STIGhubSTIGhub
STIGsRMF ControlsCompare
STIGhub— A free STIG search and compliance tool·STIGs updated 3 days ago
Powered by Pylon·Privacy·Terms·© 2026 Beacon Cloud Solutions, Inc.
← All Controls

MA-2

MaintenanceRev 5organization

Controlled Maintenance

Baselines:LowModerateHigh

Control Statement

a. Schedule, document, and review records of maintenance, repair, and replacement on system components in accordance with manufacturer or vendor specifications and/or organizational requirements; b. Approve and monitor all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location; c. Require that [Assignment: personnel or roles] explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement; d. Sanitize equipment to remove the following information from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement: [Assignment: information]; e. Check all potentially impacted controls to verify that the controls are still functioning properly following maintenance, repair, or replacement actions; and f. Include the following information in organizational maintenance records: [Assignment: information].

Supplemental Guidance

Controlling system maintenance addresses the information security aspects of the system maintenance program and applies to all types of maintenance to system components conducted by local or nonlocal entities. Maintenance includes peripherals such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes the date and time of maintenance, a description of the maintenance performed, names of the individuals or group performing the maintenance, name of the escort, and system components or equipment that are removed or replaced. Organizations consider supply chain-related risks associated with replacement components for systems.

Related Controls (12)

CM-2CM-3CM-4CM-5CM-8MA-4MP-6PE-16SI-2SR-3SR-4SR-11

CCI Identifiers (24)

CCI-000861Sanitize equipment to remove organization-defined information from associated media prior to removal from organizational facilities for off-site maintenance, repairs or replacement.CCI-002873Review records of repairs on system components in accordance with manufacturer or vendor specifications and/or organizational requirements.CCI-004178Monitor all maintenance activities, whether performed on site or remotely.CCI-004179Approve all maintenance activities, whether the system or system components are serviced on site or removed to another location.CCI-004180Monitor all maintenance activities, whether the system or system components are serviced on site or removed to another location.CCI-000858The organization schedules, performs, documents, and reviews records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements.CCI-000859The organization approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location.

Linked STIG Checks (0)

No STIG checks reference this control.

CCI-000860
Require that organization-defines personnel or roles explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement.
CCI-000862Check all potentially impacted controls to verify that the controls are still functioning properly following maintenance, repair or replacement actions.
CCI-004174Schedule replacement on system components in accordance with manufacturer or vendor specifications and/or organizational requirements.
CCI-004175Document replacement on system components in accordance with manufacturer or vendor specifications and/or organizational requirements.
CCI-004176Review records of replacement on system components in accordance with manufacturer or vendor specifications and/or organizational requirements.
CCI-004177Approve all maintenance activities, whether performed on site or remotely.
CCI-002866Schedule maintenance on system components in accordance with manufacturer or vendor specifications and/or organizational requirements.
CCI-002867The organization performs maintenance on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements.
CCI-002868Document records of maintenance on system components in accordance with manufacturer or vendor specifications and/or organizational requirements.
CCI-002869Review records of maintenance on system components in accordance with manufacturer or vendor specifications and/or organizational requirements.
CCI-002870Schedule repair on system components in accordance with manufacturer or vendor specifications and/or organizational requirements.
CCI-002871The organization performs repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements.
CCI-002872Document repair on system components in accordance with manufacturer or vendor specifications and/or organizational requirements.
CCI-002874Defines the personnel or roles who can explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repairs or replacement.
CCI-002875Include organization-defined information in organizational maintenance records.
CCI-002876Defines the information to include in organizational maintenance records.
CCI-004181Defines the information to be removed from associated media.