bigforceone

MA.L2-3.7.2: Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.

What this control requires

Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.

Source: CMMC L2 v2.13 MA.L2-3.7.2 / NIST SP 800-171 R2 3.7.2 (official control text).

Why this matters

Maintenance activities—whether performed by internal IT staff, managed service providers, or equipment vendors—create privileged access windows where malicious code can be introduced, unauthorized changes can be made, or sensitive data can be exfiltrated. This control requires organizations to establish approval workflows, technical safeguards, and monitoring protocols for any tool or person performing diagnostics, updates, or repairs on systems handling CUI. Without these controls, a compromised USB drive, infected diagnostic laptop, or malicious technician could bypass perimeter defenses entirely. The requirement extends beyond your network boundary to cover vendor-supplied tools, remote access sessions, and even firmware utilities that might carry persistent threats.

What evidence assessors expect

Assessors typically look for: PDF, screenshot, log file. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.
