CMMC Requirement MA.L2-3.7.2 – System Maintenance Control: Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.
This document provides assessment guidance for conducting Cybersecurity Maturity Model Certification (CMMC) assessments for Level 2. NIST resources that defines requirement for controlled maintenance. NIST resources that defines requirements for review, assessment, and approval of system maintenance tools NIST resource that defines requirements for system backup activities. NIST resource that defines processes for maintenance personnel. In this video, Mike breaks down CMMC 2.0 Control MA L2-3.7.2. You need written procedures, you need documentation on your process for allowing access to your systems, you are going to have to justify every step of how you run your system on paper through written procedure and that includes your IT team and who gets access to what and how they get that access.
This requirement addresses security-related issues with maintenance tools that are not within the organizational system boundaries that process, store, or transmit CUI, but are used specifically for diagnostic and repair actions on those systems. Organizations have flexibility in determining the controls in place for maintenance tools, but can include approving, controlling, and monitoring the use of such tools. Maintenance tools are potential vehicles for transporting malicious code, either intentionally or unintentionally, into a facility and into organizational systems. Maintenance tools can include hardware, software, and firmware items, for example, hardware and software diagnostic test equipment and hardware and software packet sniffers.
Further Discussion
Tools used to perform maintenance must remain secure so they do not introduce viruses or other malware into your system. Controlling your maintenance techniques prevents intentional or unintentional harm to your network and systems. Additionally, the personnel responsible for maintenance activities should be supervised considering their elevated privilege on company assets.