CMMC Level 2 Implementation Guide July 3, 2026 · 9 min read

How to Implement CMMC Level 2 Maintenance (MA) Requirements

The Maintenance domain covers something IT teams do constantly but rarely document formally: who is allowed to work on your systems, how remote support sessions are conducted, what happens when equipment leaves the building, and how you verify that maintenance tools are not themselves a threat. Six practices, but real teeth if any of them are missing during assessment.

What the MA Domain Is Really About

IT does maintenance every day. CMMC just wants you to have written it down, authorized who can do it, and not let a vendor remote in unsupervised.

The MA domain does not require elaborate new processes for most organizations. What it requires is that existing maintenance activities are authorized, documented, and controlled. The most common gaps are: no formal maintenance log, no policy on who can perform maintenance, and vendor remote access sessions with no MFA and no supervision.

The domain also has an underappreciated scope question. Maintenance includes routine patching and updates, hardware repairs, system configuration changes, and any other work performed on organizational systems in the CUI boundary. If a vendor technician remote-desktops into a server to apply a firmware update, that is a nonlocal maintenance session subject to 3.7.5. Most organizations that have been allowing this without MFA and without session monitoring have a finding they did not know about.

Scope note: MA requirements apply to systems within your CUI boundary. If a system does not process, store, or transmit CUI and is not connected to systems that do, it falls outside scope. Clearly defining your system boundary (in the SSP) determines where MA controls apply.

Practice-by-Practice Breakdown

3.7.1

Perform maintenance on organizational systems

This practice establishes the baseline: perform maintenance in a controlled and documented manner. It sounds obvious, but the documentation requirement is where most organizations fall short.

Common mistake: Performing maintenance consistently but with no documentation. If the sysadmin patches every month but there is no ticket, no log entry, and no record, the assessor cannot verify that maintenance occurred. Unverified maintenance equals unverified compliance.

3.7.2

Control maintenance tools and authorized maintenance personnel

Not everyone should be allowed to perform maintenance on CUI systems, and not every tool brought in for maintenance is safe to use. 3.7.2 requires controlling both.

Common mistake: Allowing vendors to bring their own laptops with their own tools and connect to CUI systems without any review or approval. A vendor's maintenance laptop is an unmanaged endpoint that could carry malware, exfiltration tools, or unauthorized remote access software. At minimum, verify what tools a vendor is using before they connect to your systems.

3.7.3

Sanitize equipment removed for offsite maintenance

The hard drive that left with the vendor for repair and came back six months later with no chain-of-custody record is a story every IT team has. 3.7.3 is how you stop telling it.

When equipment containing CUI must leave your facility for maintenance, it must be sanitized first. If sanitization would prevent the maintenance from being performed, additional controls apply.

Common mistake: Sending equipment offsite for repair without removing the hard drive or documenting the transfer. A laptop with CUI-adjacent data sent to a repair depot with no documentation is a potential data exposure, not just a compliance gap.

3.7.4

Check media containing diagnostic programs for malicious code

Before using any media that contains diagnostic or test programs for maintenance, check it for malicious code. This targets a specific supply chain attack vector: maintenance tools that have been compromised.

Common mistake: Treating this practice as theoretical. Compromised maintenance tools are a real attack vector, both through supply chain compromise of legitimate tools and through social engineering of maintenance personnel. The control is simple: scan before use. The documentation is what makes it auditable.

3.7.5

Require MFA for remote maintenance and terminate sessions when complete

This is the practice most likely to require active remediation. Remote maintenance sessions on in-scope systems must use MFA and encrypted communications, and sessions must be terminated when maintenance is complete.

Common mistake: Allowing vendors to install persistent remote access agents on servers with no MFA and no session logging, on the reasoning that "they need to be able to get in quickly." Convenience and compliance point in opposite directions on this one. Persistent, unattended remote access without MFA is a finding under 3.7.5 and a significant security risk independently of the compliance question.

3.7.6

Supervise maintenance activities of personnel without required access authorization

If a maintenance technician does not have independent authorization to access your CUI systems (meaning they have not been screened and authorized as an internal employee would be), their maintenance activities must be supervised by someone who does.

Common mistake: Giving a vendor a VPN credential and walking away. "We trust them, they've worked with us for years" does not satisfy 3.7.6. The requirement is supervision, not trust. An assessor will ask how vendor remote sessions are monitored, and "we don't monitor them" is a finding regardless of the vendor relationship.

Building a Compliant Maintenance Program

The practical steps to get MA into assessment shape:

ActionSatisfiesTool / Method
Maintenance log3.7.1Any ticketing system; SharePoint list; dedicated CMMS
Authorized personnel list3.7.2Document in policy; review annually
Equipment removal log3.7.3Chain-of-custody form; asset management system
Tool scanning procedure3.7.4Endpoint AV scan before use; documented in maintenance log
MFA for remote access3.7.5Entra ID / Okta MFA on VPN; Duo for RDP; session termination policy
Vendor supervision log3.7.6Note supervisor name and session time in maintenance ticket

Quick win: If your organization uses an MSP, review how they access your systems today. Persistent remote access agents without per-session MFA are the most common MA finding for MSP-managed clients. Switching to session-based access with MFA (most RMM platforms support this) resolves 3.7.5 and significantly reduces your attack surface.

Need the Policy Document?

Our CMMC Level 2 Maintenance Policy template covers all 6 MA practices in formal policy language. Includes maintenance authorization procedures, remote session requirements, equipment removal controls, and vendor supervision requirements. Editable .docx, ready to customize in under an hour.

Download the MA Policy Template →

Frequently Asked Questions

Nonlocal maintenance refers to maintenance performed remotely through a remote desktop connection, VPN, SSH session, or any remote access method. Practice 3.7.5 requires that nonlocal maintenance sessions use MFA and encrypted communications, and that sessions are terminated when maintenance is complete. This applies to vendor remote support sessions as well as internal IT remote administration.
Yes. Practice 3.7.6 requires supervising maintenance activities of personnel without the required access authorization. If a vendor or MSP technician accesses your CUI systems for maintenance and does not have their own CMMC authorization, you must supervise their activities. An authorized employee must monitor the session in real time. Giving a vendor a VPN credential and stepping away is not compliant.
Maintenance tools include diagnostic software, port scanners, password recovery tools, remote access software, and any software brought in by a vendor for maintenance purposes. Under 3.7.2, these must be approved and controlled. Under 3.7.4, media containing diagnostic programs must be scanned for malicious code before use on in-scope systems.
Practice 3.7.3 requires sanitizing equipment removed for offsite maintenance to remove all CUI before it leaves your facility. If sanitization is not possible, document the exception, maintain chain-of-custody records, and ensure the vendor is an authorized handler. When equipment returns, verify it has not been altered before reconnecting it to your network.
NIST SP 800-171 does not specify a review frequency for maintenance records. Best practice is to review maintenance logs monthly as part of operational security reviews and retain records for at least one year. Your policy should define the retention period, and you will be held to whatever you document.

More CMMC Implementation Guides

💾Media Protection (MP)Read → 👥Personnel Security (PS)Read → 🏠Physical Protection (PE)Read → 🔒Access Controls (AC)Read → 🚨Incident Response (IR)Read → How to Pass a CMMC AssessmentRead →
📫

Get the Free CMMC Level 2 Practice Checklist

No spam. Practical guidance on CMMC compliance and new resources when we publish them.