Maintenance Plan

Approach basics → §4.x

Tooling and roles that anchor the rest of the plan.

Maintenance scheduling system (one-liner) * Where maintenance is scheduled and recorded (e.g., 'ServiceNow CMDB + Change module', 'Maximo CMMS', 'Inherited from cloud provider — no system-managed hardware').

Maintenance-vendor management role * Role accountable for vendor maintenance personnel (e.g., 'Facilities Operations Manager + Contracting Officer', 'ISSO with PSO support').

Nonlocal-maintenance channel How remote maintenance reaches system components (e.g., 'GFE-laptop + agency VPN with MFA + session recording', 'Vendor-side privileged-access workstation through bastion'). Reference the SC plan for transmission protections.

Spare-parts inventory location Where spare components are inventoried (e.g., 'Onsite cage + cloud-provider auto-replacement; CMDB tracks individual spares by serial').

Hosting-inheritance summary One-line summary of which MA controls are inherited from the hosting provider (e.g., 'MA-2 / MA-3 inherited from AWS; system-managed for endpoint workstations only').

Controlled Maintenance (MA-2) → §4.x

Scheduling, approval, recording, and post-maintenance security.

Maintenance approval workflow How maintenance is approved before execution (e.g., 'CCB approves planned maintenance windows; emergency maintenance requires retroactive approval within 24h'). Reference CM-3 for change-control overlap.

Maintenance-record required fields

Date and time Component identifier Maintenance reason Personnel performing maintenance Escort name (if vendor) Maintenance tools used Media introduced / removed Sanitization performed before / after Approval record cite Verification of restoration Linked CM-3 change record

Pre-vendor-maintenance sanitization How information is sanitized from a component before vendor maintenance (especially when component leaves the facility). Reference NIST SP 800-88 r1 categories (Clear / Purge / Destroy).

Post-maintenance security check Verification that security controls remain intact after maintenance (FIM check, configuration-baseline verification, integrity scan). Reference SI-7 for integrity verification.

Maintenance-record retention How long maintenance records are retained. Reference NARA records-retention schedule.

Maintenance Tools (MA-3) → §4.x

Tool inventory, inspection, and media handling.

Maintenance-tool categories in scope

Diagnostic / test tools (multimeters, cable testers) Software diagnostic packages (vendor utilities) Bootable diagnostic media (USB / CD) Network protocol analyzers (Wireshark, etc.) Hardware test equipment (logic analyzers, JTAG) Vendor-provided remote-diagnostic appliances Replacement components (spares) Field-service kits

Tool-modification inspection (MA-3(1)) How maintenance tools are inspected for improper modifications before use. Tamper-evident packaging, vendor-supplied integrity hashes.

Media-inspection for malicious code (MA-3(2)) How media brought in for diagnostics (USB, CDs, etc.) is scanned for malware before use. Dedicated scan-station, write-blocked-read.

Unauthorized-removal prevention (MA-3(3)) How equipment is checked at removal (per MA-3(3)) — verify the component or media is sanitized or authorized for removal. Coordinated with PE-16.

Tool storage location Where maintenance tools are stored when not in use (locked cabinet, controlled checkout system).

Nonlocal Maintenance (MA-4) → §4.x

Remote / vendor maintenance over network channels.

Session-initiation workflow How a nonlocal maintenance session is initiated (e.g., 'Vendor requests via Service Now → ISSO approval → just-in-time bastion access opened for the window → revoked at session end').

Session protections in place

MFA required Session recording (full keyboard / screen capture) Just-in-time access provisioned for window Bastion / jump-server enforced (no direct vendor → host) Endpoint posture check on vendor device Time-limited session Approver-monitored session FIPS-validated TLS / SSH end-to-end VPN gateway with logging

Session-disconnect verification How session termination is verified (no lingering processes, no re-auth credentials cached).

Session-recording retention How long nonlocal-maintenance session recordings are retained. Useful for after-action review when anomalies are reported. Reference AU plan.

Classified-system nonlocal-maintenance handling If applicable: special handling per CNSSP-300. Often non-local maintenance is prohibited on classified systems.

Maintenance Personnel (MA-5) → §4.x

Vendor staff governance, escort, and access.

Personnel screening requirement Required background-investigation level for maintenance personnel. Reference PS-3 / PS-7 standards. Cleared vs uncleared personnel handling.

Escort policy — Select — All vendor staff escorted at all times (default) Cleared vendor staff unescorted in approved areas; uncleared escorted Escort required only in sensitive zones; perimeter areas free No escort required (vendor fully cleared + indoctrinated)

Vendor-authorization process How specific vendor employees are authorized for access (vendor-supplied roster, PIV-I cards, agency-issued temporary badges). Reference PS-7.

Temporary-access provisioning SLA Time from vendor-personnel-change notification to access record updated. Common: 'Within 1 business day'.

Post-visit review How vendor visits are reviewed after the fact (escort log review, surveillance review for anomalies, badge-event reconciliation).

Timely Maintenance (MA-6) → §4.x

Spare-parts inventory and component-replacement SLAs.

Critical-component register (MA-6 ODV) Components for which timely-maintenance SLAs apply. MA-6 ODV — system components requiring obtainable spare parts within an organization-defined time period.

Replacement SLA by component class Time within which each component class must be replaceable. Example: 'HSM: 24h; production database server: 4h via cloud-provider auto-replacement; network appliance: 72h with vendor next-business-day support contract'.

Spare-inventory strategy — Select — Onsite cold spares for critical components Vendor-managed inventory with N4H delivery contract Cloud-provider auto-replacement (effectively infinite spares) Mixed (onsite for critical; vendor-managed for non-critical) Best-effort (no formal SLA)

Spare-test cadence How often spares are tested to ensure they are functional when needed (rotation schedule, periodic boot test).

Maintenance Scope and Coverage → §2.x

Quantitative scope numbers that anchor metrics later in the plan.

System components requiring maintenance Approximate count of components that need MA-2 controlled-maintenance handling.

Maintenance vendors / personnel count Approximate count of vendor maintenance personnel with system access (PS-7).

Nonlocal-maintenance session volume Approximate sessions per quarter (anchors session-recording storage planning).

Critical components with spares Count of components covered by spare-parts inventory (MA-6).

Maintenance Metrics & KPIs → §6.x

Metrics tracked to demonstrate MA control effectiveness.

Tracked metrics

Add item

Suggested: + Maintenance-window adherence rate (% scheduled vs ad-hoc) + Mean time between failures (MTBF) + Mean time to repair (MTTR) + Vendor-escort completion rate (% sessions with escort logged) + Sanitization-before-vendor-maintenance compliance rate + Nonlocal-maintenance session-recording completeness rate + Vendor-personnel-roster reconciliation gap count + Critical-component spare-availability rate + Spare-test completion rate + Open POA&M items linked to MA controls

Maintenance Anomaly Detection → §6.x

How anomalies in maintenance activity are detected and escalated.

Detection signals

Maintenance performed without record Maintenance performed outside approved window Vendor session lacking escort log Tool / media not in inventory Session-recording gap Configuration drift detected post-maintenance Unauthorized removal of equipment

Escalation path How detected anomalies escalate (typically to the IR plan workflow). Severity classification.

Cross-references to other RMF artifacts → §7

Where this plan plugs into the broader RMF package.

SSP section reference Where in the SSP the MA control implementations are summarized (e.g., 'SSP §13.7').

POA&M ID prefix for MA findings Convention for MA-related POA&M items (e.g., 'POAM-MA-' for general).

PE handoff How MA-5 maintenance personnel use the PE-3 escort policy and PE-2 access list. Vendor-visit coordination.

PS handoff How MA-5 maintenance personnel are screened per PS-3 / PS-7. Trigger when vendor personnel change.

MP handoff How MA-3(2) media inspection coordinates with MP-5 transport handling and MA-2 pre-maintenance sanitization with MP-6 sanitization.

CM handoff How MA-2 maintenance records feed CM-3 change control where maintenance produces configuration changes.

IR handoff How maintenance anomalies (tampered tools, unauthorized media, anomalous nonlocal sessions) escalate into the IR plan.

CA-7 continuous-monitoring strategy reference Pointer to the CA-7 monitoring strategy document tying MA continuous-monitoring metrics to the broader ConMon plan.