MA — Maintenance
Maintenance is one of the smallest families in NIST SP 800-53, and it is also one of the most misread. MA is not about patching, configuration changes, or watching logs. Patch cadence and flaw remediation live in SI and RA-5; configuration change control is CM-3; the logs are AU. MA governs the maintenance activity itself: who is allowed to lay hands on the system, the tools and media they physically bring in, the remote session a vendor opens to fix something, and whether equipment that leaves your boundary for repair comes back clean. If your SSP narrative for MA is talking about Patch Tuesday, it is describing the wrong family.

MA is a control catalog family, not a step of the RMF. The RMF is the SP 800-37 process: Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor. MA controls get pulled in at Select from your baseline, get real implementations and SSP narratives at Implement, and get graded at Assess, with whatever fails landing in the POA&M. The categorization that drives the baseline comes from FIPS 199; FIPS 200 sets the minimum-security floor; and since Rev 5 the Low/Moderate/High allocations no longer live in the catalog at all. They moved into SP 800-53B, which is the document you actually tailor against.
What’s in the family
The MA family is short and, unlike AC, fully live. Nothing in it was withdrawn in the Rev 4-to-Rev 5 cleanup; the only change to its shape was the addition of MA-7, which did not exist in Rev 4. It runs MA-1 through MA-7, no gaps:
- MA-1, Policy and Procedures. The org-level maintenance policy and the procedures that operationalize it. Rev 5 retitled every dash-1 control to plain “Policy and Procedures,” so an SSP still calling this “Maintenance Policy and Procedures” is quoting Rev 4 boilerplate.
- MA-2, Controlled Maintenance. Schedule, document, and review maintenance and repairs. The part assessors care about is the equipment-sanitization clause: before a system or component leaves the facility for off-site maintenance, you remove organizational information from it, and you check it for surprises when it comes back. This is not configuration change control. If you see MA-2 described as “identifying, evaluating, and approving changes to the configuration,” someone confused it with CM-3.
- MA-3, Maintenance Tools. The control most people skip. It governs the laptop, the USB stick, the diagnostic dongle the field tech walks in with. MA-3(1) inspects the tools, MA-3(2) inspects the media those tools carry for malicious code, and MA-3(3) prevents unauthorized removal of maintenance equipment (so the tech does not walk out with a drive full of your data on a “diagnostic” disk).
- MA-4, Nonlocal Maintenance. Remote and nonlocal maintenance sessions: strong authentication, recordkeeping of the session, and tearing the connection down when the work is done. This is where most of the family’s real risk sits, and its overlap with AC-17 is exactly where the requirements get missed (more below).
- MA-5, Maintenance Personnel. Authorizing the people who do maintenance and keeping a current list. MA-5(1) is the meaty enhancement: how you handle individuals without the required clearance or access authorization, which in practice means escorting and supervising an uncleared tech the whole time the chassis is open.
- MA-6, Timely Maintenance. Obtaining maintenance support and spare parts within a defined response time for the components that matter. This is where Moderate and especially High systems carry a real SLA on critical hardware, not just a service contract that says “best effort.”
- MA-7, Field Maintenance. Restricting or directing where field maintenance happens (controlled facility versus in the field). MA-7 is not allocated to any baseline; it is selection-driven, pulled in by an overlay or a specific need rather than handed to you by impact level.
Baselines and where these controls come from
MA-1 through MA-6 are baseline-allocated. MA-7 is not. The allocations escalate with impact roughly the way you’d expect. The base controls MA-2, MA-4 and MA-5 are in the Low baseline and above. MA-3 with its tool and media enhancements (MA-3(1) through MA-3(3)) and MA-6 timely maintenance land at Moderate and High. The strictest pieces bite only at High: MA-5(1), the handling of individuals without the required access authorization, and MA-4(3), which demands comparable security (or sanitization of the maintained component) for nonlocal maintenance performed from a less-trusted system.
That allocation is not a menu you order from. It is the 800-53B baseline for your impact level, plus or minus tailoring you can defend in the SSP, plus whatever your overlay forces on top. For national-security systems CNSSI 1253 sets the selection instead, and DoD layers RMF expectations through DoDI 8510.01. FedRAMP runs its own overlay for cloud. Tailoring MA-3 media inspection out of a High system because “our techs are trusted” is a conversation you will lose.
Deeper: nonlocal maintenance is the same wire as remote access, wearing a different hat.
MA-4 and AC-17 describe the same physical reality from two control families. A vendor opens a session to your storage array to push firmware; that session is remote access (AC-17) and it is nonlocal maintenance (MA-4) at the same time. The brittleness comes from where it gets documented. Teams write the vendor path up under AC-17 because that’s where remote access lives in their heads, then nobody circles back to satisfy MA-4’s specific demands: strong authentication for the maintenance session, a record of who connected and what they did, and termination of the session and network connection when the work ends (and, through AC-2, of any temporary account created for it). The authenticator side leans on IA-2 and IA-5. The result is a control that reads “satisfied by AC-17” in the SSP and was never actually assessed against MA-4’s own language. An assessor who knows the family will ask to see the maintenance-session records specifically, and “we treat that as remote access” is not an answer.
| Control | Typical first live at | What an assessor actually checks |
|---|---|---|
| MA-2 | Low | Maintenance records exist and are current; sample one off-site repair and look for the sanitization sign-off before the box left and the inspection record when it came back. |
| MA-3 | Moderate | Is there an actual procedure for the tools a tech brings in, and has anyone ever executed it? “We inspect maintenance tools” with zero inspection records is theater. |
| MA-3(2) | Moderate | Maintenance media gets scanned for malicious code before it touches the system. Ask for the scan evidence, not the policy. |
| MA-4 | Low | Enumerate every nonlocal maintenance path, confirm strong auth, and pull the session records. Cross-check against the AC-17 remote-access inventory; the gap is the finding. |
| MA-5 | Low | A current, authorized maintenance-personnel list, and escort evidence for anyone on it without the required access. |
| MA-5(1) | High | The procedure for uncleared individuals: continuous supervision by someone who is cleared, and what happens to org data they could have seen. |
| MA-6 | Moderate | A defined response time for critical components and evidence the support arrangement actually meets it. A generic vendor contract is not an SLA. |
Treat “first live at” as directional. Your overlay moves it, and an enhancement optional at Moderate is often mandatory at High.
Where it actually goes wrong
MA-3 is the most-skipped control in the family, and I’ll plant a flag on it. Most shops can produce an MA-1 policy that says maintenance tools are controlled, and almost none can produce a record of anyone actually inspecting the laptop a field engineer walked in with. The control is concrete and easy to assess precisely because it is so rarely done: ask for the last inspection record for maintenance media, watch the silence. The malicious-code path here is real. A diagnostic USB stick that lived in three other customers’ datacenters this month is exactly the removable media SI-3 and MP exist to worry about, and MA-3(2) is the control that says somebody scans it before it goes into your machine. Where it goes brittle: the inspection is supposed to happen at the door, and the door is usually a loading dock at 4 p.m. with a tech who has a flight to catch.
MA-4 hiding under AC-17. Covered in the callout above, but it bears repeating as the single most common MA finding. The remote vendor path gets documented once, in the wrong family, and the MA-4 session-record and strong-auth requirements quietly go unmet. Go read your own AC-17 inventory, ask which of those paths are maintenance paths, and make sure each one has a maintenance-session record behind it.
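The cross-check described in the callout and the table row for MA-4 (enumerate the remote-access paths, decide which are maintenance paths, and confirm each has strong auth, a session record, and a recorded termination) is mechanical enough to script. What follows is an added example, not code from the page, from NIST or from any assessment tool: it reconciles a constructed AC-17 inventory against a constructed MA-4 session log and emits the findings. The record layout, the set of authenticators treated as “strong” (STRONG_AUTH), the eight-hour open-session threshold (MAX_OPEN) and every path and session in the sample data are assumptions chosen for illustration; substitute the values your SSP actually defines.

```python
"""Reconcile an AC-17 remote-access inventory against MA-4 nonlocal-maintenance
session records and report the gaps an assessor would write up.

Added example; not code from the page or from NIST. Record layout, the
STRONG_AUTH set, MAX_OPEN and all sample data are constructed assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Authenticator types the org's MA-4 parameter accepts as "strong authentication".
# Assumption: these three; substitute whatever the SSP names.
STRONG_AUTH = {"piv", "fido2", "hardware-otp"}
# A session still open this long after it started is treated as never terminated.
MAX_OPEN = timedelta(hours=8)


@dataclass(frozen=True)
class RemotePath:
    """One row of the AC-17 remote-access inventory."""
    path_id: str
    description: str
    maintenance: bool  # does a vendor or technician use it to maintain the system?


@dataclass(frozen=True)
class MaintenanceSession:
    """One MA-4 session record: who connected, how, when, and what they did."""
    session_id: str
    path_id: str
    who: str
    auth_method: str
    started: datetime
    ended: Optional[datetime]  # None means no termination was recorded
    work_performed: str


@dataclass(frozen=True)
class Finding:
    requirement: str  # the MA-4 demand (or AC-17 inventory property) left unmet
    path_id: str
    detail: str


def reconcile(paths, sessions, now):
    """Return the findings raised by comparing the two sources as of `now`."""
    findings = []
    inventory = {p.path_id: p for p in paths}
    sessions_by_path = {}
    for s in sessions:
        sessions_by_path.setdefault(s.path_id, []).append(s)

    # Session-level checks: authentication strength, record completeness, termination.
    for s in sessions:
        if s.auth_method not in STRONG_AUTH:
            findings.append(Finding("MA-4 strong authentication", s.path_id,
                                    f"{s.session_id} authenticated with '{s.auth_method}'"))
        if not s.work_performed.strip():
            findings.append(Finding("MA-4 session records", s.path_id,
                                    f"{s.session_id} records no work performed"))
        if s.ended is None and now - s.started > MAX_OPEN:
            findings.append(Finding("MA-4 termination", s.path_id,
                                    f"{s.session_id} has no recorded termination"))

    # Path-level checks: every maintenance path needs records, and every path that
    # carries maintenance sessions must be inventoried and approved for maintenance.
    for p in paths:
        if p.maintenance and p.path_id not in sessions_by_path:
            findings.append(Finding("MA-4 session records", p.path_id,
                                    "maintenance path with no session records at all"))
    for path_id in sessions_by_path:
        p = inventory.get(path_id)
        if p is None:
            findings.append(Finding("AC-17 inventory", path_id,
                                    "maintenance sessions on a path absent from the AC-17 inventory"))
        elif not p.maintenance:
            findings.append(Finding("MA-4 approval", path_id,
                                    "maintenance performed over a path not approved for it"))
    return findings


def summarize(findings):
    """Count findings per unmet requirement, for the SAR roll-up."""
    return dict(Counter(f.requirement for f in findings))


# Constructed sample data (assumptions, not real systems or people).
SAMPLE_NOW = datetime(2024, 3, 1, 17, 0)
SAMPLE_PATHS = [
    RemotePath("VPN-ADMIN", "admin VPN used by infra team and vendors", maintenance=True),
    RemotePath("STORAGE-VENDOR", "vendor jump host into the storage array", maintenance=True),
    RemotePath("USER-VPN", "general user VPN", maintenance=False),
]
SAMPLE_SESSIONS = [
    MaintenanceSession("S-1001", "STORAGE-VENDOR", "vendor.tech@example.com", "piv",
                       datetime(2024, 2, 28, 9, 0), datetime(2024, 2, 28, 11, 30),
                       "firmware 4.2 pushed to controllers A and B"),
    MaintenanceSession("S-1002", "STORAGE-VENDOR", "vendor.tech@example.com", "password",
                       datetime(2024, 3, 1, 8, 0), None, "diagnostic log pull"),
    MaintenanceSession("S-1003", "USER-VPN", "contractor.dba@example.com", "password",
                       datetime(2024, 2, 29, 22, 0), datetime(2024, 2, 29, 23, 0),
                       "emergency database patch"),
    MaintenanceSession("S-1004", "OOB-MODEM", "oem.support@example.com", "hardware-otp",
                       datetime(2024, 2, 27, 14, 0), datetime(2024, 2, 27, 14, 45), ""),
]

if __name__ == "__main__":
    for f in reconcile(SAMPLE_PATHS, SAMPLE_SESSIONS, SAMPLE_NOW):
        print(f"{f.requirement:28} {f.path_id:16} {f.detail}")
```

Run against the sample data this reports seven findings: the admin VPN is a maintenance path with no session records at all, the storage vendor’s second session used a password and was never closed, the contractor patched a database over a path the AC-17 inventory does not approve for maintenance, and an out-of-band modem carries maintenance sessions that the inventory does not list. The last two are the “gap is the finding” case from the table: they only surface when the two sources are joined, which is exactly what never happens when MA-4 is written up as “satisfied by AC-17”.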
MA-5 escorting that doesn’t actually escort. The uncleared-tech scenario is where MA-5(1) meets the physical world, and the physical world is messy. The escort requirement ties straight into PE physical access and PS-3 personnel screening: the person doing the supervising has to be cleared and knowledgeable enough to know when the tech is doing something they shouldn’t. An escort who stands in the doorway scrolling their phone while a contractor has a console open is satisfying the paperwork and not the control. Assessors will ask what the escort is actually watching for.
MA-2 sanitization and the supply-chain tail. When a failed drive leaves for warranty replacement, the org data on it leaves too unless somebody sanitized it first, and the replacement part coming back in is a supply-chain question (SR) and a media-protection question (MP) at once. The clean narrative says “media is sanitized prior to off-site maintenance per MA-2.” The reality is the one drive swapped during an after-hours outage by an on-call who didn’t know the procedure existed. Sample the off-site repairs; that’s where the gap shows.
MA is a small family, so the temptation is to treat it as a box-check. The controls that bite (MA-3, MA-4, MA-5(1)) are physical and procedural, which means they fail quietly, in the gaps between families. An SSP that restates the catalog text back at the assessor instead of naming who inspected which tool, on what date, against what procedure, is the fastest way to a row of “Other Than Satisfied” in the SAR.
Sources
- SP 800-53 Rev. 5, Security and Privacy Controls for Information Systems and Organizations (NIST)
- SP 800-53B, Control Baselines for Information Systems and Organizations (NIST)
- SP 800-37 Rev. 2, Risk Management Framework for Information Systems and Organizations (NIST)
- FIPS 199, Standards for Security Categorization of Federal Information and Information Systems (NIST)
- FIPS 200, Minimum Security Requirements for Federal Information and Information Systems (NIST)
- CNSSI 1253, Security Categorization and Control Selection for National Security Systems (CNSS)
- DoDI 8510.01, Risk Management Framework for DoD Systems (DoD)
Adjacent material on this site
- AC, Access Control (where MA-4 nonlocal maintenance overlaps AC-17 remote access)
- IA, Identification and Authentication (the strong auth a maintenance session relies on)
- PE, Physical and Environmental Protection (where escorting maintenance personnel actually happens)
- MP, Media Protection (sanitization before off-site repair, and the media a tech brings in)
- RMF control families overview
- RMF roadmap