• Requirement

    Perform maintenance on organizational systems.

  • Discussion

    This requirement addresses the information security aspects of the system maintenance program and applies to all types of maintenance to any system component (including hardware, firmware, applications) conducted by any local or nonlocal entity. System maintenance also includes those components not directly associated with information processing and data or information retention such as scanners, copiers, and printers.

More Info

  • Title

    Perform Maintenance
  • Domain

  • CMMC Level

  • Related NIST 800-171 ID

  • Related NIST 800-53 ID


  • DoD Scoring Methodology Points


  • Reference Documents

    • N/A

  • Further Discussion

    One common form of computer security maintenance is regular patching of discovered vulnerabilities in software and operating systems, though there are others that require attention.

    System maintenance includes:

    • corrective maintenance (e.g., repairing problems with the technology);
    • preventative maintenance (e.g., updates to prevent potential problems);
    • adaptive maintenance (e.g., changes to the operative environment); and
    • perfective maintenance (e.g., improve operations).


    You are responsible for maintenance activities on your company’s machines. This includes regular planned maintenance, unscheduled maintenance, reconfigurations when required, and damage repairs [a]. You know that failing to conduct maintenance activities can impact system security and availability, so you ensure that maintenance is regularly performed. You track all maintenance performed to assist with troubleshooting later if needed.

    Potential Assessment Considerations

    • Are systems, devices, and supporting systems maintained per manufacturer recommendations or company defined schedules [a]?

NIST 800-171A Assessment Guidance
