What Is This CMMC Control?
Organizations must establish and follow a structured maintenance program for all systems that process, store, or transmit CUI. This includes regular upkeep of hardware, software, firmware, and peripheral devices like printers and scanners. Maintenance must be performed in a controlled manner that protects CUI from unauthorized disclosure during service activities, whether performed by internal staff or external vendors. The control ensures systems remain operational and secure while preventing maintenance activities from becoming a security vulnerability.
Control Intent
Ensure that system maintenance activities are performed in a controlled, documented manner that maintains system availability while protecting CUI from unauthorized disclosure or compromise during maintenance operations.
Who This Control Applies To
- All systems that process, store, or transmit CUI
- Hardware components including servers, workstations, network devices, and storage systems
- Software applications and operating systems
- Firmware on network devices, storage systems, and embedded systems
- Peripheral devices such as printers, scanners, copiers, and multifunction devices
- Mobile devices used to access CUI
- Cloud infrastructure components under organizational control
- Backup and recovery systems
- Security tools and monitoring systems
Not Applicable When
- Systems that never process, store, or transmit CUI
- Fully managed cloud services where the provider is contractually responsible for all maintenance (though oversight requirements may still apply)
- Systems that have been formally decommissioned and removed from the CUI environment
- Consumer-grade devices not used for CUI access or processing
Key Objectives
1. Establish and maintain a documented maintenance program covering all system components that handle CUI
2. Ensure maintenance activities are performed by authorized personnel following documented procedures
3. Protect CUI confidentiality during all maintenance activities, including those performed by external vendors
4. Maintain system availability through regular preventive and corrective maintenance
Sample Self-Assessment Questions (Partial)
Do you have a documented maintenance schedule for all systems that handle CUI?
Who is authorized to perform maintenance on systems containing CUI (internal staff, vendors, contractors)?
Implementation Approaches (High-Level)
Centralized Maintenance Management System
Organization uses a centralized ticketing or asset management system to schedule, track, and document all maintenance activities across the CUI environment.
Documented Maintenance Schedules with Manual Tracking
Organization maintains documented maintenance schedules and procedures with manual tracking through spreadsheets, logs, or paper records.
Vendor-Managed Maintenance with Oversight
Organization relies on vendors or managed service providers to perform maintenance while maintaining oversight and documentation requirements.
Integrated Maintenance and Change Management
Maintenance activities are integrated with formal change management processes, ensuring all maintenance is planned, approved, documented, and reviewed as part of broader system management.
Evidence & Assessment Notes
Expected Evidence
Organizations should maintain documentation and evidence demonstrating compliance with this control. This may include policy documentation, configuration records, audit logs, access reviews, and other relevant artifacts that show how the control is implemented and maintained.
Plan of Action & Milestones (POA&M)
- If no maintenance program exists, create a phased implementation plan starting with critical CUI systems and expanding to all systems within 6-12 months.
- If maintenance is performed but not documented, implement immediate logging requirements while developing formal procedures and schedules.
- If peripheral devices are excluded, conduct an inventory and add them to the maintenance program within 3-6 months.
- If vendor maintenance lacks CUI protections, renegotiate contracts or implement compensating controls (escort, monitoring, sanitization) immediately.
- If emergency maintenance bypasses controls, document interim procedures requiring post-facto documentation and approval within 24 hours while developing formal emergency maintenance procedures.
- If maintenance personnel lack authorization, implement an immediate vetting and authorization process before the next maintenance activity.
- If firmware updates are excluded, add firmware inventory and update procedures to the maintenance program within 3-6 months.
- Prioritize POA&M items based on systems with the highest CUI sensitivity and most frequent maintenance needs.
- Consider quick wins like implementing maintenance logging before tackling comprehensive scheduling systems.
- For resource-constrained organizations, start with manual tracking methods and plan migration to automated systems.
- Include specific milestones for policy development, procedure creation, tool implementation, and training.
- Address both technical implementation and process/documentation gaps in the POA&M.
- Consider leveraging existing tools (ticketing systems, asset management) before purchasing new solutions.
Frequently Asked Questions
Does this control require a specific maintenance schedule or frequency?
The control does not mandate specific maintenance frequencies. Organizations must establish appropriate maintenance schedules based on manufacturer recommendations, system criticality, operational requirements, and risk assessment. What matters is that maintenance is planned, scheduled, documented, and actually performed consistently.
Are we required to perform maintenance ourselves or can we use vendors?
Organizations may use external vendors or managed service providers to perform maintenance. However, the organization remains responsible for ensuring maintenance is performed appropriately and that CUI is protected during vendor maintenance activities. This requires contracts addressing CUI protection, oversight of vendor activities, and documentation of all maintenance performed.
Do printers, copiers, and scanners really need to be included in the maintenance program?
Yes, the control explicitly states that maintenance applies to components not directly associated with information processing, specifically mentioning scanners, copiers, and printers. These devices often store CUI in memory or on hard drives and require maintenance to remain secure and functional. Many assessment findings result from excluding peripheral devices from maintenance programs.
What counts as maintenance versus a configuration change requiring change control?
Maintenance typically includes activities that restore or preserve system functionality without changing system behavior or security posture, such as hardware repairs, routine updates, cleaning, and component replacement. Configuration changes that alter system behavior, add functionality, or modify security controls typically require change management. Organizations should define this boundary clearly in their procedures, and when in doubt, treat activities as changes requiring additional oversight.
How do we protect CUI when a system needs off-site maintenance or repair?
Before sending systems off-site for maintenance, organizations must sanitize or remove all CUI, document the sanitization process, and verify CUI removal. If sanitization is not possible, maintenance must be performed on-site with appropriate oversight, or the system must be replaced rather than repaired. Vendor contracts should address these requirements and specify acceptable maintenance locations and procedures.
What should we do if emergency maintenance is needed outside our normal procedures?
Organizations should have documented emergency maintenance procedures that allow necessary work while maintaining security. At minimum, emergency maintenance should require immediate notification to security personnel, documentation of the emergency and actions taken, post-facto approval or review, and verification that security controls remain effective. Emergency procedures should not completely bypass security requirements but rather provide an expedited path with appropriate oversight.
How ConformatIQ Helps With CMMC Readiness
ConformatIQ is an AI-assisted CMMC readiness platform designed to help organizations prepare for assessments more efficiently. The platform supports document generation such as SSPs and POA&Ms, guided readiness workflows, centralized evidence tracking, and interview preparation for assessments.
Information sourced from NIST SP 800-171 Rev. 2.