NetStable
Level 2 MA.L2-3.7.1

Perform maintenance on organizational systems

📖 What This Means

This practice requires organizations to regularly maintain their systems to ensure they operate securely and efficiently. Maintenance includes tasks like applying software updates, replacing hardware, and troubleshooting issues. Doing this helps prevent vulnerabilities that attackers could exploit. For example, if a server's software isn't updated, it could have security flaws that hackers can use to steal sensitive information. Another example is replacing aging hardware before it fails, which prevents unexpected downtime that could disrupt operations.

🎯 Why It Matters

Failing to maintain systems can lead to security breaches, data loss, and operational disruptions. For instance, in 2017, Equifax suffered a massive breach because they didn’t patch a known vulnerability, exposing the personal data of 147 million people. The cost of such breaches can be astronomical, including fines, legal fees, and reputational damage. From the DoD/CMMC perspective, this control ensures that systems handling Controlled Unclassified Information (CUI) remain secure and reliable, reducing the risk of compromise.

How to Implement

  1. Enable automated patch management in your cloud provider (e.g., AWS Systems Manager Patch Manager, Azure Update Management).
  2. Schedule regular maintenance windows for updates and ensure minimal downtime.
  3. Monitor cloud resources for performance and security issues using tools like CloudWatch or Azure Monitor.
  4. Use Infrastructure as Code (IaC) tools like Terraform to automate system maintenance tasks.
  5. Ensure all maintenance activities are logged and auditable.
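Step 5 is the one assessors most often test with evidence: an export from the patch tool has to show, per in-scope host, when patches were installed and whether they succeeded. The script below is an added example written for this page, not NetStable's tooling or any vendor's export format. It assumes a constructed CSV with the columns `host,patch_id,installed_on,status` (the same content the Patch Management Logs evidence item describes), a constructed inventory of hosts inside the CUI boundary, and an assumed 30-day patch-age limit; it flags failed installs, hosts whose last successful patch is older than the limit, and hosts that are in the inventory but never appear in the log, which is the gap a per-host view from the patch tool alone will not show.

```python
import csv
import io
from datetime import date, datetime

# Constructed sample export: hostnames and patch identifiers are made up.
SAMPLE_PATCH_LOG = """host,patch_id,installed_on,status
web-01,KB5000001,2024-05-02,success
web-01,KB5000002,2024-05-09,failed
db-01,KB5000001,2024-03-15,success
app-01,KB5000001,2024-05-06,success
app-01,KB5000002,2024-05-06,success
"""

# Constructed inventory of in-scope hosts (the CUI boundary). fs-01 is listed
# here but never reports to the patch tool, so it must still be flagged.
SAMPLE_INVENTORY = ["app-01", "db-01", "fs-01", "web-01"]


def parse_patch_log(text):
    """Parse a CSV export into dicts with typed dates and a normalised status."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "host": row["host"].strip(),
            "patch_id": row["patch_id"].strip(),
            "installed_on": datetime.strptime(row["installed_on"].strip(), "%Y-%m-%d").date(),
            "status": row["status"].strip().lower(),
        })
    return rows


def audit_patch_log(rows, inventory, as_of, max_age_days=30):
    """Return {host: [finding, ...]}; an empty list means the host is compliant.

    max_age_days is an assumed threshold, not a value the control prescribes.
    """
    by_host = {}
    for r in rows:
        by_host.setdefault(r["host"], []).append(r)

    findings = {}
    # Walk the union so that both unreporting hosts and unknown hosts surface.
    for host in sorted(set(inventory) | set(by_host)):
        entries = by_host.get(host, [])
        host_findings = []
        if host not in inventory:
            host_findings.append("host not in inventory (scope mismatch)")
        if not entries:
            host_findings.append("no entries in patch log")
            findings[host] = host_findings
            continue
        failed = sorted(e["patch_id"] for e in entries if e["status"] != "success")
        if failed:
            host_findings.append("failed installs: " + ", ".join(failed))
        successes = [e["installed_on"] for e in entries if e["status"] == "success"]
        if not successes:
            host_findings.append("no successful patch recorded")
        else:
            age = (as_of - max(successes)).days
            if age > max_age_days:
                host_findings.append(f"last successful patch {age} days ago (limit {max_age_days})")
        findings[host] = host_findings
    return findings


def noncompliant_hosts(findings):
    """Hosts with at least one finding, in the order the audit produced them."""
    return [h for h, f in findings.items() if f]


def run_sample_audit(as_of=date(2024, 5, 15)):
    """Run the audit over the constructed sample data as of a fixed date."""
    return audit_patch_log(parse_patch_log(SAMPLE_PATCH_LOG), SAMPLE_INVENTORY, as_of)


if __name__ == "__main__":
    for host, items in run_sample_audit().items():
        print(host, "OK" if not items else "; ".join(items))
```

Run against a real export, the script's output is itself an evidence artifact for the weekly Patch Management Logs item: it ties the raw tool export to the in-scope inventory and gives the assessor a per-host pass/fail rather than a spreadsheet to interpret.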
⏱️ Estimated Effort

20-40 hours initially, ongoing effort of 5-10 hours/month. Requires intermediate IT skills.

📋 Evidence Examples

Maintenance Schedule

Format: Excel/PDF
Frequency: Monthly
Contents: Dates, tasks, responsible personnel
Collection: Export from maintenance management tool

Patch Management Logs

Format: CSV/PDF
Frequency: Weekly
Contents: Patch details, installation dates, success/failure status
Collection: Export from patch management tool

Hardware Maintenance Reports

Format: PDF
Frequency: Quarterly
Contents: Hardware checks, replacements, issues found
Collection: Manual or tool-generated

Maintenance Policy

Format: PDF
Frequency: Annual
Contents: Procedures, roles, responsibilities
Collection: Document drafted by IT/compliance team

Training Records

Format: Excel/PDF
Frequency: Annual
Contents: Staff names, training dates, topics covered
Collection: Export from HR/training system

📝 SSP Guidance

Use this guidance when writing the System Security Plan (SSP) narrative for this control.

How to Write the SSP Narrative

For MA.L2-3.7.1 ("Perform maintenance on organizational systems"), your SSP narrative should specifically describe: (1) the tools and technologies you use to implement this control, (2) the configuration or process that enforces it, (3) who is responsible for maintaining it, and (4) what evidence proves it's working. Describe how system maintenance is controlled, including scheduling, change management, tool approval, remote maintenance security, and personnel authorization. Be specific -- name your actual products, settings, and responsible personnel.

Example SSP Narratives

Cloud (Azure/AWS)

"MA.L2-3.7.1 is implemented using cloud-native controls. [Organization] uses [specific cloud service/feature] to perform maintenance on organizational systems. The configuration is managed through [Azure Policy/AWS Config/Terraform] and monitored via [SIEM tool]. Responsible party: [IT Security Manager]. Evidence: [specific artifact, e.g., 'Azure AD Conditional Access policy screenshot, CloudTrail logs']."

On-Premise

"MA.L2-3.7.1 is implemented through on-premise infrastructure controls. [Organization] uses [Active Directory/Group Policy/specific tool] to perform maintenance on organizational systems. Configuration is documented in [location] and audited [frequency]. Responsible party: [System Administrator]. Evidence: [specific artifact, e.g., 'Group Policy export, Windows Event logs']."

Hybrid

"MA.L2-3.7.1 is implemented across both cloud and on-premise environments. [Organization] uses [Azure AD Connect/hybrid tool] to ensure consistent enforcement. Cloud resources are managed via [cloud tool] and on-premise systems via [on-prem tool]. Both environments report to [centralized SIEM]. Responsible party: [IT Director]. Evidence: [artifacts from both environments]."

System Boundary Considerations

  • Identify systems within the CUI boundary requiring maintenance
  • Document maintenance windows and change control process
  • Specify remote maintenance tools and access controls
  • Ensure this control covers all systems within your defined CUI boundary where performing maintenance on organizational systems applies
  • Document any systems where this control is not applicable and explain why

Key Documentation to Reference in SSP

  • 📄 Maintenance Policy
  • 📄 Change management records
  • 📄 Approved maintenance tool inventory
  • 📄 Remote maintenance session logs
  • 📄 Evidence artifacts specific to MA.L2-3.7.1
  • 📄 POA&M entry if control is not fully implemented

What the Assessor Looks For

The assessor will review maintenance records for proper approval workflow, verify remote maintenance uses MFA and is logged, and check that non-company maintenance personnel are supervised.

💬 Self-Assessment Questions

Use these questions to assess your compliance. Each "NO" answer provides specific remediation guidance.

Question 1: Do you have a documented maintenance schedule?

✅ YES → Proceed to Q2
❌ NO → GAP: Create a maintenance schedule that includes all systems and tasks. Complete within 2 weeks.
Remediation:
Use a template or tool to draft and approve the schedule.

Question 2: Are all systems regularly updated with patches?

✅ YES → Proceed to Q3
❌ NO → GAP: Implement a patch management tool and apply updates immediately. Complete within 1 week.
Remediation:
Use WSUS, SCCM, or cloud-native tools.

Question 3: Are maintenance activities logged and auditable?

✅ YES → Proceed to Q4
❌ NO → GAP: Ensure logs are centralized and retained for at least 1 year. Complete within 1 week.
Remediation:
Use logging tools or manual logs.

Question 4: Is staff trained on maintenance procedures?

✅ YES → Proceed to Q5
❌ NO → GAP: Schedule training sessions for IT staff. Complete within 2 weeks.
Remediation:
Use online courses or internal training materials.

Question 5: Is hardware regularly checked and replaced as needed?

✅ YES → You are compliant.
❌ NO → GAP: Perform a hardware audit and replace failing components. Complete within 1 month.
Remediation:
Use hardware monitoring tools or manual checks.

⚠️ Common Mistakes (What Auditors Flag)

1. Missing patches or updates.

Why this happens: Lack of automated tools or oversight.
How to avoid: Use patch management tools and set reminders.

2. Incomplete maintenance logs.

Why this happens: Manual logging is inconsistent.
How to avoid: Centralize logs using tools or templates.

3. No documented maintenance policy.

Why this happens: Policy creation is overlooked.
How to avoid: Draft and approve a policy with IT and compliance teams.

4. Untrained staff.

Why this happens: Training is not prioritized.
How to avoid: Schedule regular training sessions.

5. Ignoring hardware maintenance.

Why this happens: Focus is only on software.
How to avoid: Include hardware checks in the maintenance schedule.

📚 Parent Policy

This practice is governed by the Maintenance Policy.

View MA Policy →

📚 Related Controls