03.07.02 —
What this control requires
Source: NIST SP 800-171 R3 §03.07.02 (official control text).
Why this matters
Maintenance and repair activities create windows of vulnerability when systems are offline, physically accessible, or connected to external diagnostic equipment. Unauthorized or poorly documented maintenance can introduce malware, leave backdoors open, or compromise system integrity. This control ensures that all maintenance—whether performed by internal staff or third-party vendors—follows a documented approval process, occurs under appropriate supervision, and uses only authorized tools and procedures. It protects against both intentional sabotage and accidental misconfiguration during maintenance windows.
What evidence assessors expect
Assessors typically look for evidence in the form of PDFs, screenshots, and photos. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.