measures will be implemented:

    1. Authorization and Waivers: External maintenance providers, including contractors and warranty services, must be authorized to perform maintenance on equipment containing CUI. They must sign waivers acknowledging their understanding of the presence of CUI and their commitment to not make unauthorized copies or access CUI.
    2. Escorted Access: Personnel authorized to handle equipment containing CUI during off-site maintenance must be escorted by an organization-approved IT administrator or designated personnel at all times.

    Training and Awareness:

    All employees and authorized personnel involved in the off-site maintenance process will receive training on the organization’s Data Destruction Policy, equipment sanitization procedures, and the handling of CUI during maintenance activities. Regular security awareness training will emphasize the importance of safeguarding CUI during off-site maintenance.

    Example of Plan of Action and Milestones (POA&M):

    Plan of Action and Milestones (POA&M) – Control Identifier: 3.7.3

    Control Title: Equipment Sanitization for Off-Site Maintenance

    Control Description: Control 3.7.3 focuses on ensuring that equipment containing Controlled Unclassified Information (CUI) is properly sanitized when removed for off-site maintenance. This control addresses the security considerations associated with maintenance activities conducted by local or non-local entities, including contractors, warranty services, or in-house software maintenance agreements. The control requires adherence to guidelines provided in [SP 800-88] for media sanitization.

    POA&M ID: [Unique Identifier]
    POA&M Creation Date: [Date]
    POA&M Last Update Date: [Date]

    Responsible Individual/Team: [Name/Team Responsible for Implementation]
    Target Completion Date: [Date]

    Milestone 1: Identification of CUI-Containing Equipment

    • Description: Identify all equipment containing or potentially containing CUI that may require off-site maintenance.
    • Actions:
      • Review inventory records and asset management systems to identify CUI-containing equipment.
      • Conduct a physical inspection of equipment to ensure accurate identification.
    • Status: [In Progress/Completed/Not Started]

    Milestone 2: Data Destruction Policy Review

    • Description: Review and update the organization’s Data Destruction Policy to ensure it aligns with the requirements of Control 3.7.3.
    • Actions:
      • Assess the existing policy and identify necessary revisions.
      • Consult with legal and compliance teams to ensure policy compliance.
    • Status: [In Progress/Completed/Not Started]

    Milestone 3: Sanitization Process Implementation

    • Description: Implement the equipment sanitization process as outlined in Control 3.7.3.
    • Actions:
      • Train IT personnel and authorized personnel on the proper sanitization procedures.
      • Develop procedures for securely wiping data, removing and retaining storage media, or other approved measures.
    • Status: [In Progress/Completed/Not Started]

    Milestone 4: Documentation and Record Keeping

    • Description: Establish a system for maintaining records of the sanitization process, including dates, methods used, and personnel involved.
    • Actions:
      • Design and implement a record-keeping system compliant with Control 3.7.3 requirements.
      • Ensure documentation is integrated into the equipment’s maintenance records.
    • Status: [In Progress/Completed/Not Started]

    Milestone 5: Off-Site Maintenance Security Measures Implementation

    • Description: Implement security measures for off-site maintenance of CUI-containing equipment.
    • Actions:
      • Develop an authorization and waiver process for external maintenance providers.
      • Train IT administrators or designated personnel responsible for escorting maintenance personnel.
    • Status: [In Progress/Completed/Not Started]

    Milestone 6: Training and Awareness

    • Description: Provide training to all employees and authorized personnel involved in off-site maintenance activities.
    • Actions:
      • Develop training materials related to the Data Destruction Policy, equipment sanitization procedures, and CUI handling during maintenance.
      • Schedule and conduct training sessions.
    • Status: [In Progress/Completed/Not Started]

    Milestone 7: Ongoing Monitoring and Compliance

    • Description: Establish a system for ongoing monitoring of compliance with Control 3.7.3 and related policies.
    • Actions:
      • Conduct regular audits and reviews of the equipment sanitization process.
      • Ensure that all off-site maintenance activities adhere to the established security measures.
    • Status: [In Progress/Completed/Not Started]

    Milestone 8: Reporting and Incident Handling

    • Description: Develop procedures for reporting security incidents or breaches related to off-site maintenance activities.
    • Actions:
      • Create an incident response plan specific to off-site maintenance incidents.
      • Train personnel on the reporting and handling of incidents.
    • Status: [In Progress/Completed/Not Started]

    Milestone 9: Documentation Update and Review

    • Description: Periodically review and update documentation, including the Data Destruction Policy and equipment sanitization procedures.
    • Actions:
      • Establish a review schedule and responsible individuals/teams.
      • Document any changes or revisions made to policies and procedures.
    • Status: [In Progress/Completed/Not Started]

    Milestone 10: Continuous Improvement

    • Description: Continuously assess and improve the controls related to equipment sanitization for off-site maintenance.
    • Actions:
      • Engage in regular risk assessments and security reviews.
      • Adapt controls to changing threats and technology.
    • Status: [In Progress/Completed/Not Started]

    Example of Data Destruction Policy:

    Data Destruction Policy

    1. Introduction

    At [Your Company Name], we are committed to safeguarding Controlled Unclassified Information (CUI) throughout its lifecycle, including its secure destruction when it is no longer required. This Data Destruction Policy outlines the procedures and guidelines for the secure and compliant disposal of CUI to prevent unauthorized access and maintain the confidentiality, integrity, and availability of sensitive information.

    2. Scope

    This policy applies to all employees, contractors, and third-party entities who handle or have access to CUI within [Your Company Name].

    3. Data Classification and Identification

    CUI must be classified and identified according to organizational policies and relevant regulations. Employees and authorized personnel are responsible for recognizing CUI and ensuring its proper handling and destruction.

    4. Methods of Data Destruction

    CUI can be destroyed using the following approved methods:

    a. Shredding: Paper documents containing CUI should be shredded using a cross-cut or micro-cut shredder to render the information irrecoverable.

    b. Electronic Media: Electronic storage devices (e.g., hard drives, SSDs, USB drives) containing CUI should be securely wiped or physically destroyed.

    5. Secure Destruction Process

    The following steps must be followed when destroying CUI:

    Step 1: Identify CUI: Ensure that the information to be destroyed is correctly identified as CUI and that no vital records are included.

    Step 2: Collect CUI: Gather all CUI materials, including paper documents and electronic media, to be destroyed.

    Step 3: Segregation: Keep CUI materials separate from non-sensitive materials during the destruction process.

    Step 4: Shredding: Use a secure shredding service or equipment to destroy paper documents containing CUI. Ensure that the shredding process results in the information being rendered irrecoverable.

    Step 5: Electronic Media Destruction: For electronic storage devices, use approved data wiping software to overwrite data, or physically destroy the media to make data recovery impossible. For flash-based media such as SSDs, [SP 800-88] notes that overwriting alone may not reach every storage cell, so a media-appropriate sanitize command, cryptographic erase, or physical destruction should be used.

    Step 6: Documentation: Maintain records of the destruction process, including dates, types of media destroyed, and any witnesses present.

    6. Responsibilities

    a. Employees: Employees are responsible for recognizing CUI, properly segregating it for destruction, and following the secure destruction process outlined in this policy.

    b. Security Officer: The Security Officer or designated personnel shall oversee and manage the data destruction process, ensuring compliance with this policy and applicable regulations.

    7. Training

    All employees shall receive training on data destruction procedures and their responsibilities in accordance with this policy. Training shall be provided upon hire and periodically thereafter.

    8. Reporting

    Any unauthorized access or breaches related to data destruction must be reported immediately to the Security Officer and documented as an incident for investigation.

    9. Compliance and Auditing

    Regular audits and compliance checks will be conducted to ensure adherence to this policy. Non-compliance may result in disciplinary action.

    10. Review and Updates

    This Data Destruction Policy will be reviewed regularly to assess its effectiveness and to make adjustments based on lessons learned and changes in regulations or technology.

    11. Conclusion

    The proper and secure destruction of CUI is essential to maintaining the security and confidentiality of sensitive information. This Data Destruction Policy outlines the procedures and responsibilities for the destruction of CUI and serves as a key component of our overall information security program.

    12. Security Considerations

    Moving the server off-site introduces security considerations, as it contains CUI. To address these concerns, the company follows its established procedures, including:

    • Sanitizing the server of CUI data in accordance with its data destruction policy before sending it off-site.
    • Creating an authorization and waiver process for the external maintenance provider, ensuring they understand the presence of CUI and commit to safeguarding it.
    • Assigning an IT administrator to escort the server during transit and while it is being serviced off-site to prevent unauthorized access.

    Example of Equipment Maintenance Waiver and Acknowledgment:

    Equipment Maintenance Waiver and Acknowledgment

    Organization: [Your Company Name]
    Service Provider: [Name of the External Maintenance Provider]
    Date: [Date of the Agreement]

    I, [Service Provider’s Name], representing [Service Provider’s Company Name], hereby acknowledge and agree to the following terms and conditions related to the maintenance of equipment containing Controlled Unclassified Information (CUI) for [Your Company Name]:

    1. Understanding of CUI Presence:
      • I understand and acknowledge that the equipment I will be servicing may contain Controlled Unclassified Information (CUI), as defined by federal regulations and organizational policies.

    2. Confidentiality and Non-Disclosure:
      • I commit to maintaining the confidentiality and security of any information I may encounter during the maintenance process, including but not limited to CUI. I understand that unauthorized access, copying, or disclosure of CUI is strictly prohibited.

    3. Prohibited Activities:
      • I will not make unauthorized copies or backups of any data or information stored on the equipment.
      • I will not attempt to access or retrieve any CUI for any purpose other than the maintenance and repair activities explicitly authorized by [Your Company Name].

    4. Data Protection:
      • I will take all necessary precautions to prevent accidental exposure or compromise of CUI during the maintenance process.

    5. Security Measures:
      • I will comply with all security measures and guidelines provided by [Your Company Name] to protect the integrity and confidentiality of CUI during the maintenance activities.

    6. Reporting Security Incidents:
      • In the event of any suspected security incident or data breach during the maintenance process, I will immediately report it to [Your Company Name] and cooperate fully in the investigation and resolution of the incident.

    7. Compliance with Laws and Policies:
      • I will comply with all applicable federal, state, and local laws and regulations related to the protection and handling of CUI.
      • I will adhere to all relevant organizational policies, procedures, and standards regarding information security and data protection.

    8. Liability:
      • I understand that any violation of this agreement may result in legal and/or contractual penalties, as well as termination of our service contract.

    9. Indemnification:
      • I agree to indemnify and hold harmless [Your Company Name], its officers, employees, and affiliates from any claims, losses, liabilities, costs, or damages arising out of my breach of this agreement or any negligent or willful act or omission on my part.

    I hereby acknowledge that I have read and understood this agreement and agree to comply with all of its terms and conditions.

    Service Provider’s Name: __________________________
    Signature: __________________________
    Date: __________________________

    By signing this agreement, I confirm that I am authorized to represent [Service Provider’s Company Name] in this matter.

    RELEVANT INFORMATION:

    This requirement addresses the information security aspects of system maintenance that are performed off-site and applies to all types of maintenance to any system component (including applications) conducted by a local or nonlocal entity (e.g., in-contract, warranty, in-house, software maintenance agreement). [SP 800-88] provides guidance on media sanitization.

    Resources to consider:

    Security Policy Document:

    This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.

    Asset Inventory and Access Control Sheet:

    Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.

    User Account Management Log:

    Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.

    Password and Multi-Factor Authentication Policy:

    Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.

    Process and Script Accountability Log:

    Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.

    Device Access Control and VPN Policy:

    Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.

    Access Control Review and Monitoring Schedule:

    Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.

    User Training and Awareness Materials:

    Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.