CMMC Practice MA.L2-3.7.1 – Perform Maintenance: Perform maintenance on organizational systems.
Links to Publicly Available Resources
- This document provides assessment guidance for conducting Cybersecurity Maturity Model Certification (CMMC) assessments for Level 2.
- In this blog, Kaseya will discuss patch management policy best practices and explain how they contribute to a better patching environment for large and small organizations alike.
- This NIST Special Publication is designed to provide guidelines for BIOS protections in server-class systems.
- This NIST Special Publication is designed to provide a comprehensive set of security recommendations for the current landscape of the storage infrastructure.
- This NIST Special Publication is designed to assist organizations in understanding the basics of enterprise patch management technologies.
- NIST resources that define requirements for controlled maintenance.
- NIST resources that define requirements for review, assessment, and approval of system maintenance tools.
- NIST resources that define requirements for nonlocal system maintenance activities.
Discussion [NIST SP 800-171 R2]
This requirement addresses the information security aspects of the system maintenance program and applies to all types of maintenance to any system component (including hardware, firmware, applications) conducted by any local or nonlocal entity. System maintenance also includes those components not directly associated with information processing and data or information retention such as scanners, copiers, and printers.
Further Discussion
One common form of computer security maintenance is regular patching of discovered vulnerabilities in software and operating systems, though there are others that require attention.
System maintenance includes:
- corrective maintenance (e.g., repairing problems with the technology);
- preventative maintenance (e.g., updates to prevent potential problems);
- adaptive maintenance (e.g., changes to the operative environment); and
- perfective maintenance (e.g., improve operations).