MA.L2-3.7.2  

Reference: CMMC v2.13

Family: MA

Level Introduced: 2

Title: System Maintenance Control

Practice:
Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.

Further Discussion:
Tools used to perform maintenance must remain secure so they do not introduce viruses or other malware into your system. Controlling your maintenance techniques prevents intentional or unintentional harm to your network and systems. Additionally, the personnel responsible for maintenance activities should be supervised considering their elevated privilege on company assets.

Example
You are responsible for maintenance activities on your company’s machines. To avoid introducing additional vulnerability into the systems you are maintaining, you make sure that all maintenance tools are approved and their usage is monitored and controlled [a,b]. You ensure the tools are kept current and up-to-date [a]. You and your backup are the only people authorized to use these tools and perform system maintenance [d].

Potential Assessment Considerations
• Are physical or logical access controls used to limit access to maintenance tools to authorized personnel [a]?
• Are physical or logical access controls used to limit access to system documentation and organizational maintenance process documentation to authorized personnel [b]?
• Are physical or logical access controls used to limit access to automated mechanisms (e.g., automated scripts, scheduled jobs) to authorized personnel [c]?
• Are physical or logical access controls used to limit access to the system entry points that enable maintenance (e.g., administrative portals, local and remote console access, and physical equipment panels) to authorized personnel [d]?

Source: CMMC v2.13