GRCWatch
Sign inStart free trial

CMMC MA.L2-3.7.2: System Maintenance Control

System maintenance represents a critical vulnerability window where unauthorized access can occur if not properly controlled. CMMC MA.L2-3.7.2 requires your organization to establish strict controls over who performs maintenance, what tools they use, and how those activities are monitored. This control is essential for defending against supply chain attacks and insider threats during routine system upkeep.

What this means

This control mandates that organizations implement comprehensive restrictions on system maintenance activities. You must control access to maintenance tools and techniques, vet the personnel performing maintenance work (including third-party contractors), and establish procedures that prevent unauthorized modifications or data access during maintenance windows. The focus is on preventing attackers from exploiting maintenance activities to gain system access or exfiltrate data.

How to comply

  1. 1.Document all approved maintenance procedures, tools, and techniques used across your systems
  2. 2.Establish a vetting and authorization process for all personnel performing maintenance, including employees, contractors, and vendors
  3. 3.Implement access controls limiting maintenance activities to authorized personnel only
  4. 4.Create maintenance windows and change management procedures that require approval before work begins
  5. 5.Monitor and log all maintenance activities for audit trails and incident investigation
  6. 6.Provide security training to maintenance personnel on data protection and access restrictions
  7. 7.Require signed agreements with third-party maintenance providers establishing security obligations
  8. 8.Conduct periodic reviews of maintenance access and revoke privileges when no longer needed

Evidence auditors look for

  • Maintenance procedure documentation specifying approved tools and techniques
  • Personnel vetting records and authorization lists for maintenance staff
  • Access control configurations limiting maintenance tool usage to approved users
  • Maintenance request and approval records demonstrating change management
  • System logs showing maintenance activities with timestamps and user identification
  • Third-party maintenance vendor agreements with security clauses
  • Training records for maintenance personnel on security protocols
  • Periodic access reviews and deprovisioning documentation

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates maintenance personnel vetting workflows and tracks maintenance authorizations across your systems, generating audit-ready logs that demonstrate continuous compliance with MA.L2-3.7.2 without manual spreadsheet management.

See how GRCWatch handles this control automatically

Start free trial

Related controls

IA.L2-2.1.1 — User Access ControlAC.L2-2.1.3 — Access Control EnforcementIA.L1-2.1.2 — User Identification and AuthenticationAT.L2-2.2.4 — Security Awareness and Training