Maintenance
Overview
This updated standard aligns existing Office of Information Technology (OIT) practices for maintenance controls with the requirements of the NIST SP 800-171 Maintenance family (MA, controls 3.7.x) and with industry best practice. It does not give full coverage of the 3.7.x controls in 800-171, because of existing limitations and because some of those requirements are specific to CUI.
What is in this document:
- Patching requirements
- Access control tie-in for remote maintenance
- Security requirements for third party repairs
What is NOT in this document:
- Patching procedures or methods
- Remote maintenance procedures or methods
- Approved third party repair providers
Policy reference
- APM 30.11 University Data Classification and Standards
- APM 30.12 Acceptable Use of Technology Resources
- APM 30.14 Cyber Incident Reporting and Response
- APM 30.15 Technology Hardware Lifecycle Management
Purpose
This Maintenance standard supports APM 30.11 University Data Classification and Standards and other relevant university policies.
Scope
These standards are the minimum baseline for all managed and unmanaged systems that access, store or process University of Idaho data (see APM 30.14 C-6) or use University of Idaho technology resources (see APM 30.12 C-1) at the Low, Moderate or High risk level (see APM 30.11) and are not otherwise covered by an approved system security plan.
Standards
U of I Office of Information Technology (OIT) is responsible for the content and management of these standards.
To request an exception to this standard contact: oit-security@uidaho.edu
1. Patch management
Run only operating systems that are currently vendor-supported and patched. Apply security patches that address flaws in systems and applications automatically, or within 10 days.
- An alternative timeframe may be used when it has been approved through a risk-based vulnerability assessment process accepted by the OIT Security Office and all affected data and system owners.
Applies to: Low / Moderate / High
2. Remote maintenance
Remote maintenance sessions must be authenticated over channels that comply with the Access Control and Identification and Authentication standards.
Applies to: Low / Moderate / High
3. Third-party repairs
- Prior to sending equipment back to vendors or third parties for repairs that cannot be done in-house, systems must be sanitized using the standards described in Media Protection.
Applies to: High
- Prior to sending equipment back to vendors or third parties for repairs that cannot be done in-house, systems must be either encrypted using OIT-managed encryption or sanitized using the standards described in Media Protection.
Applies to: Moderate
- Keys, passwords or other authentication secrets for accessing university technology resources must not be shared with third parties, as required by APM 30.15.
Applies to: Low / Moderate / High
- If access is required to perform or validate repairs, temporary credentials assigned only to the vendor must be used.
- Any on-site maintenance by third parties must be supervised unless it is performed under an approved contract.
Applies to: Moderate / High
Other references
- NIST SP800-171r2 (February 2020)
- NIST SP800-53r5 (September 2020)
- Media Protection standard
Definitions
Security patches
Updates or fixes released by vendors to resolve a security vulnerability.
Remote maintenance
Accessing a system via a network connection for the purpose of working on the system itself.
Third party
Any entity that is not an owner, user or otherwise authorized individual for a system. This may include university affiliates who are not authorized for that specific system.
Revision history
3/1/2024 — Minor updates
- Minor formatting/wording/reference changes.
6/23/2023 — Original standard
- Full re-write to align with NIST 800-171r2