Maintenance

In the CMMC context, maintenance refers to the controlled processes for performing maintenance on organizational systems — both routine maintenance (updates, repairs) and maintenance performed by external parties (vendors, service providers). The security concern is that maintenance activities often require elevated access and can introduce vulnerabilities if not properly controlled.

Maintenance requirements cover controlling who can perform maintenance, supervising maintenance activities by external personnel, ensuring maintenance tools are properly managed, and performing maintenance from approved locations using secure connections.

Why It Matters

Maintenance is a CMMC domain. Assessors will verify that you control maintenance activities, supervise external maintenance personnel, and ensure that maintenance doesn't introduce security vulnerabilities — particularly when vendor technicians need access to CUI-containing systems.
