NIST 800-53 r5 · Controls catalogue · Family MA
MA-2 · Controlled Maintenance
The organization:
- Schedules, documents, and reviews records of maintenance, repair, and replacement on system components in accordance with manufacturer or vendor specifications and/or organizational requirements;
- Approves and monitors all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location;
- Requires that {{ insert: param, ma-02_odp.01 }} explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement;
- Sanitizes equipment to remove the following information from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement: {{ insert: param, ma-02_odp.02 }};
- Checks all potentially impacted controls to verify that the controls are still functioning properly following maintenance, repair, or replacement actions; and
- Includes the following information in organizational maintenance records: {{ insert: param, ma-02_odp.03 }}.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (0)
- No ATT&CK techniques mapped to this control yet.
Weaknesses this control addresses (7)
CWEs ranked by how often they appear in real CVEs. The rationale column describes how this control reduces the exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | 10,204 | Sanitizing media before a component leaves the facility limits what external maintenance personnel, or anyone with access to the device in transit, can recover from it. |
| CWE-862 | Missing Authorization | 8,680 | Requiring explicit approval by designated personnel before a component is removed for off-site maintenance inserts an authorization step into an operation that would otherwise have none. |
| CWE-284 | Improper Access Control | 4,832 | Approving and monitoring all maintenance activities, on site or remote, restricts who may perform maintenance on system components and keeps that access observable. |
| CWE-285 | Improper Authorization | 1,230 | Explicit approval for maintenance activities and component removal enforces that only properly authorized parties carry out these operations. |
| CWE-552 | Files or Directories Accessible to External Parties | 540 | Sanitizing media before off-site maintenance reduces the risk that files or directories holding sensitive data remain readable by the external party servicing the equipment. |
| CWE-693 | Protection Mechanism Failure | 476 | Verifying that all potentially impacted controls still function after maintenance, repair, or replacement detects protection mechanisms that were disabled, misconfigured, or reset during the work. |
| CWE-226 | Sensitive Information in Resource Not Removed Before Reuse | 30 | Requiring sanitization of media before removal ensures residual sensitive information is cleared before the resource is handled externally or reused. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| No CVEs annotated to this control yet — the per-CVE backfill is in progress. | | | | |