CMMC Practice MA.L2-3.7.2

System Maintenance Control: Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.

Monarch ISC Guidance

Practice care and consistency with how equipment is maintained. Have a written policy that requires specific tools, methods, and defined staff or vendors who are authorized to perform that maintenance. Physically secure your tools and control access to systems to perform maintenance to ensure malicious software is not introduced to systems while conducting maintenance.

Discussion From Source

NIST SP 800-171 R2 This requirement addresses security-related issues with maintenance tools that are not within the organizational system boundaries that process, store, or transmit CUI, but are used specifically for diagnostic and repair actions on those systems. Organizations have flexibility in determining the controls in place for maintenance tools, but can include approving, controlling, and monitoring the use of such tools. Maintenance tools are potential vehicles for transporting malicious code, either intentionally or unintentionally, into a facility and into organizational systems. Maintenance tools can include hardware, software, and firmware items, for example, hardware and software diagnostic test equipment and hardware and software packet sniffers.

References