CMMC MA.L2-3.7.1: Perform Maintenance on Organizational Information Systems
System maintenance is critical to CMMC Level 2 compliance, but ad-hoc patching and updates create security gaps. MA.L2-3.7.1 requires organizations to establish formal maintenance procedures that protect systems while keeping them operationally sound. This control ensures your IT environment stays secure and audit-ready.
What this means
This control requires you to develop and execute a documented maintenance process for all organizational information systems. You must define maintenance procedures, schedule maintenance activities, apply security patches and updates systematically, document all maintenance performed, and verify that maintenance doesn't compromise system security or integrity. The goal is ensuring systems remain functional, secure, and compliant throughout their operational lifecycle.
How to comply
- 1.Create a formal maintenance policy that covers all systems, equipment, and software under your control
- 2.Establish a maintenance schedule that balances security updates with operational requirements
- 3.Document all maintenance activities including what was done, when, by whom, and system impact
- 4.Implement change management controls before applying patches or updates to production systems
- 5.Verify system functionality and security posture after each maintenance activity
- 6.Maintain records of all maintenance for audit and compliance demonstration purposes
- 7.Review and update maintenance procedures annually or when systems change significantly
Evidence auditors look for
- Documented system maintenance policy and procedures
- Maintenance schedule and calendar showing planned activities
- Maintenance logs with timestamps, personnel, and system changes
- Change management request and approval records
- Patch and update deployment records
- Post-maintenance verification reports confirming system functionality
- Audit trails showing maintenance activity and personnel authorization
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates maintenance logging and tracks compliance by centralizing all maintenance records, scheduling reminders for routine activities, and generating audit-ready documentation—eliminating manual tracking and ensuring no maintenance activity falls through the cracks.
See how GRCWatch handles this control automatically
Start free trial