MA-03 Maintenance Tools

Maintenance

Low Moderate High

Description

The organization approves, controls, and monitors the use of information system maintenance tools and maintains the tools on an ongoing basis.

Supplemental Guidance

The intent of this control is to address hardware and software brought into the information system specifically for diagnostic/repair actions (e.g., a hardware or software packet sniffer that is introduced for the purpose of a particular maintenance activity). Hardware and/or software components that may support information system maintenance, yet are a part of the system (e.g., the software implementing “ping,” “ls,” “ipconfig,” or the hardware and software implementing the monitoring port of an Ethernet switch) are not covered by this control.

Changes from Rev 4

Adds control text and parameter to review previously approved maintenance tools at a specified frequency. Discussion expanded regarding approving, controlling, monitoring, and reviewing maintenance tools.

Compliance Mappings

ISO 27001:2022

A.7.13

ISO 27002:2022

7.13

COBIT 2019

DSS01

ISO 42001:2023

A.4.4

ANSSI

Hygiene.20, Hygiene.34, SecNumCloud.13.4

FINMA Circular 2023/1

IV.A(28), IV.A(29)

OSFI B-13

B-13.2.3

EU GDPR

Art.32(1)(b)

EU DORA

Art.7(1), Art.9(4)(e)

BIO2

7.13

RBI CSF

Annex1.7

FISC Security Guidelines

FISC.F3

MLPS 2.0

8.1.10.2

DNB Good Practice

DNB.18.2

CBE CSF

CTO-10

CBN CSF

Part3.3

HIPAA Security Rule

§164.310(a)(2)(iv)

SEBI CSCRF

PR.MA

BOT Cyber Resilience

Ch10.1

CMMC 2.0

MA

10 CFR 73.54

RG5.71-B-MA

PCI PTS v6

K

Solvency II

EIOPA-ICT-4.8

FCA SYSC 13

SYSC 13.7.2

ISO 17799 (legacy)

None.

COBIT 4.1 (legacy)

None.