Maintenance.
Keeping systems running without opening a door nobody's watching.
Maintenance is 6 of Level 2’s 110 requirements. It governs the routine, necessary work of keeping systems running — patches, repairs, diagnostics — without turning that work into an unmonitored way past the rest of the program’s controls. A technician with a laptop full of diagnostic tools, or a piece of hardware headed off-site for repair, is a legitimate part of operating a system responsibly; MA is what keeps that legitimate activity from becoming the easiest way to move CUI out the door or malicious code in.
This page explains the family. It does not replace the requirement text or assessment objectives.
01What this family protects
Maintenance protects the boundary during the moments it’s most likely to be down — when a system is being worked on by someone, possibly from outside the organization, with access broader than day-to-day operation requires. It doesn’t stop maintenance from happening; it makes sure maintenance happens under the same discipline as everything else.
02The rule says
All 6 requirements, condensed to their operative sentence. NIST SP 800-171 Rev. 2 §3.7 has the full text and discussion for each; Source Library covers when to open it.
| § | Requirement |
|---|---|
| 3.7.1 | Perform maintenance on organizational systems. |
| 3.7.2 | Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance. |
| 3.7.3 | Ensure equipment removed for off-site maintenance is sanitized of any CUI. |
| 3.7.4 | Check media containing diagnostic and test programs for malicious code before the media are used in organizational systems. |
| 3.7.5 | Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete. |
| 3.7.6 | Supervise the maintenance activities of maintenance personnel without required access authorization. |
03In practice
Maintenance itself, and controlling how it happens (3.7.1–3.7.2). The baseline requirement is simply that maintenance gets performed — patches applied, hardware serviced, firmware updated — across every system component, not just the obvious ones. What earns its own requirement is controlling the tools and people used to do it: diagnostic laptops, packet sniffers, and the technicians running them are potential ways for malicious code to enter a facility, so organizations decide what oversight those tools and people get.
Off-site work (3.7.3–3.7.4). Equipment leaving the building for repair gets sanitized of CUI first — a failed hard drive sent back under warranty is still a hard drive that may have held drawings or specs. Diagnostic media coming back in gets checked for malicious code before it touches a live system.
Remote maintenance and unvetted personnel (3.7.5–3.7.6). A vendor dialing in remotely to diagnose a problem authenticates with multifactor authentication, and that session ends when the work is done — it doesn’t stay open. And anyone doing hands-on maintenance who isn’t already an authorized, vetted user — an outside technician on short notice — gets supervised while they work, rather than left alone with system access.
04Where it fails
The gap that shows up most is off-site sanitization (3.7.3) — a piece of failed hardware goes back to the manufacturer under warranty with the drive still in it, because pulling and replacing the drive felt like it would slow down the repair or void the warranty. The second is supervision (3.7.6): an emergency vendor visit, arranged same-day because something broke, gets a badge and a “let me know when you’re done” instead of someone actually staying in the room.
05What evidence may look like
A maintenance log showing what was serviced, by whom, and when; a sanitization record or checklist for equipment that left the building for repair; multifactor authentication configuration on the remote-access path vendors use for nonlocal maintenance; and a note — even informal — of who supervised an unescorted technician’s visit and when the session ended.
06At the shop
Blanchard Tool & Machining is the desk’s fictional composite (any resemblance to an actual company is coincidental). Blanchard’s CNC machines get serviced quarterly by the equipment vendor, who connects remotely through the same MFA-protected VPN the regional MSP uses — never a separate, unmonitored connection the vendor set up on their own. When a failed drive from the file server went back under warranty last year, the two-person IT team pulled it, wiped it with the MSP’s sanitization utility, and shipped a blank replacement back instead — the vendor swapped it, and no CUI ever left the building.
07Commonly confused with
Configuration Management (CM). MA is about the act of servicing and repairing systems; CM is about controlling what changes are allowed once a system is configured. A maintenance visit that changes a setting touches both families — MA governs how the visit itself is controlled, CM governs whether that change was authorized. See Configuration Management.
Media Protection (MP). MA’s sanitization requirement (3.7.3) is scoped narrowly to equipment leaving for maintenance; MP’s sanitization requirement (3.8.3) covers any media being disposed of or reused. The mechanics overlap; the trigger differs. See Media Protection.
08Cross-desk links
None load-bearing for this family. See Configuration Management and Media Protection for the two families MA overlaps with most.
09Sources
| Document | What it’s for |
|---|---|
| NIST SP 800-171 Rev. 2, §3.7 | Full requirement text and discussion for all 6 MA requirements. |
| NIST SP 800-171A | Assessment objectives — how an assessor determines MET for each MA requirement. |
| 32 CFR 170.4 | Defines “CMMC Level 2 security requirement” and ties the 800-171 R2 families to the CMMC Program. |