Products are repaired by cleared or appropriately escorted personnel.

]]> This section covers information on maintaining and repairing both evaluated and non-evaluated IT equipment.

]]> Making unauthorised repairs to high assurance products or HACE can impact the integrity of the product or equipment.

]]> Using cleared technicians on-site at an agency’s facilities is considered the most desired approach to maintaining and repairing IT equipment. This ensures that if classified information is disclosed during the course of maintenance or repairs, the technicians are aware of the protection requirements for the information.

]]> Agencies MUST seek GCSB approval before undertaking any repairs to high assurance products or HACE.

]]> Maintenance and repairs of IT equipment containing media SHOULD be carried out on-site by an appropriately cleared technician.

]]> Agencies choosing to use uncleared technicians to maintain or repair IT equipment on-site at an agency’s facilities, or off-site at a company’s facilities, should be aware of the requirement for cleared personnel to escort the uncleared technicians during maintenance or repair activities.

]]> If an uncleared technician is used to undertake maintenance or repairs of IT equipment, the technician MUST be escorted by someone who:

  • is appropriately cleared and briefed;
  • takes due care to ensure that classified information is not disclosed;
  • takes all responsible measures to ensure the integrity of the equipment; and
  • has the authority to direct the technician.
]]> If an uncleared technician is used to undertake maintenance or repairs of IT equipment, agencies SHOULD sanitise and reclassify or declassify the equipment and associated media before maintenance or repair work is undertaken.

]]> Agencies SHOULD ensure that the ratio of escorts to uncleared technicians allows for appropriate oversight of all activities.

]]> If an uncleared technician is used to undertake maintenance or repairs of IT equipment, the technician SHOULD be escorted by someone who is sufficiently familiar with the product to understand the work being performed.

]]> Agencies choosing to have IT equipment maintained or repaired off-site need to be aware of requirements for the company’s off-site facilities to be approved to process and store the products at the appropriate classification.

]]> Agencies choosing to have IT equipment maintained or repaired off-site can sanitise, declassify or lower the classification of the product prior to transport and subsequent maintenance or repair activities, to lower the physical transfer, processing and storage requirements.

]]> Agencies having IT equipment maintained or repaired off-site MUST ensure that the physical transfer, processing and storage requirements are appropriate for the classification of the product and are maintained at all times.

]]> Where equipment is maintained or repaired offsite, agencies should identify any co-located equipment of a higher classification. This higher classification equipment may be at risk of compromise from modifications or repairs to the lower classification equipment.

]]> Offsite repairs and maintenance SHOULD treat all equipment in accordance with the requirements for the highest classification of information processed, stored or communicated in the area that the equipment will be returned to.

]]> Agencies SHOULD conduct or arrange to have technical inspections conducted on all equipment returned to the secure area after maintenance or repair.

]]>