
PRMP-2 Maintenance Personnel


Overview

Maintenance is performed only by authorized personnel. The process for determining authorization and the list of authorized maintenance personnel are documented. Except as authorized by the DAA, personnel who perform maintenance on classified DoD information systems are cleared to the highest level of information on the system. Cleared personnel who perform maintenance on classified DoD information systems require an escort unless they have authorized access to both the computing facility and the DoD information system. If uncleared or lower-cleared personnel are employed, a fully cleared and technically qualified escort monitors and records all of their activities in a maintenance log. The level of detail required in the maintenance log is determined by the IAM. All maintenance personnel comply with DAA requirements for U.S. citizenship, which are explicit for all classified systems.

MAC / CONF: CLASSIFIED
Impact: High
Subject Area: Personnel

Details

Threat
Refer to PECF-2, PEDI-1, PEPF-2, and PRAS-2.

Guidance
This guidance is intended for Information Assurance Managers/Officers or System Administrators tasked with ensuring that only those personnel who are cleared for the level of information processed by the system, and who have the requisite need to know, are granted access to the system for maintenance purposes:
 
1. Refer to guidance for IA control PRMP-1.
2. Except as specifically waived on a case-by-case basis by the DAA or organizational Security Officer, ensure that all personnel who perform maintenance on classified DoD information systems are cleared to the highest level of information on the system in accordance with DoD personnel security policies, by verifying individual clearances and accesses through the organizational security officer.
3. Ensure that system security documentation contains a clearly-stated policy that all cleared personnel who perform maintenance on classified DoD information systems shall require an escort unless they have been authorized access to the computing facility and the DoD information system.
4. Ensure that system security policy states clearly that if uncleared personnel, or personnel with a lower clearance level than that of the system, are employed for maintenance purposes, a fully cleared and technically qualified escort shall monitor and record all of their activities in a maintenance log. The level of detail required in the maintenance log shall be determined by the IAM in accordance with DoD personnel security policies, but the log should contain, at a minimum, the following information:
  a. Name, SSN, position, and company/organization of escorted individual
  b. System, node, or network segment on which individual is performing maintenance
  c. Security clearance level of the escorted individual
  d. Name of escort
  e. Start and stop date and times of maintenance work
  f. Summary description of maintenance performed
5. Ensure that system security policy mandates that the information system environment is sanitized of all classified material or information prior to entrance of the escorted individual into the workspace.
6. Verify that system security policy mandates that all maintenance personnel comply with DAA requirements for U.S. citizenship, which are explicit for all classified systems.
 
For further supporting/amplifying information, see:
1. PECF-2
2. PEDI-1
3. PEPF-2
4. PRAS-2

References

  • DoD 5200.2-R (Personnel Security Program), January 1987