MA-2 Controlled Maintenance
Description
This Control addresses the information security aspects of the information system maintenance program and applies to all types of maintenance to any system component (including applications) conducted by any local or non-local entity (e.g., in-contract, warranty, in-house, software maintenance agreement).
System maintenance also includes those components not directly associated with information processing and/or data/information retention such as scanners, copiers, and printers.
Information necessary for creating effective maintenance records includes, for example:
- date and time of maintenance;
- name of individuals or group performing the maintenance;
- name of escort, if necessary;
- a description of the maintenance performed; and
- information system components/equipment removed or replaced (including identification numbers, if applicable).
The level of detail included in maintenance records can be informed by the security categories of organizational information systems. Organizations consider supply chain issues associated with replacement components for information systems.
Applicability
The owner of an information resource, or designee, is responsible for implementing this Control.
Implementation
TAMU-CC shall schedule, perform, document, and review records of routine preventative and regular maintenance (including repairs) on the components of the information system in accordance with manufacturer or vendor specifications and/or organizational requirements, and shall:
- Approve and monitor all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;
- Require that Owners and Custodians explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs;
- Sanitize equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs;
- Check all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; and
- Include appropriate information in maintenance records or document it in a change control mechanism.
Revision History
Last Updated: February 21, 2025
Previous Versions:
- June 29, 2023
- May 31, 2022
- March 25, 2021
- September 16, 2019