NIST 800-53 REV 5 • MAINTENANCE
MA-3 — Maintenance Tools
a. Approve, control, and monitor the use of system maintenance tools; and
b. Review previously approved system maintenance tools [Assignment: organization-defined frequency].
Supplemental Guidance
Approving, controlling, monitoring, and reviewing maintenance tools address security-related issues associated with maintenance tools that are not within system authorization boundaries and are used specifically for diagnostic and repair actions on organizational systems. Organizations have flexibility in determining roles for the approval of maintenance tools and how that approval is documented. A periodic review of maintenance tools facilitates the withdrawal of approval for outdated, unsupported, irrelevant, or no-longer-used tools. Maintenance tools can include hardware, software, and firmware items and may be pre-installed, brought in with maintenance personnel on media, cloud-based, or downloaded from a website. Such tools can be vehicles for transporting malicious code, either intentionally or unintentionally, into a facility and subsequently into systems. Maintenance tools can include hardware and software diagnostic test equipment and packet sniffers. The hardware and software components that support maintenance and are a part of the system (including the software implementing utilities such as "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch) are not addressed by maintenance tools.
Practitioner Notes
Any tool brought in from outside the system's authorization boundary to diagnose or repair it (diagnostic software, USB drives, external hard drives, boot media, vendor support utilities) must be approved before use, controlled while in use, and monitored. Unapproved tools are a common path for introducing malware into a facility and for making undocumented configuration changes. Utilities that are already part of the system, such as ping or ipconfig, are outside the scope of this control, as the supplemental guidance above notes.
Example 1: Maintain an approved tools list that documents every diagnostic and maintenance tool authorized for use on your systems. Include the tool name, version, purpose, and the person responsible for keeping it current. Review and update this list at least annually.
Example 2: Use application allow-listing through AppLocker (GPO path: Computer Configuration → Policies → Windows Settings → Security Settings → Application Control Policies → AppLocker) to restrict which executables, scripts, and installers can run. On servers, the AppLocker rules that admit maintenance tools should cover only the tools on the approved list; deploy the policy in audit-only mode first, review the AppLocker event log for blocked approved tools, and only then switch to enforcement.
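The two examples above are one workflow: the approved-tools list (Example 1) is the source of truth, and the AppLocker rules (Example 2) should be derived from it. The script below is an added illustration, not NIST text and not part of this page's examples. It assumes a CSV manifest at a hypothetical path with the columns Name, Version, Path, Purpose, Owner, SHA256 and LastReviewed; the manifest path, the output path, and the 365-day review interval are assumptions. It drops entries whose review is overdue or whose on-disk hash no longer matches the recorded one, builds AppLocker publisher and hash rules for the rest with the built-in AppLocker cmdlets, dry-runs the policy against each tool, and exports it as XML for review.

```powershell
# Added example: verify the MA-3 approved-tools manifest and generate AppLocker
# allow rules from the entries that pass. Not code from NIST or from this page.
#
# Assumed manifest format (CSV, path is hypothetical):
#   Name,Version,Path,Purpose,Owner,SHA256,LastReviewed
#   DiskDiag,4.2.1,C:\Maintenance\Tools\diskdiag.exe,Disk diagnostics,j.doe,<sha256>,2024-03-01
$manifestPath = 'C:\Maintenance\approved-tools.csv'          # assumption
$policyOut    = 'C:\Maintenance\ma3-approved-tools.xml'      # assumption
$reviewDays   = 365   # MA-3b frequency; the page recommends at least annual review

$approved = Import-Csv -Path $manifestPath
$valid    = @()

foreach ($tool in $approved) {
    # MA-3b: approval lapses when the periodic review has not happened.
    $lastReviewed = [datetime]::Parse($tool.LastReviewed)
    if (((Get-Date) - $lastReviewed) -gt [timespan]::FromDays($reviewDays)) {
        Write-Warning "$($tool.Name) $($tool.Version): review overdue (last $($tool.LastReviewed)); not allowed"
        continue
    }
    if (-not (Test-Path -LiteralPath $tool.Path)) {
        Write-Warning "$($tool.Name): $($tool.Path) not found; not allowed"
        continue
    }
    # A binary whose hash no longer matches the manifest was replaced outside
    # the approval process (update, tampering, wrong copy): treat as unapproved.
    $actual = (Get-FileHash -LiteralPath $tool.Path -Algorithm SHA256).Hash
    if ($actual -ne $tool.SHA256.ToUpper()) {
        Write-Warning "$($tool.Name): hash mismatch (manifest $($tool.SHA256), on disk $actual); not allowed"
        continue
    }
    $valid += $tool
}

if ($valid.Count -eq 0) {
    throw 'No approved tools passed verification; no policy generated.'
}

# Publisher rules keep working across version updates of signed tools; hash
# rules cover unsigned ones and must be regenerated whenever a tool changes.
# -Optimize merges rules that share a publisher.
$fileInfo = $valid | ForEach-Object { Get-AppLockerFileInformation -Path $_.Path }
$policy   = New-AppLockerPolicy -FileInformation $fileInfo `
                -RuleType Publisher, Hash -User Everyone `
                -RuleNamePrefix 'MA-3 approved tool' -Optimize

# Dry-run: every approved tool should come back Allowed before anything is deployed.
foreach ($tool in $valid) {
    $decision = Test-AppLockerPolicy -PolicyObject $policy -Path $tool.Path -User Everyone
    '{0,-50} {1}' -f $tool.Path, $decision.PolicyDecision
}

# Export for review. Import into the GPO (Set-AppLockerPolicy -XmlPolicy ... -Ldap ...)
# only after merging with the default rules, otherwise Windows itself is blocked.
$policy.ToXml() | Out-File -FilePath $policyOut -Encoding utf8
```

The generated policy contains only the allow rules for the approved tools. AppLocker's executable rule collection denies anything not explicitly allowed once enforcement is on, so merge these rules with the default rules (Windows and Program Files for Everyone, everything for Administrators) and run the collection in AuditOnly mode before switching to Enforce. Re-run the script whenever the manifest changes, and treat a hash mismatch on a tool that is still on the list as an incident to investigate rather than a reason to update the manifest.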