Kk nist update3

content/en/docs/private-platform/nist-controls/ma/_index.md

@@ -0,0 +1,15 @@
+---
+title: "NIST 800-53 Maintenance Compliance for Private Mendix Platform"
+linktitle: "Maintenance"
+url: /private-mendix-platform/nist-controls-ma/
+description: "Documents the Private Mendix Platform's compliance with the Maintenance (MA) category of the NIST 800-53 security framework."
+weight: 10
+no_list: false 
+simple_list: true
+---
+
+## Introduction
+
+Documents in this section provide more information about Private Mendix Platform's compliance with the Maintenance (MA) category of the [NIST 800-53](https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final) security framework. For each applicable control, we have listed which party (Mendix or the customer) is responsible for which component or aspect.
+
+In general, Mendix is responsible for the Private Mendix Platform, Mendix Operator, Mendix Studio Pro, Mendix Runtime, and so on. Customer responsibilities are related to infra and organization processes. For more information, refer to detailed documentation below.

content/en/docs/private-platform/nist-controls/ma/pmp-nist-ma01.md

@@ -0,0 +1,59 @@
+---
+title: "MA-01 System Maintenance Policy And Procedures"
+linktitle: "MA-01"
+url: /private-mendix-platform/nist-controls/ma-01/
+description: "Documents the Private Mendix Platform's compliance with the MA-01 control of the NIST 800-53 framework."
+weight: 20
+---
+
+## Introduction
+
+This document describes how Private Mendix Platform fulfills the MA-01 control.
+
+| Control ID | MA-01 |
+| --- | --- |
+| Control category | MA - Maintenance |
+| Requirement baseline | FEDRAMP MODERATE |
+| Responsibility and ownership | Customer - Infra, Customer - Org |
+
+## Control
+
+The organization:
+
+* Develops, documents, and disseminates to organization-defined personnel or roles:
+
+    * A system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance
+    * Procedures to facilitate the implementation of the system maintenance policy and associated system maintenance controls
+
+* At an organization-defined frequency, reviews and updates the current:
+
+    * System maintenance policy at an organization-defined frequency
+    * System maintenance procedures.
+
+### Supplemental Guidance
+
+This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the MA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. 
+
+The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. 
+
+The following controls are related to this control:
+
+* PM-9.
+
+For more information, refer to the NIST Special Publications 800-12, 800-100.
+
+## Responsibility
+
+### Customer Responsibility
+
+System maintenance plans and schedules for the Private Mendix Platform, Mendix applications, and their underlying infrastructure are the responsibility of the customer and associated Infra and App Implementers and Operators.
+
+## Guidance
+
+### Customer Responsibility
+
+This is not a Mendix responsibility. It is the responsibility of the customer to implement a system maintenance policy and procedures. 
+
+It is the responsibility of the Infra Implementer to ensure that the infrastructure and Private Mendix Platform is implemented in such a way that they comply with and support the customer's system maintenance policy and procedures. It is the responsibility of the App Implementer to ensure that the Mendix App is implemented in such a way that it complies with and supports the customer's system maintenance policy and procedures. 
+
+It is the responsibility of the Infra Operator and App Operator to perform maintenance and updates in such a way that they ensure ongoing compliance with the customer's system maintenance policy and procedures.

content/en/docs/private-platform/nist-controls/ma/pmp-nist-ma02.md

@@ -0,0 +1,70 @@
+---
+title: "MA-02 Controlled Maintenance"
+linktitle: "MA-02"
+url: /private-mendix-platform/nist-controls/ma-02/
+description: "Documents the Private Mendix Platform's compliance with the MA-02 control of the NIST 800-53 framework."
+weight: 20
+---
+
+## Introduction
+
+This document describes how Private Mendix Platform fulfills the MA-02 control.
+
+| Control ID | MA-02 |
+| --- | --- |
+| Control category | MA - Maintenance |
+| Requirement baseline | FEDRAMP MODERATE |
+| Responsibility and ownership | Mendix - Private Mendix Platform, Mendix - Operator, Mendix - Studio Pro/Runtime, Customer - Infra, Customer - Org |
+
+## Control
+
+The organization:
+
+* Schedules, performs, documents, and reviews records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements.
+* Approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location.
+* Requires that organization-defined personnel or roles explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs.
+* Sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs.
+* Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions.
+* Includes organization-defined maintenance-related information in organizational maintenance records.
+
+### Supplemental Guidance
+
+This control addresses the information security aspects of the information system maintenance program and applies to all types of maintenance to any system component (including applications) conducted by any local or nonlocal entity (for example, in-contract, warranty, in- house, software maintenance agreement). System maintenance also includes those components not directly associated with information processing and/or data/information retention such as scanners, copiers, and printers. 
+
+Information necessary for creating effective maintenance records includes, for example: 
+
+* Date and time of maintenance
+* Name of individuals or group performing the maintenance
+* Name of escort, if necessary
+* Description of the maintenance performed
+* Information system components or equipment removed or replaced (including identification numbers, if applicable). 
+
+The level of detail included in maintenance records can be informed by the security categories of organizational information systems. Organizations consider supply chain issues associated with replacement components for information systems. 
+
+The following controls are related to this control:
+
+* CM-3
+* CM-4
+* MA-4
+* MP-6
+* PE-16
+* SA-12
+* SI-2.
+
+## Responsibility
+
+### Customer Responsibility
+
+The customer and their designated operators (Infra Operator, App Operator) are responsible for implementing, documenting, approving, and performing maintenance on the specific infrastructure (for example, Private Mendix Platform) and Mendix applications deployed within their environment.
+
+## Guidance
+
+### Customer Responsibility
+
+Mendix provides robust release notes, as well as reports and responds to security vulnerabilities within the Mendix products in accordance with appropriate regulations. 
+
+It is the customer's responsibility to provide maintenance policies and procedures, including but not limited to documentation requirements. 
+
+It is the responsibility of the Infra Operator to perform maintenance on the infrastructure and Private Mendix Platform in compliance with the customer's maintenance policies. 
+
+It is the responsibility of the App Operator to perform maintenance on the Mendix app in compliance with the customer's maintenance policies.

content/en/docs/private-platform/nist-controls/ma/pmp-nist-ma0402.md

@@ -0,0 +1,35 @@
+---
+title: "MA-04 (02) Document Nonlocal Maintenance"
+linktitle: "MA-04 (02)"
+url: /private-mendix-platform/nist-controls/ma-0402/
+description: "Documents the Private Mendix Platform's compliance with the MA-04 (02) control of the NIST 800-53 framework."
+weight: 20
+---
+
+## Introduction
+
+This document describes how Private Mendix Platform fulfills the MA-04 (02) control.
+
+| Control ID | MA-04 (02) |
+| --- | --- |
+| Control category | MA - Maintenance |
+| Requirement baseline | FEDRAMP MODERATE |
+| Responsibility and ownership | Customer - Infra, Customer - Org |
+
+## Control
+
+The organization documents in the security plan for the information system, the policies and procedures for the establishment and use of nonlocal maintenance and diagnostic connections.
+
+## Responsibility
+
+### Customer Responsibility
+
+The documentation of the security plan for the Mendix solution, including considerations for local and non-local maintenance, is the responsibility of the customer (in collaboration with their Infra and App Implementers).  The Infra and App Operators must maintain compliance with this customer-defined security plan, ensuring that the operational aspects meet the customer's specific security mandates.
+
+## Guidance
+
+### Customer Responsibility
+
+This is not a Mendix responsibility. It is the responsibility of the customer to document the security plan for the Mendix solution in collaboration with the Infra Implementer and the App Implementer, including considering how to perform local and non-local maintenance.
+
+It is the responsibility of the Infra Operator and App Operator to perform their tasks in compliance with the customer's security plan for the Mendix solution. 

content/en/docs/private-platform/nist-controls/ma/pmp-nist-ma0403.md

@@ -0,0 +1,51 @@
+---
+title: "MA-04 (03) Comparable Security and Sanitization"
+linktitle: "MA-04 (03)"
+url: /private-mendix-platform/nist-controls/ma-0403/
+description: "Documents the Private Mendix Platform's compliance with the MA-04 (03) control of the NIST 800-53 framework."
+weight: 20
+---
+
+## Introduction
+
+This document describes how Private Mendix Platform fulfills the MA-04 (03) control.
+
+| Control ID | MA-04 (03) |
+| --- | --- |
+| Control category | MA - Maintenance |
+| Requirement baseline | FEDRAMP MODERATE |
+| Responsibility and ownership | Customer - Infra, Customer - Org |
+
+## Control
+
+The organization:
+
+* Requires that nonlocal maintenance and diagnostic services be performed from an information system that implements a security capability comparable to the capability implemented on the system being serviced.
+* Alternatively, removes the component to be serviced from the information system prior to nonlocal maintenance or diagnostic services, sanitizes the component (with regard to organizational information) before removal from organizational facilities, and after the service is performed, inspects and sanitizes the component (with regard to potentially malicious software) before reconnecting the component to the information system.
+
+### Supplemental Guidance
+
+Comparable security capability on information systems, diagnostic tools, and equipment providing maintenance services implies that the implemented security controls on those systems, tools, and equipment are at least as comprehensive as the controls on the information system being serviced.
+
+The following controls are related to this control:
+
+* MA-3
+* SA-12
+* SI-3
+* SI-7.
+
+## Responsibility
+
+### Customer Responsibility
+
+The responsibility for defining required external maintenance capabilities, ensuring non-local maintenance systems are compliant, and dictating component removal policies lies with the Customer. 
+
+Additionally, the customer's Infra and App Operators must ensure adherence with the customer's external maintenance policiees and align with their governance, security, and operational standards.
+
+## Guidance
+
+### Customer Responsibility
+
+This is not a Mendix responsibility. It is the responsibility of the customer to defined the required external maintenance capabilities, as well as ensuring that non-local maintenance systems are compliant. 
+
+It is the responsibility of the Infra Operator and App Operator to respect the customer's requirements and only use approved tools and systems when completing non-local maintenance, and complying with customer dictated component removal policies and procedures before, during, and after any non-local service.

content/en/docs/private-platform/nist-controls/ma/pmp-nist-ma0501.md

@@ -0,0 +1,63 @@
+---
+title: "MA-05 (01) Individuals Without Appropriate Access"
+linktitle: "MA-05 (01)"
+url: /private-mendix-platform/nist-controls/ma-0501/
+description: "Documents the Private Mendix Platform's compliance with the MA-05 (01) control of the NIST 800-53 framework."
+weight: 20
+---
+
+## Introduction
+
+This document describes how Private Mendix Platform fulfills the MA-05 (01) control.
+
+| Control ID | MA-05 (01) |
+| --- | --- |
+| Control category | MA - Maintenance |
+| Requirement baseline | FEDRAMP MODERATE |
+| Responsibility and ownership | Mendix - Private Mendix Platform, Mendix - Operator, Mendix - Studio Pro/Runtime, Customer - Infra, Customer - Org |
+
+## Control
+
+The organization:
+
+* Implements procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens, that include the following requirements:
+
+    * Maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals are escorted and supervised during the performance of maintenance and diagnostic activities on the information system by approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified.
+    * Prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances or formal access approvals, all volatile information storage components within the information system are sanitized and all nonvolatile storage media are removed or physically disconnected from the system and secured.
+
+* Develops and implements alternate security safeguards in the event an information system component cannot be sanitized, removed, or disconnected from the system.
+
+### Supplemental Guidance
+
+This control enhancement denies individuals who lack appropriate security clearances (for example, individuals who do not possess security clearances or possess security clearances at a lower level than required) or who are not U.S. citizens, visual and electronic access to any classified information, Controlled Unclassified Information (CUI), or any other sensitive information contained on organizational information systems. Procedures for the use of maintenance personnel can be documented in security plans for the information systems.
+
+The following controls are related to this control:
+
+* MP-6
+* PL-2.
+
+## Responsibility
+
+### Customer Responsibility
+
+It is the customer's responsibility to setup appropriate access and clearance controls for personnel maintaining the Private Mendix Platform and any Mendix apps built through the Mendix solution. 
+
+Through Mendix's dynamic role management on both Private Mendix Platform and through Mendix applications themselves, customers can precisely control user access for maintenance purposes.
+
+Additionally, it is the responsibility of the Infra Implementer and Operator, as well as the App Implementer and Operator to implement and enforce these controls as determined by the customer.
+
+## Guidance
+
+### Customer Responsibility
+
+It is the responsibility of the customer to implement policies and procedures for allowing the ability to perform maintenance on the Mendix solution to individuals who either lack appropriate security clearances or are not U.S. citizens/persons.
+
+It is also the customer's responsibility to ensure that system data is sanitized, and/or implement other security safeguards, prior to maintenance occurring. 
+
+It is the responsibility of the Infra Implementer, App Implementer, Infra Operator, and App Operator to comply with the the customer's third-party personnel and data safety policies and procedures when doing work on the Mendix solution. 
+
+This is not a Mendix responsibility, except in cases where direct product support is required, in which case Mendix will comply with the customer's policies and procedures as required by law.
+
+## Proof and Remarks
+
+For more information, see [Dynamic Role Management in Private Mendix Platform](/private-mendix-platform/dynamic-role-management/).

content/en/docs/private-platform/nist-controls/ma/pmp-nist-ma06.md

@@ -0,0 +1,51 @@
+---
+title: "MA-06 Timely Maintenance"
+linktitle: "MA-06"
+url: /private-mendix-platform/nist-controls/ma-06/
+description: "Documents the Private Mendix Platform's compliance with the MA-06 control of the NIST 800-53 framework."
+weight: 20
+---
+
+## Introduction
+
+This document describes how Private Mendix Platform fulfills the MA-06 control.
+
+| Control ID | MA-06 |
+| --- | --- |
+| Control category | MA - Maintenance |
+| Requirement baseline | FEDRAMP MODERATE |
+| Responsibility and ownership | Mendix - Private Mendix Platform, Mendix - Operator, Mendix - Studio Pro/Runtime, Customer - Infra, Customer - Org |
+
+## Control
+
+The organization obtains maintenance support and/or spare parts for organization-defined information system components within an organization-defined time period of failure.
+
+### Supplemental Guidance
+
+Organizations specify the information system components that result in increased risk to organizational operations and assets, individuals, other organizations, or the Nation when the functionality provided by those components is not operational. Organizational actions to obtain maintenance support typically include having appropriate contracts in place.
+
+The following controls are related to this control:
+
+* CM-8
+* CP-2
+* CP-7
+* SA-14
+* SA-15.
+
+## Responsibility
+
+### Customer Responsibility
+
+The responsibility for sourcing maintenance and defining Service Level Expectations (SLAs) for the Mendix solution, as well as directing Infra and App Operators to perform maintenance and support, rests with the customer. 
+
+Mendix provides the core platform and product support as defined in its license agreements and MSA, but the day-to-day operational maintenance and the specific performance guarantees (SLAs) for a deployed solution are inherently tied to the customer's chosen infrastructure, operational policies, and contractual relationships with other vendors.
+
+## Guidance
+
+### Customer Responsibility
+
+It is the responsibility of the customer to source maintenance and parts as well as to set appropriate service level expectations (SLA) for the Mendix solution. 
+
+It is the responsibility of the Infra Operator and App Operator to perform maintenance and support of the Mendix solution in compliance with the Customer’s directives and according to applicable contracts and laws.
+
+This is not a Mendix responsibility beyond providing support for the Mendix products sold as is outline in the license terms and other agreements.