Maintenance 3.7.2
Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.
What Is This CMMC Control?
Organizations must establish and enforce controls over maintenance tools, techniques, methods, and personnel used to service systems that handle CUI. This includes managing diagnostic equipment, repair tools, and maintenance software to prevent them from becoming vectors for malicious code or unauthorized access. Controls typically include approval processes, usage monitoring, malware scanning, and personnel vetting for anyone performing maintenance activities.
Control Intent
Prevent maintenance activities and tools from introducing security vulnerabilities, malicious code, or unauthorized access into systems processing CUI.
Who This Control Applies To
- Organizations that allow maintenance activities on systems processing, storing, or transmitting CUI
- Systems where external or internal personnel perform diagnostic, repair, or maintenance functions
- Environments where maintenance tools (hardware, software, firmware) are brought into facilities or connected to CUI systems
- Remote maintenance scenarios where technicians access CUI systems from external locations
Not Applicable When
- No maintenance activities are performed on CUI systems (extremely rare and likely not sustainable)
- All maintenance is performed exclusively by fully vetted internal personnel using only approved organizational tools with no external connections
- Systems are completely isolated with no maintenance tools ever introduced from outside the security boundary
Key Objectives
1. Ensure maintenance tools and equipment do not introduce malicious code or security vulnerabilities into CUI systems
2. Control and monitor personnel who perform maintenance activities on systems handling CUI
3. Establish approval and oversight processes for maintenance tools, techniques, and mechanisms used on CUI systems
Sample Self-Assessment Questions (Partial)
Do you allow any external vendors, contractors, or service providers to perform maintenance on systems that handle CUI?
What types of maintenance tools (diagnostic software, hardware testers, remote access tools) are used on your CUI systems?
Implementation Approaches (High-Level)
Approved Maintenance Tool Inventory with Malware Scanning
Maintain a documented inventory of approved maintenance tools with mandatory malware scanning before each use on CUI systems.
Vendor Maintenance Tool Control and Escorting
External vendor maintenance personnel must use only approved tools, be escorted during maintenance activities, and have all actions logged.
Remote Maintenance Session Controls
Remote maintenance access is controlled through jump hosts, session recording, time-limited access, and mandatory approval.
Maintenance Personnel Authorization and Vetting
Personnel performing maintenance on CUI systems must be authorized, vetted, and tracked through background checks, NDAs, and access approval processes.
Maintenance Tool Sanitization and Inspection
Maintenance tools are inspected before and after use, sanitized to remove any CUI, and verified to be free of malicious code.
Evidence & Assessment Notes
Expected Evidence
Organizations should maintain documentation and evidence demonstrating compliance with this control. This may include policy documentation, configuration records, audit logs, access reviews, and other relevant artifacts that show how the control is implemented and maintained.
Plan of Action & Milestones (POA&M)
- If no maintenance tool controls exist, prioritize establishing an approved tool inventory and malware scanning process as immediate actions
- If maintenance tools are used but not controlled, document current tools in use and implement approval and scanning requirements within 30-60 days
- If external vendors perform maintenance without controls, implement escort and tool inspection requirements immediately and document all vendor maintenance activities
- If remote maintenance is uncontrolled, implement session logging and time-limited access as immediate compensating controls while developing full remote maintenance procedures
- If maintenance personnel are not vetted, prioritize background checks and NDAs for external personnel with access to CUI systems
- Consider phased implementation starting with highest-risk systems or most frequent maintenance activities
- Leverage existing asset management, access control, and audit logging capabilities to reduce implementation effort
- Document any emergency maintenance situations that bypass controls and implement compensating measures
- If full implementation requires significant time, implement detective controls (logging, monitoring, review) as interim measures while developing preventive controls
Frequently Asked Questions
What qualifies as a maintenance tool under this control?
Maintenance tools include any hardware, software, or firmware used to diagnose, repair, or service systems processing CUI. This includes diagnostic software, hardware testers, packet sniffers, remote access tools, firmware update utilities, and vendor-specific diagnostic equipment. General-purpose IT tools may also be considered maintenance tools if used for diagnostic or repair purposes on CUI systems.
Do we need to control maintenance tools used by our own internal IT staff?
Yes, this control applies to all maintenance tools and personnel, including internal IT staff. While internal staff may already be vetted and authorized for general access, maintenance tools they use must still be approved, scanned for malware, and logged when used on CUI systems. The level of control may differ from external vendors, but some level of control is required.
How often do maintenance tools need to be scanned for malware?
Maintenance tools should be scanned before each use on CUI systems, not just once when initially approved. Tools can become infected between uses, especially if used on multiple systems or connected to external networks. At minimum, scan tools before each use on CUI systems and whenever the tool has been used outside the secure environment.
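As an added example (not part of this guidance page or of NIST SP 800-171), the following Python script shows one way to enforce both the "Approved Maintenance Tool Inventory with Malware Scanning" approach and the scan-before-each-use rule from this answer: a tool is admitted to a CUI system only if the SHA-256 hash of its binary matches an approved inventory entry, and only if the most recent recorded event for that hash is a clean malware scan that is not older than an age limit. Because any recorded use (inside or outside the enclave) becomes the latest event, a tool that has been used since its last scan is rejected until it is rescanned. The tool binaries, inventory, event log and 24-hour scan-age limit are constructed assumptions for the demonstration.

```python
"""Approved maintenance-tool gate: hash allowlist plus scan-before-each-use check."""
import hashlib
from datetime import datetime, timedelta, timezone

# Assumption: a clean scan older than this must be repeated before use.
MAX_SCAN_AGE = timedelta(hours=24)


def sha256_of(data: bytes) -> str:
    """Identify a tool by the SHA-256 of its binary, not by its file name."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for vetted tool binaries. A real inventory would hold
# hashes taken from the vendor-supplied builds at approval time (assumption).
TOOL_BINARIES = {
    "disk-diag-1.4": b"DISKDIAG 1.4 constructed sample binary",
    "fw-update-2.0": b"FWUPD 2.0 constructed sample binary",
}

# Approved inventory keyed by hash so a modified binary cannot match by name.
INVENTORY = {
    sha256_of(blob): {"name": name, "approved_by": "it-security"}
    for name, blob in TOOL_BINARIES.items()
}

T0 = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)

# Constructed event log: scans and uses, each tied to a tool hash and a time.
EVENTS = [
    {"sha256": sha256_of(TOOL_BINARIES["disk-diag-1.4"]), "kind": "scan", "result": "clean", "at": T0},
    {"sha256": sha256_of(TOOL_BINARIES["disk-diag-1.4"]), "kind": "use", "location": "cui-enclave", "at": T0 + timedelta(hours=1)},
    {"sha256": sha256_of(TOOL_BINARIES["fw-update-2.0"]), "kind": "scan", "result": "clean", "at": T0},
]


def latest_event(events, digest):
    """Most recent scan or use recorded for this tool hash, or None."""
    matching = [e for e in events if e["sha256"] == digest]
    return max(matching, key=lambda e: e["at"]) if matching else None


def check_tool(inventory, events, tool_bytes, now):
    """Decide whether this exact binary may be used on a CUI system right now."""
    digest = sha256_of(tool_bytes)
    entry = inventory.get(digest)
    if entry is None:
        return {"allowed": False, "reason": "hash not in approved inventory (unapproved or modified tool)"}
    last = latest_event(events, digest)
    if last is None or last["kind"] != "scan":
        # Either never scanned, or used somewhere since the last scan.
        return {"allowed": False, "reason": f"{entry['name']}: no clean scan since last use; rescan before use"}
    if last["result"] != "clean":
        return {"allowed": False, "reason": f"{entry['name']}: last scan result was '{last['result']}'"}
    if now - last["at"] > MAX_SCAN_AGE:
        return {"allowed": False, "reason": f"{entry['name']}: last clean scan older than {MAX_SCAN_AGE}"}
    return {"allowed": True, "reason": f"{entry['name']}: approved, clean scan at {last['at'].isoformat()}"}


def record_use(events, tool_bytes, location, now):
    """Log a use; this invalidates the tool until it is scanned again."""
    events.append({"sha256": sha256_of(tool_bytes), "kind": "use", "location": location, "at": now})


def record_scan(events, tool_bytes, result, now):
    """Log a scan result for the tool hash."""
    events.append({"sha256": sha256_of(tool_bytes), "kind": "scan", "result": result, "at": now})


if __name__ == "__main__":
    now = T0 + timedelta(hours=2)
    log = list(EVENTS)
    print(check_tool(INVENTORY, log, TOOL_BINARIES["disk-diag-1.4"], now))   # denied: used since last scan
    print(check_tool(INVENTORY, log, TOOL_BINARIES["fw-update-2.0"], now))   # allowed
    record_use(log, TOOL_BINARIES["fw-update-2.0"], "external", now)
    print(check_tool(INVENTORY, log, TOOL_BINARIES["fw-update-2.0"], now))   # denied until rescanned
    record_scan(log, TOOL_BINARIES["fw-update-2.0"], "clean", now + timedelta(minutes=5))
    print(check_tool(INVENTORY, log, TOOL_BINARIES["fw-update-2.0"], now + timedelta(minutes=6)))  # allowed
    print(check_tool(INVENTORY, log, b"tampered binary", now))                # denied: not in inventory
```

Keying the inventory by hash rather than file name is the part that matters for the "do not introduce malicious code" objective: a vendor tool that was patched, trojanized or simply updated without re-approval no longer matches, and the event log gives the assessor the scan-before-use evidence this control expects.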
What should we do if a vendor refuses to allow us to scan their proprietary diagnostic tools?
This is a common challenge with vendor-specific tools. Options include: requiring the vendor to provide malware scan results from their own tools, using the tool in an isolated environment with monitoring, having the vendor perform maintenance under escort with all actions logged, or negotiating contractual requirements for tool security. Document the risk and implement compensating controls such as enhanced monitoring and post-maintenance system scans.
Are remote maintenance sessions always prohibited on CUI systems?
No, remote maintenance is not prohibited but must be controlled. Remote sessions should be approved, time-limited, logged or recorded, and conducted through controlled access points (VPN, jump host, PAM system). Remote maintenance tools should not remain persistently installed. The key is ensuring remote maintenance has the same level of control and oversight as on-site maintenance.
What happens if we need emergency maintenance and normal approval processes would take too long?
Emergency maintenance procedures should be documented in advance, including who can authorize emergency access, what compensating controls apply (such as enhanced monitoring or escorting), and how the emergency situation will be documented and reviewed afterward. Emergency situations do not eliminate the need for controls, but may allow for streamlined approval and enhanced detective controls in place of some preventive controls.
How ConformatIQ Helps With CMMC Readiness
ConformatIQ is an AI-assisted CMMC readiness platform designed to help organizations prepare for assessments more efficiently. The platform supports document generation such as SSPs and POA&Ms, guided readiness workflows, centralized evidence tracking, and interview preparation for assessments.
Information sourced from NIST SP 800-171 Rev. 2.