Red Hat Virtualization Host - Maintenance

Control responses for NIST 800-53 rev4.


Requirements Traceability Matrix

Control   Name                                                  Status
MA-1      System Maintenance Policy And Procedures              not applicable
MA-2      Controlled Maintenance                                not applicable
MA-2 (1)  Record Content
MA-2 (2)  Automated Maintenance Activities
MA-3      Maintenance Tools
MA-3 (1)  Inspect Tools
MA-3 (2)  Inspect Media
MA-3 (3)  Prevent Unauthorized Removal
MA-3 (4)  Restricted Tool Use
MA-4      Nonlocal Maintenance                                  complete
MA-4 (1)  Auditing And Review
MA-4 (2)  Document Nonlocal Maintenance
MA-4 (3)  Comparable Security / Sanitization
MA-4 (4)  Authentication / Separation Of Maintenance Sessions
MA-4 (5)  Approvals And Notifications
MA-4 (6)  Cryptographic Protection
MA-4 (7)  Remote Disconnect Verification
MA-5      Maintenance Personnel                                 not applicable
MA-5 (1)  Individuals Without Appropriate Access
MA-5 (2)  Security Clearances For Classified Systems
MA-5 (3)  Citizenship Requirements For Classified Systems
MA-5 (4)  Foreign Nationals
MA-5 (5)  Nonsystem-Related Maintenance
MA-6      Timely Maintenance
MA-6 (1)  Preventive Maintenance
MA-6 (2)  Predictive Maintenance
MA-6 (3)  Automated Support For Predictive Maintenance



MA-1: System Maintenance Policy And Procedures

The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the system maintenance policy and associated system maintenance controls; and b. Reviews and updates the current: 1. System maintenance policy [Assignment: organization-defined frequency]; and 2. System maintenance procedures [Assignment: organization-defined frequency].

MA-1 Control Response Information
Implementation Status:

not applicable

MA-1: What is the solution and how is it implemented?
MA-1(a):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

MA-1(b):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’




MA-2: Controlled Maintenance

The organization: a. Schedules, performs, documents, and reviews records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements; b. Approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location; c. Requires that [Assignment: organization-defined personnel or roles] explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs; d. Sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs; e. Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; and f. Includes [Assignment: organization-defined maintenance-related information] in organizational maintenance records.

MA-2 Control Response Information
Implementation Status:

not applicable

MA-2: What is the solution and how is it implemented?
MA-2(a):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

MA-2(b):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

MA-2(c):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

MA-2(d):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

MA-2(e):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

MA-2(f):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’




MA-2 (1): Record Content

“[Withdrawn: Incorporated into MA-2].”

MA-2 (1) Control Response Information
Implementation Status:
MA-2 (1): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



MA-2 (2): Automated Maintenance Activities

The organization: (2)(a). Employs automated mechanisms to schedule, conduct, and document maintenance and repairs; and (2)(b). Produces up-to-date, accurate, and complete records of all maintenance and repair actions requested, scheduled, in process, and completed.

MA-2 (2) Control Response Information
Implementation Status:
MA-2 (2): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



MA-3: Maintenance Tools

“The organization approves, controls, and monitors information system maintenance tools.”

MA-3 Control Response Information
Implementation Status:
MA-3: What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



MA-3 (1): Inspect Tools

“The organization inspects the maintenance tools carried into a facility by maintenance personnel for improper or unauthorized modifications.”

MA-3 (1) Control Response Information
Implementation Status:
MA-3 (1): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



MA-3 (2): Inspect Media

“The organization checks media containing diagnostic and test programs for malicious code before the media are used in the information system.”

MA-3 (2) Control Response Information
Implementation Status:
MA-3 (2): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



MA-3 (3): Prevent Unauthorized Removal

The organization prevents the unauthorized removal of maintenance equipment containing organizational information by: (3)(a). Verifying that there is no organizational information contained on the equipment; (3)(b). Sanitizing or destroying the equipment; (3)(c). Retaining the equipment within the facility; or (3)(d). Obtaining an exemption from [Assignment: organization-defined personnel or roles] explicitly authorizing removal of the equipment from the facility.

MA-3 (3) Control Response Information
Implementation Status:
MA-3 (3): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



MA-3 (4): Restricted Tool Use

“The information system restricts the use of maintenance tools to authorized personnel only.”

MA-3 (4) Control Response Information
Implementation Status:
MA-3 (4): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



MA-4: Nonlocal Maintenance

The organization: a. Approves and monitors nonlocal maintenance and diagnostic activities; b. Allows the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the information system; c. Employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions; d. Maintains records for nonlocal maintenance and diagnostic activities; and e. Terminates session and network connections when nonlocal maintenance is completed.

MA-4 Control Response Information
Implementation Status:

complete

MA-4: What is the solution and how is it implemented?
MA-4(a):

‘From the perspective of Red Hat Virtualization Host (RHVH), all maintenance and diagnostic activities are monitored regardless of local (e.g. physical console) or nonlocal (e.g. over SSH) access mechanism.’

MA-4(b):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

MA-4(c):

‘From the perspective of Red Hat Virtualization Host (RHVH), both local and nonlocal maintenance and diagnostic sessions will require the same authenticators (as configured to controls in the AC section).’

MA-4(d):

‘From the perspective of Red Hat Virtualization Host (RHVH), session and network connections terminate in the same manner (e.g. once the user logs out) regardless of the local or nonlocal access mechanism used.’




MA-4 (1): Auditing And Review

The organization: (1)(a). Audits nonlocal maintenance and diagnostic sessions [Assignment: organization-defined audit events]; and (1)(b). Reviews the records of the maintenance and diagnostic sessions.

MA-4 (1) Control Response Information
Implementation Status:
MA-4 (1): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



MA-4 (2): Document Nonlocal Maintenance

“The organization documents in the security plan for the information system, the policies and procedures for the establishment and use of nonlocal maintenance and diagnostic connections.”

MA-4 (2) Control Response Information
Implementation Status:
MA-4 (2): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



MA-4 (3): Comparable Security / Sanitization

The organization: (3)(a). Requires that nonlocal maintenance and diagnostic services be performed from an information system that implements a security capability comparable to the capability implemented on the system being serviced; or (3)(b). Removes the component to be serviced from the information system prior to nonlocal maintenance or diagnostic services, sanitizes the component (with regard to organizational information) before removal from organizational facilities, and after the service is performed, inspects and sanitizes the component (with regard to potentially malicious software) before reconnecting the component to the information system.

MA-4 (3) Control Response Information
Implementation Status:
MA-4 (3): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



MA-4 (4): Authentication / Separation Of Maintenance Sessions

The organization protects nonlocal maintenance sessions by: (4)(a). Employing [Assignment: organization-defined authenticators that are replay resistant]; and (4)(b). Separating the maintenance sessions from other network sessions with the information system by either: (4)(b)(1). Physically separated communications paths; or (4)(b)(2). Logically separated communications paths based upon encryption.

MA-4 (4) Control Response Information
Implementation Status:
MA-4 (4): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



MA-4 (5): Approvals And Notifications

The organization: (5)(a). Requires the approval of each nonlocal maintenance session by [Assignment: organization-defined personnel or roles]; and (5)(b). Notifies [Assignment: organization-defined personnel or roles] of the date and time of planned nonlocal maintenance.

MA-4 (5) Control Response Information
Implementation Status:
MA-4 (5): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



MA-4 (6): Cryptographic Protection

“The information system implements cryptographic mechanisms to protect the integrity and confidentiality of nonlocal maintenance and diagnostic communications.”

MA-4 (6) Control Response Information
Implementation Status:
MA-4 (6): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



MA-4 (7): Remote Disconnect Verification

“The information system implements remote disconnect verification at the termination of nonlocal maintenance and diagnostic sessions.”

MA-4 (7) Control Response Information
Implementation Status:
MA-4 (7): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



MA-5: Maintenance Personnel

The organization: a. Establishes a process for maintenance personnel authorization and maintains a list of authorized maintenance organizations or personnel; b. Ensures that non-escorted personnel performing maintenance on the information system have required access authorizations; and c. Designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.

MA-5 Control Response Information
Implementation Status:

not applicable

MA-5: What is the solution and how is it implemented?
MA-5(a):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

MA-5(b):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

MA-5(c):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’




MA-5 (1): Individuals Without Appropriate Access

The organization: (1)(a). Implements procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens, that include the following requirements: (1)(a)(1). Maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals are escorted and supervised during the performance of maintenance and diagnostic activities on the information system by approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified; (1)(a)(2). Prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances or formal access approvals, all volatile information storage components within the information system are sanitized and all nonvolatile storage media are removed or physically disconnected from the system and secured; and (1)(b). Develops and implements alternate security safeguards in the event an information system component cannot be sanitized, removed, or disconnected from the system.

MA-5 (1) Control Response Information
Implementation Status:
MA-5 (1): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



MA-5 (2): Security Clearances For Classified Systems

“The organization ensures that personnel performing maintenance and diagnostic activities on an information system processing, storing, or transmitting classified information possess security clearances and formal access approvals for at least the highest classification level and for all compartments of information on the system.”

MA-5 (2) Control Response Information
Implementation Status:
MA-5 (2): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



MA-5 (3): Citizenship Requirements For Classified Systems

“The organization ensures that personnel performing maintenance and diagnostic activities on an information system processing, storing, or transmitting classified information are U.S. citizens.”

MA-5 (3) Control Response Information
Implementation Status: