Approved Date – 02/22/2021
Published Date – 02/22/2021
Revised Date – 02/23/2023
1. Purpose
Specifies the requirements for the management of the risk that may result from the maintenance of the District of Columbia Government (“District”) information assets.
2. Authority
DC Official Code § 1-1401 et seq., provides the Office of the Chief Technology Officer (“OCTO”) with the authority to provide information technology (IT) services, write and enforce IT policies, and secure the network and IT systems for the District government. This document can be found at: https://code.dccouncil.us/dc/council/code/sections/1-1402.html.
3. Applicability
This policy applies to all District workforce members performing official functions on behalf of the District, and/or any District agency or entity that receives enterprise services from OCTO. In addition, this policy applies to any provider and third-party entity with access to District information, information systems, and networks.
4. Policy
Hardware and software maintenance and support arrangements shall be required for all standard and non-standard desktops, servers, network infrastructure equipment, peripherals, and related software. This shall include applications and systems that are subject to their proprietary maintenance and upgrade policies. Service, maintenance, and support shall be properly staffed and managed through a ticket management system and help desk.
The District's agencies must develop a procedure in support of this policy, and review or update it at least every 3 years and after any change to the policy, meeting the following requirements:
4.1. Controlled Maintenance
The District agencies must:
4.1.1. Schedule, perform, document, and review records of maintenance and repairs on information system components per manufacturer or vendor specifications and/or organizational requirements.
4.1.2. Approve and monitor all maintenance activities to include routine scheduled information system security maintenance and repairs, whether the equipment is serviced onsite, remotely, or moved to another location.
4.1.3. Ensure the removal of the information system or any of its components from the facility for repair is first approved by an appropriate official.
4.1.4. Sanitize equipment, following proper procedure, to remove all information, including any restricted or highly restricted information, from associated media before the information system or any of its components is removed from organizational facilities for off-site information system security maintenance or repairs.
4.1.5. Verify proper functionality of all potentially impacted security controls after information system security maintenance is performed.
4.1.6. Include the information defined in the procedure in organizational maintenance records.
4.2. Maintenance Tools
The District agencies must approve, control, and monitor the use of information system security maintenance tools and maintain these tools on an ongoing basis.
4.3. Maintenance Tools | Inspect Tools
The District agencies must inspect the maintenance tools carried into a facility by personnel to ensure such tools do not have unauthorized and/or improper modifications.
4.4. Maintenance Tools | Inspect Media
The District agencies must scan media containing diagnostic and test programs to verify that they are free from malicious code, viruses, and malware before the media are used in the information system.
4.5. Non-Local Maintenance
The District agencies must:
4.5.1. Authorize, monitor, and control non-local maintenance and diagnostic activities.
4.5.2. Allow the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the information system.
4.5.3. Employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions.
4.5.4. Maintain records for nonlocal maintenance and diagnostic activities.
4.5.5. Terminate sessions and network connections when nonlocal maintenance is completed.
4.6. Non-Local Maintenance | Document Non-local Maintenance
Allow the use of nonlocal maintenance and diagnostic tools only as consistent with the agency’s policy and documented in the security plan for the information system.
4.7. Maintenance Personnel
The District agencies must:
4.7.1. Establish a process for maintenance personnel authorization and maintain a current list of authorized maintenance organizations or personnel.
4.7.2. Ensure that non-escorted personnel performing maintenance on the information system have required access authorizations.
4.7.3. Designate organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.
4.8. Timely Maintenance
The District agencies must obtain maintenance support and/or spare parts for information systems/assets within defined service level agreements.
5. Exemption
Exceptions to this policy shall be requested in writing to the Agency’s CIO and the request will be escalated to the OCTO Chief Information Security Officer (“CISO”) for approval.
6. Definitions
The definition of the terms used in this document can be found in the Policy Definitions website.