GRCWatch
Sign inStart free trial

CMMC MA.L2-3.7.1: Perform Maintenance on Organizational Information Systems

System maintenance is critical to CMMC Level 2 compliance, but ad-hoc patching and updates create security gaps. MA.L2-3.7.1 requires organizations to establish formal maintenance procedures that protect systems while keeping them operationally sound. This control ensures your IT environment stays secure and audit-ready.

What this means

This control requires you to develop and execute a documented maintenance process for all organizational information systems. You must define maintenance procedures, schedule maintenance activities, apply security patches and updates systematically, document all maintenance performed, and verify that maintenance doesn't compromise system security or integrity. The goal is ensuring systems remain functional, secure, and compliant throughout their operational lifecycle.

How to comply

  1. 1.Create a formal maintenance policy that covers all systems, equipment, and software under your control
  2. 2.Establish a maintenance schedule that balances security updates with operational requirements
  3. 3.Document all maintenance activities including what was done, when, by whom, and system impact
  4. 4.Implement change management controls before applying patches or updates to production systems
  5. 5.Verify system functionality and security posture after each maintenance activity
  6. 6.Maintain records of all maintenance for audit and compliance demonstration purposes
  7. 7.Review and update maintenance procedures annually or when systems change significantly

Evidence auditors look for

  • Documented system maintenance policy and procedures
  • Maintenance schedule and calendar showing planned activities
  • Maintenance logs with timestamps, personnel, and system changes
  • Change management request and approval records
  • Patch and update deployment records
  • Post-maintenance verification reports confirming system functionality
  • Audit trails showing maintenance activity and personnel authorization

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates maintenance logging and tracks compliance by centralizing all maintenance records, scheduling reminders for routine activities, and generating audit-ready documentation—eliminating manual tracking and ensuring no maintenance activity falls through the cracks.

See how GRCWatch handles this control automatically

Start free trial

Related controls

MA.L2-3.7.2 — Provide MaintenanceIA.L2-2.1.1 — User RegistrationSI.L2-3.14.1 — Protect Information System