Maintenance is an imperative requirement for information security and applies to all hardware, firmware, operating systems, peripherals and the drivers, and all software applications. Lapse of maintenance could result in system vulnerability, opening the way for an information security breach. Policies and procedures should be established to ensure systems are kept in good working order and risk from hardware and software failures is minimized.[1]

Planning and Performing System Maintenance

3.7.1Perform maintenance on organizational systems


There are four types of maintenance to consider for information system hardware and software:

  1. Preventive maintenance is making changes to a system to prevent future failures;
  2. Adaptive maintenance involves changes to the system throughout its life cycle as hardware and software is modified to meet new system requirements or emerging technologies;
  3. Corrective maintenance is performed when a system failure or weakness is identified;
  4. Perfective maintenance refers to system improvements.

Ongoing maintenance includes activities such as equipment inspection, license renewal, system patch application, applications testing, and regular system information backup.  Routine maintenance schedules should be documented and maintained, and maintenance results recorded.

Approval and Oversight of Maintenance Tools, Techniques, and Personnel

3.7.2Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance
3.7.5Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete
3.7.6Supervise the maintenance activities of maintenance personnel without required access authorization

This requirement addresses security controls required for tools used for diagnostics of any vulnerabilities of systems and software by digitally managing, scanning, or sniffing the environment, where tools are not part of organizational infrastructure. Maintenance tools should be approved and be scrutinized for their integrity as they could be compromised and may become potential transporters of malicious code. Access control should be implemented for maintenance tools used on systems containing controlled information.

Maintenance must be administered by qualified and approved personnel, under proper supervision, and meticulous logs should be kept on maintenance activities.  Certain personnel may require privileged access to conduct maintenance such as patching and updating, with little or no prior notice for such access.  This can be controlled by issuing temporary accounts with one-time passwords and limited permissions.

Nonlocal maintenance and diagnostic checks are activities conducted by someone connecting through external network over VPN, remote access application, or OpenSSH. All such connections should have some type of multifactor authentication to prove the identity of those wishing to access the system. Moreover, any such connection should have remote access controls (e.g., specific device only, controlled downloads, privileged command authorization, and/or time limitation to session termination).

Off-Site Maintenance

3.7.3Ensure equipment removed for off-site maintenance is sanitized of any CUI

Any system component removed for any type of off-site maintenance conducted by any entity (including the component manufacturer) must be sanitized of Controlled Unclassified Information, meaning access to data on storage drives be overwritten with secure erasing with fixed pattern or degaussing, or the storage drive disassembled or destroyed.

Media for Diagnosis and Testing

3.7.4Check media containing diagnostic and test programs for malicious code before the media are used in organizational systems

Any OEM or vendor diagnostic installed executable utilities, files and applications should be properly scanned and hashed to check for corrupt or malicious code and authenticity, so as to validate before installation. Proper incident handling policies and procedures should be followed if any abnormalities found.

Need Help?

If you are an Organization Seeking Certification (OSC) and are overwhelmed by the enormity and complexity of CMMC, consider professional services to help you plan, implement, and maintain compliance and ensure uninterrupted eligibility for DoD work.

FoxGuard Solutions delivers reliable, secure and configurable solutions to solve technology and compliance challenges faced by critical infrastructure entities.  With over four decades of experience, our team focuses on delivering customized cybersecurity and compliance solutions.

Our services will help guide your organization through the Discovery, Planning, Execution and Maintenance phases necessary to allow your organization to attain Cybersecurity Maturity Model Certification (CMMC).  Our team of experts will partner with you to review existing policies, processes, procedures, and technical controls to identify any gaps with CMMC requirements.  An execution plan will be created that aligns with your needs, budget and timeline, and which outlines a recommended approach to attain CMMC.

As a Microsoft Gold Certified Partner, FoxGuard Solutions has experience in delivering both on premise as well as cloud-based solutions to assist you with your compliance needs.

FoxGuard Solutions is ISO 9001 and ISO 27001 certified, and is a Cyber-AB Registered Practitioner Organization

Please visit for more information.

[1] NIST HB 162