NetStable
Level 2 MA.L2-3.7.2

Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance

📖 What This Means

This control requires organizations to implement safeguards for all tools, techniques, and personnel involved in system maintenance to prevent unauthorized access or tampering. It means you must track who performs maintenance, what tools they use, and how they access systems, ensuring that only approved methods and trusted individuals are allowed. For example, if a vendor needs to patch a server, you should verify their identity, log their activities, and ensure they use only pre-approved software. Another example: remote maintenance sessions must use encrypted connections (such as VPNs) and be monitored. The goal is to prevent malicious actors from exploiting maintenance activities as an entry point into your systems.

🎯 Why It Matters

Uncontrolled maintenance activities are a top attack vector for data breaches. A 2022 Ponemon study found that 56% of breaches involved privileged access abuse during maintenance. In one real incident, a defense contractor's HVAC vendor used unapproved remote access tools, leading to a ransomware infection that cost $4.2M in recovery. The DoD specifically requires this control because maintenance accounts often have elevated privileges; if compromised, they could expose Controlled Unclassified Information (CUI). CMMC treats this as a Level 2 requirement because improper maintenance controls directly enable lateral movement in networks.

✅ How to Implement

  1. In AWS/Azure/GCP, create separate IAM roles for maintenance personnel with time-bound permissions (e.g., 4-hour JIT access).
  2. Enable CloudTrail/Azure Activity Log/GCP Audit Logs to record all maintenance sessions.
  3. Restrict maintenance tools to approved instances (e.g., only allow SSM Session Manager in AWS, block third-party RDP clients).
  4. Implement Service Control Policies (SCPs) or Organization Policies to block unapproved regions/APIs during maintenance.
  5. Require MFA for all maintenance sessions and document approvals in a ticketing system like ServiceNow or Jira.
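
As an added example (not code from this page or from NetStable), the following Python script lints the permission policy of an AWS maintenance role against steps 1, 3 and 5 above: only the approved tool (SSM Session Manager) may be allowed, MFA must be required, access must expire within a 4-hour window, and session targets must be limited to instances carrying an approved tag. The condition keys aws:MultiFactorAuthPresent, aws:CurrentTime and ssm:resourceTag/<key> are real IAM condition keys; the tag name MaintenanceApproved, the sample policies and the reference time are constructed for the example.

```python
"""Lint an AWS IAM policy document for the maintenance-role guardrails above.

Added example, not code from the original page or from NetStable. It assumes
the approved maintenance tool is SSM Session Manager and that approved target
instances carry the (hypothetical) tag MaintenanceApproved=true. The sample
policies and the reference time are constructed.
"""
import json
from datetime import datetime, timezone

# Assumption: only Session Manager actions count as an approved maintenance tool.
APPROVED_ACTIONS = {"ssm:StartSession", "ssm:ResumeSession", "ssm:TerminateSession"}
TARGET_TAG_KEY = "ssm:resourceTag/MaintenanceApproved"   # hypothetical tag name
MAX_WINDOW_HOURS = 4                                     # 4-hour JIT window (step 1)


def _as_list(value):
    """IAM allows scalars or lists in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def lint_maintenance_policy(policy: dict, now: datetime) -> list[str]:
    """Return findings for each Allow statement; an empty list means it passes."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        cond = stmt.get("Condition", {})

        # (a) tool restriction: every allowed action must be an approved one
        unapproved = sorted(set(_as_list(stmt.get("Action", []))) - APPROVED_ACTIONS)
        if unapproved:
            findings.append(f"statement {i}: unapproved actions {unapproved}")

        # (b) MFA: Bool aws:MultiFactorAuthPresent must be true
        mfa = cond.get("Bool", {}).get("aws:MultiFactorAuthPresent")
        if str(mfa).lower() != "true":
            findings.append(f"statement {i}: no aws:MultiFactorAuthPresent=true condition")

        # (c) time-bound: DateLessThan aws:CurrentTime, and within the JIT window
        expiry = cond.get("DateLessThan", {}).get("aws:CurrentTime")
        if expiry is None:
            findings.append(f"statement {i}: not time-bound (no DateLessThan aws:CurrentTime)")
        else:
            exp = datetime.fromisoformat(expiry.replace("Z", "+00:00"))
            if exp <= now:
                findings.append(f"statement {i}: access window expired at {expiry}")
            elif (exp - now).total_seconds() > MAX_WINDOW_HOURS * 3600:
                findings.append(f"statement {i}: window longer than {MAX_WINDOW_HOURS}h")

        # (d) target restriction: sessions only to approved, tagged instances
        if str(cond.get("StringEquals", {}).get(TARGET_TAG_KEY, "")).lower() != "true":
            findings.append(f"statement {i}: targets not restricted by {TARGET_TAG_KEY}")
    return findings


# Constructed reference time for the check (in production use datetime.now(timezone.utc)).
NOW = datetime(2025, 1, 15, 9, 0, tzinfo=timezone.utc)

# Constructed sample: a policy that follows steps 1, 3 and 5.
GOOD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ssm:StartSession", "ssm:TerminateSession"],
        "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
        "Condition": {
            "Bool": {"aws:MultiFactorAuthPresent": "true"},
            "DateLessThan": {"aws:CurrentTime": "2025-01-15T13:00:00Z"},
            "StringEquals": {TARGET_TAG_KEY: "true"},
        },
    }],
}

# Constructed sample: the shape auditors flag (open-ended, unconditioned access).
BAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

if __name__ == "__main__":
    for name, pol in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(name, json.dumps(lint_maintenance_policy(pol, NOW), indent=2))
```

Run it over the JSON returned by `aws iam get-role-policy` before a maintenance role is attached, or as a CI step for Terraform-managed roles; an empty findings list is the artifact to keep with the change ticket.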
โฑ๏ธ
Estimated Effort
2-3 days for SMEs to implement, plus ongoing monitoring. Skill level: Intermediate (requires networking + IAM knowledge).

📋 Evidence Examples

Approved Maintenance Tools List

Format: Excel/PDF
Frequency: Update quarterly or when new tools are introduced
Contents: Tool name, version, approval date, business justification
Collection: Export from CMDB or manually maintained spreadsheet

Maintenance Session Logs

Format: CSV (from SIEM/PAM)
Frequency: Retain for 6 months
Contents: Timestamp, user, tool used, systems accessed, session duration
Collection: Automated daily exports from Splunk/CyberArk

Vendor Maintenance Agreement

Format: PDF
Frequency: Review annually
Contents: SOW specifying tools/techniques allowed, escort requirements
Collection: Signed copy from procurement team

MFA Configuration Screenshot

Format: PNG
Frequency: Update when policies change
Contents: Azure Conditional Access policy requiring MFA for maintenance accounts
Collection: Azure Portal screenshot with timestamp

๐Ÿ“ SSP Guidance

Use this guidance when writing the System Security Plan (SSP) narrative for this control.

How to Write the SSP Narrative

For MA.L2-3.7.2 ("Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance"), your SSP narrative should specifically describe: (1) the tools and technologies you use to implement this control, (2) the configuration or process that enforces it, (3) who is responsible for maintaining it, and (4) what evidence proves it is working. Describe how system maintenance is controlled, including scheduling, change management, tool approval, remote maintenance security, and personnel authorization. Be specific: name your actual products, settings, and responsible personnel.

Example SSP Narratives

Cloud (Azure/AWS)

"MA.L2-3.7.2 is implemented using cloud-native controls. [Organization] uses [specific cloud service/feature] to provide controls on the tools, techniques, mechanisms, and personnel used to con.... The configuration is managed through [Azure Policy/AWS Config/Terraform] and monitored via [SIEM tool]. Responsible party: [IT Security Manager]. Evidence: [specific artifact, e.g., 'Azure AD Conditional Access policy screenshot, CloudTrail logs']."

On-Premise

"MA.L2-3.7.2 is implemented through on-premise infrastructure controls. [Organization] uses [Active Directory/Group Policy/specific tool] to provide controls on the tools, techniques, mechanisms, and personnel used to con.... Configuration is documented in [location] and audited [frequency]. Responsible party: [System Administrator]. Evidence: [specific artifact, e.g., 'Group Policy export, Windows Event logs']."

Hybrid

"MA.L2-3.7.2 is implemented across both cloud and on-premise environments. [Organization] uses [Azure AD Connect/hybrid tool] to ensure consistent enforcement. Cloud resources are managed via [cloud tool] and on-premise systems via [on-prem tool]. Both environments report to [centralized SIEM]. Responsible party: [IT Director]. Evidence: [artifacts from both environments]."

System Boundary Considerations

  • Identify systems within the CUI boundary requiring maintenance
  • Document maintenance windows and change control process
  • Specify remote maintenance tools and access controls
  • Ensure this control covers all systems within your defined CUI boundary where the requirement (controlling the tools, techniques, mechanisms, and personnel used to conduct system maintenance) applies
  • Document any systems where this control is not applicable and explain why

Key Documentation to Reference in SSP

  • 📄 Maintenance Policy
  • 📄 Change management records
  • 📄 Approved maintenance tool inventory
  • 📄 Remote maintenance session logs
  • 📄 Evidence artifacts specific to MA.L2-3.7.2
  • 📄 POA&M entry if control is not fully implemented

What the Assessor Looks For

The assessor will review maintenance records for proper approval workflow, verify remote maintenance uses MFA and is logged, and check that non-company maintenance personnel are supervised.

💬 Self-Assessment Questions

Use these questions to assess your compliance. Each "NO" answer provides specific remediation guidance.

Question 1: Do you maintain an up-to-date inventory of all approved maintenance tools?

✅ YES → Proceed to Q2
❌ NO → GAP: Create a spreadsheet listing tools with approval dates. Use OpenSCAP to scan for unapproved tools. Remediate within 2 weeks.
Remediation:
Document approval process in MA-3.7.2 procedure

Question 2: Are all remote maintenance sessions recorded and reviewed?

✅ YES → Proceed to Q3
❌ NO → GAP: Implement session recording via PAM or native cloud logging. Start with free Wazuh for SMEs. Deadline: 30 days.
Remediation:
Configure Splunk alerts for unusual maintenance patterns

Question 3: Do maintenance personnel use separate accounts with MFA?

✅ YES → Proceed to Q4
❌ NO → GAP: Create dedicated maintenance accounts in AD/Azure AD with MFA enforcement. Use conditional access if available. Complete within 1 week.
Remediation:
Train staff on new account procedures

Question 4: Is there a process to deprovision maintenance access after work completes?

✅ YES → Proceed to Q5
❌ NO → GAP: Implement JIT access or 24-hour expiration for vendor accounts. Use Azure PIM or equivalent. Deadline: 2 weeks.
Remediation:
Add to vendor offboarding checklist

Question 5: Can you produce logs showing a recent maintenance session with all required controls?

✅ YES → COMPLIANT
❌ NO → GAP: Run a test maintenance session and document evidence gaps. Fix logging/config issues within 10 business days.
Remediation:
Update evidence collection procedures
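
The "Maintenance Session Logs" evidence item above and Questions 2 and 5 come down to the same artifact: one record per session with timestamp, user, tool used, systems accessed and duration, plus a flag wherever a required control was missing. The following Python, added here as an example and not code from this page or from NetStable, derives that record from CloudTrail-style JSON lines and exports it as the CSV the evidence table asks for. The four log records are constructed; the field names (eventSource, eventName, userIdentity.sessionContext.attributes.mfaAuthenticated, requestParameters.target, responseElements.sessionId) follow the documented CloudTrail record format, and treating EC2 Instance Connect as an unapproved tool is an assumption made for the example.

```python
"""Build maintenance-session evidence from CloudTrail-style records.

Added example, not code from the original page or from NetStable. It assumes
approved sessions go through SSM Session Manager (StartSession/TerminateSession
events) and that EC2 Instance Connect is not on the approved tools list. The
log records below are constructed; field names follow the CloudTrail format.
"""
import csv
import io
import json
from datetime import datetime

# Assumed mapping from CloudTrail event source to the maintenance tool it represents.
TOOL_NAMES = {
    "ssm.amazonaws.com": "SSM Session Manager",
    "ec2-instance-connect.amazonaws.com": "EC2 Instance Connect",
}
APPROVED_TOOLS = {"SSM Session Manager"}   # assumed approved maintenance tools list

# Columns from the "Maintenance Session Logs" evidence item.
FIELDS = ["timestamp", "user", "tool", "systems", "duration_min", "findings"]

# Constructed sample export: one CloudTrail record per line.
SAMPLE_EVENTS = '''
{"eventTime":"2025-01-15T09:05:00Z","eventSource":"ssm.amazonaws.com","eventName":"StartSession","userIdentity":{"arn":"arn:aws:sts::123456789012:assumed-role/MaintenanceRole/vendor.alice","sessionContext":{"attributes":{"mfaAuthenticated":"true"}}},"requestParameters":{"target":"i-0aaa111"},"responseElements":{"sessionId":"vendor.alice-01"}}
{"eventTime":"2025-01-15T09:47:00Z","eventSource":"ssm.amazonaws.com","eventName":"TerminateSession","userIdentity":{"arn":"arn:aws:sts::123456789012:assumed-role/MaintenanceRole/vendor.alice","sessionContext":{"attributes":{"mfaAuthenticated":"true"}}},"requestParameters":{"sessionId":"vendor.alice-01"}}
{"eventTime":"2025-01-15T22:10:00Z","eventSource":"ssm.amazonaws.com","eventName":"StartSession","userIdentity":{"arn":"arn:aws:sts::123456789012:assumed-role/MaintenanceRole/vendor.bob","sessionContext":{"attributes":{"mfaAuthenticated":"false"}}},"requestParameters":{"target":"i-0bbb222"},"responseElements":{"sessionId":"vendor.bob-07"}}
{"eventTime":"2025-01-16T03:30:00Z","eventSource":"ec2-instance-connect.amazonaws.com","eventName":"SendSSHPublicKey","userIdentity":{"arn":"arn:aws:iam::123456789012:user/contractor.carol"},"requestParameters":{"instanceId":"i-0ccc333"}}
'''


def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _principal(event):
    """Last ARN segment: the role session name or the IAM user name."""
    return event["userIdentity"]["arn"].rsplit("/", 1)[-1]


def _mfa(event):
    """mfaAuthenticated lives under sessionContext; if it is absent, MFA is unproven."""
    ctx = event["userIdentity"].get("sessionContext", {})
    return ctx.get("attributes", {}).get("mfaAuthenticated") == "true"


def build_session_log(json_lines):
    """Return one evidence record per maintenance access, with findings filled in."""
    events = [json.loads(line) for line in json_lines.splitlines() if line.strip()]
    open_sessions = {}   # sessionId -> record awaiting its TerminateSession
    records = []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        src, name = ev["eventSource"], ev["eventName"]
        if src not in TOOL_NAMES:
            continue   # not a maintenance access path we track
        if src == "ssm.amazonaws.com" and name == "TerminateSession":
            rec = open_sessions.pop(ev["requestParameters"]["sessionId"], None)
            if rec:
                delta = _ts(ev["eventTime"]) - _ts(rec["timestamp"])
                rec["duration_min"] = int(delta.total_seconds() // 60)
            continue
        if src == "ssm.amazonaws.com" and name != "StartSession":
            continue   # other SSM API calls (DescribeSessions etc.) are not sessions
        params = ev.get("requestParameters", {})
        rec = {
            "timestamp": ev["eventTime"],
            "user": _principal(ev),
            "tool": TOOL_NAMES[src],
            "systems": params.get("target") or params.get("instanceId", ""),
            "duration_min": None,
            "mfa": _mfa(ev),
        }
        if name == "StartSession":
            open_sessions[ev["responseElements"]["sessionId"]] = rec
        records.append(rec)

    for rec in records:
        findings = []
        if rec["tool"] not in APPROVED_TOOLS:
            findings.append("unapproved tool")
        if not rec["mfa"]:
            findings.append("no MFA")
        if rec["tool"] in APPROVED_TOOLS and rec["duration_min"] is None:
            findings.append("session not terminated")
        rec["findings"] = ";".join(findings)
    return records


def to_csv(records):
    """Render the evidence records as CSV with the columns from the evidence table."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, extrasaction="ignore")
    writer.writeheader()
    writer.writerows(records)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(build_session_log(SAMPLE_EVENTS)))
```

Feed it the daily CloudTrail export from the SIEM; rows with an empty findings column are the evidence for Question 5, and any non-empty row is a gap to work in the ticketing system before the next review.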

โš ๏ธ Common Mistakes (What Auditors Flag)

1. Allowing vendors to use personal TeamViewer accounts

Why this happens: Convenience over security
How to avoid: Require corporate-managed remote access tools only

2. Shared maintenance accounts without MFA

Why this happens: Legacy practices
How to avoid: Implement named accounts with Azure MFA/Duo

3. No logging for local maintenance (USB drives, consoles)

Why this happens: Focus only on remote access
How to avoid: Deploy endpoint DLP and require ticket numbers for physical access

4. Approved tools list hasn't been updated in 2+ years

Why this happens: Lack of periodic review
How to avoid: Calendar quarterly reviews with IT

5. Missing vendor escort documentation for CUI systems

Why this happens: Assuming NDAs cover everything
How to avoid: Use physical sign-in sheets with system-specific columns

📚 Parent Policy

This practice is governed by the Maintenance Policy

View MA Policy →

📚 Related Controls