Establishes requirements for performing timely maintenance on OCSI organizational systems — covering 6 controls per NIST SP 800-171 Rev 2.
OCSI shall perform maintenance on organizational systems in a timely manner. All maintenance activities, tools, and personnel shall be controlled, monitored, and documented. Nonlocal maintenance shall be approved, monitored, and controlled.
| Control | Requirement | Implementation | Status |
|---|---|---|---|
| 3.7.1 | Perform maintenance on organizational systems | System maintenance performed through scheduled deployments. GoDaddy hosting infrastructure maintained by provider per SLA. Application-level maintenance (updates, patches, dependency updates) performed by authorized personnel and tracked via deployment logs. | Implemented |
| 3.7.2 | Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance | Deployment restricted to authorized personnel using the deploy-godaddy.cjs script. FTP credentials stored in environment variables, not in source code. External MSSP provides maintenance guidance during quarterly reviews. | Implemented |
| 3.7.3 | Ensure equipment removed for off-site maintenance is sanitized of any CUI | OCSI uses a cloud-hosted web application; no physical equipment contains CUI data. All CUI data resides in browser localStorage on authorized devices. Device decommissioning procedures include browser data clearing. | Implemented |
| 3.7.4 | Check media containing diagnostic and test programs for malicious code before the media are used in organizational systems | All deployment files reviewed for malicious code prior to upload. Node.js dependencies audited using npm audit. No diagnostic media connected to production servers — all maintenance performed via secure FTP. | Implemented |
| 3.7.5 | Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete | NOT IMPLEMENTED. MFA enforcement on GoDaddy cPanel has not been verified. FTP sessions do not use MFA. Command Center has no MFA capability. Remote maintenance connections lack multi-factor authentication. | Not Implemented |
| 3.7.6 | Supervise the maintenance activities of maintenance personnel without required access authorization | NOT VERIFIED. No external MSSP is currently engaged. NDA claims are unsubstantiated. Organizational policy states external maintenance must be supervised, but this has not been tested or documented. | Not Verified |
| Activity | Frequency | Responsible |
|---|---|---|
| Dependency audit (npm audit) | Before each deployment | Developer |
| Security header verification | Monthly | Security Officer |
| CDN dependency review | Quarterly | Security Officer |
| External MSSP security assessment | Quarterly (planned) | External MSSP (not yet engaged) |
| Hosting provider SLA review | Annually | President |
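The 3.7.4 row and the activity table both rely on running npm audit before each deployment. The following is an added example of how that check can be turned into an enforced pre-deployment gate rather than a manual step; it is not part of OCSI's deploy-godaddy.cjs script or any other code on this page. It reads the JSON that `npm audit --json` writes and blocks when findings at or above a chosen severity are present. The sample audit output embedded below is constructed for illustration; the `metadata.vulnerabilities` summary it imitates is the real shape of npm's JSON report.

```javascript
// Added example: a pre-deployment dependency-audit gate for a Node.js project.
// Reads `npm audit --json` output and refuses to proceed when findings at or
// above the configured severity exist. Not OCSI's own code.

const SEVERITY_ORDER = ['info', 'low', 'moderate', 'high', 'critical'];

// Constructed sample of an `npm audit --json` report (npm 7+ layout). Only the
// metadata.vulnerabilities summary is needed by the gate; the rest is context.
const SAMPLE_AUDIT_JSON = JSON.stringify({
  auditReportVersion: 2,
  vulnerabilities: {
    'example-pkg': { // hypothetical package name, not a real advisory
      name: 'example-pkg', severity: 'high', isDirect: false,
      via: ['example-dep'], range: '<1.2.3', fixAvailable: true,
    },
  },
  metadata: {
    vulnerabilities: { info: 0, low: 2, moderate: 1, high: 1, critical: 0, total: 4 },
    dependencies: { prod: 40, dev: 120, optional: 3, peer: 0, peerOptional: 0, total: 163 },
  },
});

// Extract per-severity counts, failing loudly if the input is not audit JSON
// (for example when someone piped the human-readable output by mistake).
function parseAuditSummary(jsonText) {
  const report = JSON.parse(jsonText);
  const counts = report && report.metadata && report.metadata.vulnerabilities;
  if (!counts) {
    throw new Error('audit output lacks metadata.vulnerabilities; was it produced with --json?');
  }
  const summary = {};
  for (const severity of SEVERITY_ORDER) summary[severity] = Number(counts[severity] || 0);
  return summary;
}

// Decide whether deployment may continue. Everything at or above `failAt`
// counts as blocking; lower severities are reported but do not stop the deploy.
function evaluateAuditGate(jsonText, failAt = 'high') {
  const threshold = SEVERITY_ORDER.indexOf(failAt);
  if (threshold < 0) throw new Error(`unknown severity threshold: ${failAt}`);
  const summary = parseAuditSummary(jsonText);
  const blocking = SEVERITY_ORDER.slice(threshold)
    .reduce((total, severity) => total + summary[severity], 0);
  return { allowed: blocking === 0, blocking, failAt, summary };
}

// One-line report suitable for a deployment log (control 3.7.1 asks for tracking).
function formatGateResult(result) {
  const breakdown = SEVERITY_ORDER.map((s) => `${s}=${result.summary[s]}`).join(' ');
  const verdict = result.allowed ? 'PASS' : 'BLOCK';
  return `${verdict} (threshold ${result.failAt}, blocking ${result.blocking}) ${breakdown}`;
}

// Usage: npm audit --json > audit.json && node audit-gate.js audit.json [severity]
// With no file argument, the constructed sample is evaluated as a demonstration.
function main() {
  if (process.argv[2]) {
    const text = require('fs').readFileSync(process.argv[2], 'utf8');
    const result = evaluateAuditGate(text, process.argv[3] || 'high');
    console.log(formatGateResult(result));
    process.exitCode = result.allowed ? 0 : 1; // non-zero stops a deploy script
    return;
  }
  console.log('demo @high:     ' + formatGateResult(evaluateAuditGate(SAMPLE_AUDIT_JSON, 'high')));
  console.log('demo @critical: ' + formatGateResult(evaluateAuditGate(SAMPLE_AUDIT_JSON, 'critical')));
}

main();
```

Wiring this in front of the FTP upload step, so that a non-zero exit aborts the deployment, turns the "before each deployment" row into something the deployment logs can evidence rather than a step that depends on the developer remembering to run it. The threshold is deliberately a parameter: a policy that blocks on `high` and above while logging `moderate` and `low` matches the table's intent without making every low-severity advisory a deployment outage.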