3.7.1

Requirement

Perform maintenance on organizational systems.

Discussion

This requirement addresses the information security aspects of the system maintenance program and applies to all types of maintenance to any system component (including hardware, firmware, applications) conducted by any local or nonlocal entity. System maintenance also includes those components not directly associated with information processing and data or information retention such as scanners, copiers, and printers. [26] In general, system maintenance requirements tend to support the security objective of availability. However, improper system maintenance or a failure to perform maintenance can result in the unauthorized disclosure of CUI, thus compromising confidentiality of that information.

More Info

Family

Maintenance
DoD Scoring Methodology Points

3

Related CMMC ID

MA.L2-3.7.1
Related NIST 800-53 ID

MA-2;MA-3;MA-3(1);MA-3(2)
Reference Documents
- N/A

NIST 800-171A Assessment Guidance

Examine

[SELECT FROM: System maintenance policy; procedures addressing controlled system maintenance; maintenance records; manufacturer or vendor maintenance specifications; equipment sanitization records; media sanitization records; security plan; other relevant documents or records].
Interview

[select from: Personnel with system maintenance responsibilities; personnel with information security responsibilities; personnel responsible for media sanitization; system or network administrators].
Test

[SELECT FROM: Organizational processes for scheduling, performing, documenting, reviewing, approving, and monitoring maintenance and repairs for systems; organizational processes for sanitizing system components; mechanisms supporting or implementing controlled maintenance; mechanisms implementing sanitization of system components].

CMMC Training

Our CMMC Overview Course simplifies CMMC. Enroll so you can make informed decisions!