MA-4 NONLOCAL MAINTENANCE

Page last updated:

PCF Compliance

Compliance with the requirements defined in this control are a deployer responsibility.

Nonlocal maintenance is interpreted to mean performing remote support via an authenticated network connection. Operators have the option to enable SSH login to PAS VMs using either the BOSH CLI, and/or via any standard SSH client.


Control Description

The organization:

  1. Approves and monitors nonlocal maintenance and diagnostic activities;
  2. Allows the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the information system;
  3. Employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions;
  4. Maintains records for nonlocal maintenance and diagnostic activities; and
  5. Terminates session and network connections when nonlocal maintenance is completed.

Supplemental Guidance

Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. Authentication techniques used in the establishment of nonlocal maintenance and diagnostic sessions reflect the network access requirements in IA-2. Typically, strong authentication requires authenticators that are resistant to replay attacks and employ multifactor authentication. Strong authenticators include, for example, PKI where certificates are stored on a token protected by a password, passphrase, or biometric. Enforcing requirements in MA-4 is accomplished in part by other controls.