3.7.3—Maintenance - Derived
Derived Requirement
>Control Description
Ensure equipment removed for off-site maintenance is sanitized of any CUI.
>Discussion
This requirement addresses the information security aspects of system maintenance that are performed off-site and applies to all types of maintenance to any system component (including applications) conducted by a local or nonlocal entity (e.g., in-contract, warranty, in-house, software maintenance agreement). [SP 800-88] provides guidance on media sanitization.
>Cross-Framework Mappings
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- What policies govern sanitization of maintenance equipment?
- What procedures ensure equipment is cleaned before use?
- Who is responsible for equipment sanitization verification?
- How do you handle equipment from external maintenance providers?
- What governance prevents contamination from maintenance equipment?
Technical Implementation:
- What technical methods sanitize maintenance equipment?
- How do you scan equipment for malware before use?
- What controls prevent contaminated equipment from connecting?
- How do you verify equipment cleanliness technically?
- What network segmentation isolates maintenance equipment?
Evidence & Documentation:
- Can you provide equipment sanitization procedures?
- What documentation verifies equipment is clean before use?
- Can you demonstrate scanning of maintenance equipment?
- What evidence shows sanitization controls are followed?
- What audit records track equipment sanitization?