Level 5 CMMC - CMMC Practices

MA.2.111

Reference: CMMC 1.02

Family: MA

Level Introduced: 2

Practice:
Perform maintenance on organizational systems.

CMMC Clarification:
Perform maintenance on your machines. This includes:
• corrective maintenance (e.g., repairing problems with the technology);
• preventative maintenance (e.g., updates to prevent potential problems);
• adaptive maintenance (e.g., changes to the operative environment); and
• perfective maintenance (e.g., improve operations).

Example
You are in charge of IT at your company. As part of your role, you must perform maintenance on all the machines within your company. This includes regular planned maintenance, unscheduled maintenance, reconfigurations when required, and damage repairs. In addition to performing maintenance, you also keep track of all maintenance performed.

3.7.1

Perform maintenance on organizational systems.

Discussion:
This requirement addresses the information security aspects of the system maintenance program and applies to all types of maintenance to any system component (including hardware, firmware, applications) conducted by any local or nonlocal entity. System maintenance also includes those components not directly associated with information processing and data or information retention such as scanners, copiers, and printers.

In general, system maintenance requirements tend to support the security objective of availability. However, improper system maintenance or a failure to perform maintenance can result in the unauthorized disclosure of CUI, thus compromising confidentiality of that information.

Source: NIST Special Publication 800-171 Rev. 2

MA-2

CONTROLLED MAINTENANCE

Description:
The organization:
    a. Schedules, performs, documents, and reviews records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements;
    b. Approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;
    c. Requires that [Assignment: organization-defined personnel or roles] explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs;
    d. Sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs;
    e. Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; and
    f. Includes [Assignment: organization-defined maintenance-related information] in organizational maintenance records.

Supplemental Guidance:
This control addresses the information security aspects of the information system maintenance program and applies to all types of maintenance to any system component (including applications) conducted by any local or nonlocal entity (e.g., in-contract, warranty, in-house, software maintenance agreement). System maintenance also includes those components not directly associated with information processing and/or data/information retention such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes, for example: (i) date and time of maintenance; (ii) name of individuals or group performing the maintenance; (iii) name of escort, if necessary; (iv) a description of the maintenance performed; and (v) information system components/equipment removed or replaced (including identification numbers, if applicable). The level of detail included in maintenance records can be informed by the security categories of organizational information systems. Organizations consider supply chain issues associated with replacement components for information systems. Related controls: CM-3, CM-4, MA-4, MP-6, PE-16, SA-12, SI-2.

Source: NIST Special Publication 800-53 Rev. 4

Source: CMMC v1.02