1916 System Maintenance Policy

Department of Human Services
Online Directives Information System

Index:

POL1916

Revised:

06/02/2025

Next Review:

06/02/2027

Subject: DHS Information Security Policies

Policy

This policy establishes the Enterprise System Maintenance Policy, for managing risks from information asset maintenance and repairs through the establishment of an effective System Maintenance program. The system maintenance program helps DHS implement security best practices with regard to enterprise system maintenance and repairs.

Authority

United States Department of Commerce National Institute for Standards and Technology (NIST)
United States Internal Revenue Service
United States Department of Health & Human Services – Administration of Children and Families (ACF), Office of Child Support Services (OCSS)
United States Department of Health & Human Services - Centers for Medicare & Medicaid Services (CMS)
Georgia Technology Authority
Social Security Administration
Federal Bureau Investigation (Criminal Justice Information Services)

References

United States Department of Commerce National Institute for Standards and Technology (NIST) Special Publication 800-53 Security and Privacy Controls for Federal Information Systems and Organizations, Revision 5, September 2020
United States Department of Commerce National Institute for Standards and Technology (NIST) Special Publication 800-63-3 “Digital Identity Guidelines” June 2017
United States Department of Commerce National Institute for Standards and Technology (NIST) Special Publication 800-100 “Information Security Handbook: A Guide for Managers” March 2007
Georgia Technology Authority Enterprise Information Security Policy
United States Department of Commerce National Institute for Standards and Technology (NIST) Special Publication SP800-12 An Introduction to Information Security June 2017
United States Internal Revenue Service, IRS Publication 1075 Tax Information Security Guidelines For Federal, State and Local Agencies Safeguards for Protecting Federal Tax Returns and Return Information
Centers for Medicare & Medicaid Services, Volume II: Minimum Acceptable Risk Standards for Exchanges
Social Security Administration (“SSA”) Electronic Information Exchange Security Requirements and Procedures for State and Local Agencies Exchanging Electronic Information with the Social Security Administration (“TSSR”)
Criminal Justice Information Services Security Policy
ACF/OCSS - Security Agreement

Applicability

The scope of this policy is applicable to all Information Technology (IT) resources owned or operated by DHS. Any information, not specifically identified as the property of other parties, that is transmitted or stored on DHS IT resources (including email, messages, and files) is the property of DHS. All users (DHS employees, contractors, vendors, or others) of IT resources are responsible for adhering to this policy.

Definitions

System maintenance: A catchall term used to describe various forms of computer or server maintenance required to keep a computer system running properly. It can describe network maintenance, which could mean that servers are being physically repaired, replaced, or moved. Network maintenance can also mean that the software for a server is being updated, changed, or repaired. This sort of maintenance is typically performed on a regular or semi-regular schedule, often during non-peak usage hours, and keeps servers running smoothly.

Responsibilities

DHS shall adopt the System Maintenance principles established in NIST SP 800-53 “System Maintenance,” Control Family guidelines, as the official policy for this domain. The following subsections outline the System Maintenance standards that constitute DHS policy. Each DHS Business System is then bound to this policy, and shall develop or adhere to a program plan which demonstrates compliance with the policy related to the standards documented.

MA-1 System Maintenance Policy and Procedures

Develop, document, and disseminate to designated agency personnel:
1. All organizational level system maintenance policy that:
  1. Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
  2. Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
2. Procedures to facilitate the implementation of the system maintenance policy and the associated controls.
Designate an agency official to manage the development, documentation, and dissemination of the system maintenance policy and procedures; and
Review and update the current system maintenance control:
1. Policy every one (1) year (or if there is a significant change); and
2. Procedures every one (1) year, (or when there is a significant change).

MA-2 Controlled Maintenance

Schedule, document, and review records of maintenance, repair, and replacement on system components in accordance with manufacturer or vendor specifications and/or organizational requirements;
Approve and monitor all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location;
Require that designated agency officials explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement;
Sanitize equipment to remove the following information from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement: all information on the equipment being sanitized;
Check all potentially impacted controls to verify that the controls are still functioning properly following maintenance, repair, or replacement actions; and
Include the following information in organizational maintenance records:
1. Date and time of maintenance;
2. Name of the individual performing the maintenance;
3. Name of escort, if necessary;
4. A description of the maintenance performed; and
5. A list of equipment removed or replaced (including identification numbers, if applicable).

MA-3 Maintenance Tools

Approve, control, and monitor the use of system maintenance tools; and
Review previously approved system maintenance tools on at least an annual basis.

MA-3 (1) Inspect Tools:

Inspect the maintenance tools used by maintenance personnel for improper or unauthorized modifications.

MA-3 (2) Inspect Media:

Check media containing diagnostic and test programs for malicious code before the media are used in the system.

MA-3 (3) Prevent Unauthorized Removal:

Prevent the removal of maintenance equipment containing organizational information by:

Verifying that there is no organizational information contained on the equipment;
Sanitizing or destroying the equipment;
Retaining the equipment within the facility; or
Obtaining an exemption from a designated agency official(s) explicitly authorizing removal of the equipment from the facility.

MA-3 (4) Restricted Tool Use:

Restrict the use of maintenance tools to authorized personnel only.

MA-3 (5) Execution with Privilege:

Monitor the use of maintenance tools that execute with increased privilege.

MA-03 (6) Software Updates and Patches:

Inspect maintenance tools to ensure the latest software updates and patches are installed.

MA-4 Non-Local Maintenance

All DHS service providers are required to:

Approve and monitor nonlocal maintenance and diagnostic activities;
Allow the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the system;
Employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions;
Maintain records for nonlocal maintenance and diagnostic activities; and
Terminate session and network connections when nonlocal maintenance is completed.

MA-4 (1) Logging and Review:

Log events as defined in the organization’s formal audit policy for nonlocal maintenance and diagnostic sessions; and
Review the audit records of the maintenance and diagnostic sessions to detect anomalous behavior.

MA-4 (4) Authentication and Separation of Maintenance Sessions:

Protect nonlocal maintenance sessions by:

Employing multifactor authentication consistent with NIST 800-63 Digital Identity Guidelines requirements; and
Separating the maintenance sessions from other network sessions with the system by either:
1. Physically separated communications paths; or
2. Logically separated communications paths.

MA-4 (6) Cryptographic Protection:

Implement the following cryptographic mechanisms to protect the integrity and confidentiality of nonlocal maintenance and diagnostic communications: Virtual Private Network (VPN) connection.

MA-4 (7) Disconnect Verification:

Verify session and network connection termination after the completion of nonlocal maintenance and diagnostic sessions.

MA-5 Maintenance Personnel

Establish a process for maintenance personnel authorization and maintain a list of authorized maintenance organizations or personnel;
Verify that non-escorted personnel performing maintenance on the system possess the required access authorizations; and
Designate organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations

MA-5 (1) Individuals Without Appropriate Access:

Implement procedures for the use of maintenance personnel who lack appropriate security clearances or are not U.S. citizens that include the following requirements:
1. Maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals are escorted and supervised during the performance of maintenance and diagnostic activities on the system by approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified; and
2. Prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances, or formal access approvals, all volatile information storage components within the system are sanitized and all nonvolatile storage media are removed or physically disconnected from the system and secured; and
Develop and implement organization-defined alternate controls in the event a system component cannot be sanitized, removed, or disconnected from the system.

MA-5 (5) Non-System Maintenance:

Ensure that non-escorted personnel performing maintenance activities not directly associated with the system but in the physical proximity of the system, have required access authorizations.

MA-6 Timely Maintenance

Obtain maintenance support and/or spare parts for security-critical information system components and/or key information technology components within the Recovery Time Objective/Recovery Point Objective (RTO/RPO) timelines and Maximum Tolerable Downtime (MTD) parameters agreed upon in the information systems Information System Contingency Plan (ISCP).

MA-6 (1) Preventive Maintenance:

Perform preventive maintenance on system component at applicable Recovery Time Objective (RTO) time intervals specified in the system Contingency Plan (CP).

History

Date

Change

User

Version

Evaluation

The Office of Information Technology (OIT), upon recommendation of the DHS Chief Information Security Officer (CISO), evaluates this policy annually by:

Comparing its content and intent to evolving regulatory compliance standards imposed upon the Agency, such as, IRS 1075, NIST 800-53, and CMS MARS-E.
Addressing any deficiencies or gaps discovered during periodic audits conducted by Georgia DOAA or other regulatory bodies, such as, IRS, CMS, SSA, FBI, etc.