NetStable
🔧 6 Practices NIST 3.7.1 - 3.7.6

Maintenance Policy

Maintenance Domain (MA)

📖 What This Policy Covers

Maintenance ensures your systems stay operational and secure while protecting CUI during the maintenance process itself. This policy covers maintenance scheduling and windows, controlled maintenance procedures (backup, approve, execute, verify), approved maintenance tools (only vetted, company-approved tools), non-local/remote maintenance (MFA, session recording, monitoring), maintenance personnel authorization (background checks, escorts for non-company), and maintenance records and documentation.

Purpose

This policy ensures system maintenance is performed on schedule with proper controls, CUI is protected during maintenance activities, only approved tools are used for maintenance, remote/non-local maintenance is secured and monitored, maintenance personnel are authorized and supervised, and all maintenance activities are documented.

Scope

Applies to all maintenance activities on systems processing or storing CUI, including scheduled maintenance, emergency patches, remote support sessions, vendor maintenance, and hardware repair.

🎯 Why It Matters

Maintenance activities are a high-risk window: systems may be in a vulnerable state, vendor access may be required, and CUI could be exposed during equipment repair. An uncontrolled maintenance session could introduce malware, expose CUI to unauthorized personnel, or leave systems misconfigured. Assessors check that maintenance follows change control and that remote sessions are authenticated with MFA and logged.

🔐 Key Requirements

1. Maintenance Scheduling

Scheduled and emergency maintenance with proper notification.

  • Scheduled maintenance during approved windows (e.g., Sundays 2-6 AM)
  • Emergency maintenance (critical patches) with CISO approval outside windows
  • 72-hour advance notification to users
  • All maintenance follows Change Management Policy

2. Controlled Maintenance

Structured process for safe maintenance execution.

  • Before: backup, review procedure, obtain change ticket approval, prepare rollback plan
  • During: follow documented procedure, log all actions, monitor for issues
  • After: test functionality, verify CUI integrity, update documentation, close ticket
  • CUI protection: sanitize before sending equipment for repair, escort non-cleared personnel, monitor remote sessions

3. Approved Maintenance Tools

Only approved, vetted tools for maintenance activities.

  • Diagnostic tools approved by IT Security (scanned for malware)
  • Remote access tools: company-approved only (TeamViewer, LogMeIn with MFA)
  • USB drives: company-issued encrypted only
  • Tool inventory maintained by IT, updated annually
  • Personal USB drives, unauthorized software, untrusted scripts prohibited

4. Non-Local/Remote Maintenance

Controls for remote maintenance sessions.

  • MFA authentication required
  • Session recording (logs + video if available)
  • Approval: submit request with justification, manager + IT Security approval
  • Real-time monitoring by IT Security for sensitive systems
  • Session terminated after task completion or if suspicious activity detected
  • Encrypted channels only (VPN, RDP over TLS)
  • Vendor access: temporary accounts, deactivated after maintenance, logs reviewed, NDA required

5. Maintenance Personnel

Authorization and supervision of maintenance personnel.

  • Company employees: background checks per PS Policy
  • Contractors: background checks + NDA + escorted by company personnel
  • Vendors: equipment sanitized before shipping, or access via monitored remote session
  • Authorized personnel list maintained by IT, updated quarterly

6. Maintenance Records

Documentation of all maintenance activities.

  • Maintenance schedule (what, when, who)
  • Change tickets for all maintenance
  • Maintenance logs (actions performed, results)
  • Equipment inventory (assets serviced, dates, technicians)
  • 3-year retention
  • Quarterly review by IT Security for anomalies

👥 Roles & Responsibilities

CISO / IT Director

  • Approve emergency maintenance outside scheduled windows
  • Review maintenance logs quarterly
  • Approve maintenance tool inventory
  • Authorize vendor access to CUI systems

IT Operations

  • Schedule and perform maintenance
  • Maintain approved tool inventory
  • Document all maintenance activities
  • Escort non-company maintenance personnel

IT Security

  • Monitor remote maintenance sessions
  • Review maintenance logs for anomalies
  • Approve maintenance tools (malware scan)
  • Verify CUI protection during maintenance

Vendors / Contractors

  • Follow company maintenance procedures
  • Use only approved tools
  • Sign NDAs before accessing CUI systems
  • Report any CUI exposure during maintenance

🛠️ Implementation Roadmap (4 Weeks)

1. Procedures & Windows (Weeks 1-2)

  • Define maintenance windows
  • Create maintenance procedure templates
  • Establish change management workflow for maintenance
  • Create approved tool inventory

2. Remote & Vendor Controls (Weeks 3-4)

  • Configure remote maintenance controls (MFA, session recording)
  • Create vendor access procedures and NDA templates
  • Deploy maintenance logging and documentation
  • Train IT staff on new procedures
  • Test remote maintenance workflow end-to-end

Recommended Tools

  • ServiceNow / Jira (change management)
  • TeamViewer / LogMeIn with MFA (remote access)
  • Session recording tools (CyberArk, built-in RDP recording)
  • BitLocker encrypted USB drives (maintenance tools)

📊 CMMC Practice Mapping

Practice ID    Requirement                              Policy Section
MA.L2-3.7.1    Perform maintenance timely               1
MA.L2-3.7.2    Control maintenance activities           2, 4
MA.L2-3.7.3    Require MFA for nonlocal maintenance     4
MA.L2-3.7.4    Maintain equipment securely              2, 6
MA.L2-3.7.5    Approve maintenance tools                3, 5
MA.L2-3.7.6    Supervise non-Company maintenance        5, 6

📋 Evidence Requirements

These are the artifacts a C3PAO assessor will ask for. Start collecting early.

Maintenance Schedule

Format: PDF/Calendar
Frequency: Monthly
Contents: Upcoming maintenance windows with system names and responsible personnel
Tip: Show that maintenance is planned and follows the approved window schedule.

Sample Change Tickets

Format: PDF
Frequency: Ongoing; sample for audit
Contents: 5-10 maintenance change tickets showing full approval workflow
Tip: Include both scheduled and emergency maintenance examples. Show approval, execution, and verification steps.

Maintenance Tool Inventory

Format: Excel
Frequency: Annual update
Contents: Approved tools: name, version, purpose, last malware scan date
Tip: Include both software and hardware tools. Show that each is approved and scanned.

Remote Maintenance Logs

Format: CSV/PDF
Frequency: Per session
Contents: Who, when, what system, duration, approver for all remote sessions
Tip: Include session recordings or detailed logs. Show MFA was used for each session.
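As an added illustration (not part of the NetStable template), this is the kind of quarterly anomaly review that policy section 6 calls for, run over a constructed remote maintenance log in the shape listed above: each session is checked for MFA, a recorded approver, a change ticket, the Sunday 2-6 AM window (or CISO emergency approval), and deactivation of vendor accounts. The column names and sample rows are assumptions.

```python
import csv
import io
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample log (not real data); column names are assumed, following the fields this policy lists.
SAMPLE_LOG = """session_id,technician,start,duration_min,system,approver,mfa,ticket,account_type,account_deactivated
S-001,jdoe,2024-06-02T02:30,90,fileserver-01,IT Security,yes,CHG-1041,employee,n/a
S-002,vendor-acme,2024-06-04T14:00,45,erp-db-01,IT Security,yes,CHG-1042,vendor,no
S-003,asmith,2024-06-09T03:10,30,fileserver-02,,no,,employee,n/a
S-004,vendor-acme,2024-06-09T02:00,60,erp-db-01,CISO,yes,CHG-1044,vendor,yes
"""

# Approved window from the policy example: Sundays 2-6 AM (Monday == 0).
WINDOW_WEEKDAY = 6
WINDOW_START_HOUR, WINDOW_END_HOUR = 2, 6
EMERGENCY_APPROVER = "CISO"  # only approver who may waive the window

def in_window(start: datetime, duration_min: int) -> bool:
    """True if the whole session falls inside the approved window."""
    end = start + timedelta(minutes=duration_min)
    opens = start.replace(hour=WINDOW_START_HOUR, minute=0, second=0)
    closes = start.replace(hour=WINDOW_END_HOUR, minute=0, second=0)
    return start.weekday() == WINDOW_WEEKDAY and opens <= start and end <= closes

def audit_sessions(csv_text: str) -> Dict[str, List[str]]:
    """Return session_id -> list of policy findings (empty list = clean)."""
    findings: Dict[str, List[str]] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = []
        start = datetime.fromisoformat(row["start"])
        if row["mfa"].strip().lower() != "yes":
            issues.append("MFA not used")
        if not row["approver"].strip():
            issues.append("no approver recorded")
        if not row["ticket"].strip():
            issues.append("no change ticket")
        if not in_window(start, int(row["duration_min"])) and row["approver"].strip() != EMERGENCY_APPROVER:
            issues.append("outside maintenance window without CISO emergency approval")
        if row["account_type"] == "vendor" and row["account_deactivated"].strip().lower() != "yes":
            issues.append("vendor account not deactivated after session")
        findings[row["session_id"]] = issues
    return findings

if __name__ == "__main__":
    for sid, issues in audit_sessions(SAMPLE_LOG).items():
        print(sid, "OK" if not issues else "; ".join(issues))
```

Sessions S-002 and S-003 are the ones a reviewer would escalate; an empty list means the session met every check.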

Vendor NDAs

Format: PDF (signed)
Frequency: Per vendor engagement
Contents: Signed NDAs for vendors performing maintenance on CUI systems
Tip: Keep signed copies on file. Reference the specific systems the vendor will access.

⚠️ Common Gaps (What Assessors Flag)

1. Maintenance performed without change tickets

Why this happens: Informal culture; IT staff make changes directly without documentation.
How to close the gap: Enforce change ticket requirement. Even a simple Jira ticket counts. Start with CUI systems and expand.

2. Vendor remote access unmonitored

Why this happens: Vendor was given VPN credentials or a remote tool and left unsupervised.
How to close the gap: Require IT Security to monitor vendor sessions. Use session recording. Create temporary accounts that expire after maintenance.

3. No maintenance tool inventory

Why this happens: IT staff use whatever tools are convenient. No formal approval process.
How to close the gap: Create a spreadsheet of approved tools. Scan each for malware. Block unauthorized tools via application whitelisting.

📝 Template Customization Guide

When filling in the downloadable template for this policy, replace these placeholders with your organization's specifics:

[COMPANY NAME]

Your organization's legal name

Example: Acme Defense Systems, LLC

[CISO Name]

Name of your CISO or IT Director

Example: Jane Smith

Customization Tips

  • 💡 Specify your actual maintenance windows (day/time)
  • 💡 List your approved remote access tools by name
  • 💡 Include your vendor management process and NDA template reference
  • 💡 If you outsource IT, document how the managed service provider follows these requirements
