CMMC Level 2Implementation GuideJuly 3, 2026· 9 min read
How to Implement CMMC Level 2 Maintenance (MA) Requirements
The Maintenance domain covers something IT teams do constantly but rarely document formally: who is allowed to work on your systems, how remote support sessions are conducted, what happens when equipment leaves the building, and how you verify that maintenance tools are not themselves a threat. Six practices, but real teeth if any of them are missing during assessment.
What the MA Domain Is Really About
IT does maintenance every day. CMMC just wants you to have written it down, authorized who can do it, and not let a vendor remote in unsupervised.
The MA domain does not require elaborate new processes for most organizations. What it requires is that existing maintenance activities are authorized, documented, and controlled. The most common gaps are: no formal maintenance log, no policy on who can perform maintenance, and vendor remote access sessions with no MFA and no supervision.
The domain also has an underappreciated scope question. Maintenance includes routine patching and updates, hardware repairs, system configuration changes, and any other work performed on organizational systems in the CUI boundary. If a vendor technician remote-desktops into a server to apply a firmware update, that is a nonlocal maintenance session subject to 3.7.5. Most organizations that have been allowing this without MFA and without session monitoring have a finding they did not know about.
Scope note: MA requirements apply to systems within your CUI boundary. If a system does not process, store, or transmit CUI and is not connected to systems that do, it falls outside scope. Clearly defining your system boundary (in the SSP) determines where MA controls apply.
Practice-by-Practice Breakdown
3.7.1
Perform maintenance on organizational systems
This practice establishes the baseline: perform maintenance in a controlled and documented manner. It sounds obvious, but the documentation requirement is where most organizations fall short.
Maintain a maintenance log for all in-scope systems. The log should record: the date of maintenance, the system worked on, the nature of the maintenance performed, who performed it, and whether the work was completed or has open items
A ticketing system (ServiceNow, Jira Service Management, Freshservice, or even a SharePoint list) satisfies this requirement if maintenance activities are consistently logged there
Schedule and perform routine maintenance: patching cycles, hardware inspections, firmware updates, and system configuration reviews. The practice does not specify frequency, but documented monthly patch cycles are the baseline expectation
Approved maintenance schedules and change management records serve as evidence that maintenance is performed in a controlled manner, not ad hoc
Common mistake: Performing maintenance consistently but with no documentation. If the sysadmin patches every month but there is no ticket, no log entry, and no record, the assessor cannot verify that maintenance occurred. Unverified maintenance equals unverified compliance.
3.7.2
Control maintenance tools and authorized maintenance personnel
Not everyone should be allowed to perform maintenance on CUI systems, and not every tool brought in for maintenance is safe to use. 3.7.2 requires controlling both.
Maintain an authorized maintenance personnel list: the individuals (internal and external) who are permitted to perform maintenance on in-scope systems. This should be documented and reviewed periodically
Control maintenance tools: tools used for system maintenance (diagnostic software, remote access utilities, network scanners, configuration management tools) should be approved and inventoried. Unapproved tools brought in by vendors or contractors should not be used without authorization
When a vendor or contractor performs maintenance, verify their identity before granting access and confirm they are using approved tools and methods
Include maintenance tool controls in your policy: what tools are approved, who approves exceptions, and how tool use is logged
Common mistake: Allowing vendors to bring their own laptops with their own tools and connect to CUI systems without any review or approval. A vendor's maintenance laptop is an unmanaged endpoint that could carry malware, exfiltration tools, or unauthorized remote access software. At minimum, verify what tools a vendor is using before they connect to your systems.
3.7.3
Sanitize equipment removed for offsite maintenance
The hard drive that left with the vendor for repair and came back six months later with no chain-of-custody record is a story every IT team has. 3.7.3 is how you stop telling it.
When equipment containing CUI must leave your facility for maintenance, it must be sanitized first. If sanitization would prevent the maintenance from being performed, additional controls apply.
Before equipment leaves your facility, remove or sanitize CUI from the device. For hard drives, this means NIST SP 800-88 compliant wiping or removal of the drive entirely before the device goes out
If sanitization is not possible without compromising the purpose of the maintenance (e.g., the hard drive is the failing component that needs to be diagnosed), document the exception, obtain management approval, and ensure the vendor is a trusted, authorized handler
Maintain a chain-of-custody record for all equipment removed for maintenance: what was removed, when, who took it, where it went, and when it returned
When equipment returns, inspect it before reconnecting to the network. Verify the device has not been altered and scan for malware before returning it to service
Common mistake: Sending equipment offsite for repair without removing the hard drive or documenting the transfer. A laptop with CUI-adjacent data sent to a repair depot with no documentation is a potential data exposure, not just a compliance gap.
3.7.4
Check media containing diagnostic programs for malicious code
Before using any media that contains diagnostic or test programs for maintenance, check it for malicious code. This targets a specific supply chain attack vector: maintenance tools that have been compromised.
Any USB drive, CD, DVD, or downloaded software used for system maintenance or diagnostics should be scanned with your endpoint protection tool before use on in-scope systems
For vendor-provided tools, require that the vendor attest that their tools have been scanned and are free of malicious code before they use them on your systems
Prefer downloading diagnostic tools directly from vendor websites over accepting media from a technician, which reduces the risk of a compromised physical medium
Document this check: maintenance logs should note whether tools were scanned and cleared before use
Common mistake: Treating this practice as theoretical. Compromised maintenance tools are a real attack vector, both through supply chain compromise of legitimate tools and through social engineering of maintenance personnel. The control is simple: scan before use. The documentation is what makes it auditable.
3.7.5
Require MFA for remote maintenance and terminate sessions when complete
This is the practice most likely to require active remediation. Remote maintenance sessions on in-scope systems must use MFA and encrypted communications, and sessions must be terminated when maintenance is complete.
MFA for remote maintenance means the same MFA requirement as remote user access: the maintenance technician must authenticate with at least two factors before being granted remote access. A VPN with MFA, followed by RDP to a server, satisfies this if both the VPN and the RDP session require separate authentication
Encrypted communications: RDP over TLS, SSH, or VPN tunnels all provide encrypted transport. Unencrypted remote desktop over plain HTTP or Telnet does not satisfy this requirement (and should not exist on any system in 2026)
Session termination: when maintenance is complete, the remote session must be disconnected and the access revoked, not left open "in case we need to get back in." Persistent remote access tools left active after maintenance is complete are a finding
For vendor remote support sessions specifically: if the vendor uses a remote support tool (TeamViewer, ConnectWise Control, Splashtop), ensure those sessions require MFA on the vendor's side, use encrypted transport, and are terminated at the end of each maintenance event. Session-by-session access, not persistent unattended access, is the compliant model
Common mistake: Allowing vendors to install persistent remote access agents on servers with no MFA and no session logging, on the reasoning that "they need to be able to get in quickly." Convenience and compliance point in opposite directions on this one. Persistent, unattended remote access without MFA is a finding under 3.7.5 and a significant security risk independently of the compliance question.
3.7.6
Supervise maintenance activities of personnel without required access authorization
If a maintenance technician does not have independent authorization to access your CUI systems (meaning they have not been screened and authorized as an internal employee would be), their maintenance activities must be supervised by someone who does.
External vendors, contractors, and break-fix technicians typically fall into this category. They are performing maintenance on your systems but are not part of your organizational access control program
Supervision means active oversight: an authorized employee monitoring the maintenance session in real time, not just being in the building. For remote sessions, this means watching the remote desktop session. For on-site maintenance, this means an authorized employee physically present and observing the work
Document supervision: maintenance logs should note who supervised external maintenance activities and the duration of the supervised session
If supervision is not feasible for a specific maintenance event, document why, obtain management approval for the exception, and implement compensating controls (session recording, access limited to a specific maintenance window with automatic termination)
Common mistake: Giving a vendor a VPN credential and walking away. "We trust them, they've worked with us for years" does not satisfy 3.7.6. The requirement is supervision, not trust. An assessor will ask how vendor remote sessions are monitored, and "we don't monitor them" is a finding regardless of the vendor relationship.
Building a Compliant Maintenance Program
The practical steps to get MA into assessment shape:
Action
Satisfies
Tool / Method
Maintenance log
3.7.1
Any ticketing system; SharePoint list; dedicated CMMS
Authorized personnel list
3.7.2
Document in policy; review annually
Equipment removal log
3.7.3
Chain-of-custody form; asset management system
Tool scanning procedure
3.7.4
Endpoint AV scan before use; documented in maintenance log
MFA for remote access
3.7.5
Entra ID / Okta MFA on VPN; Duo for RDP; session termination policy
Vendor supervision log
3.7.6
Note supervisor name and session time in maintenance ticket
Quick win: If your organization uses an MSP, review how they access your systems today. Persistent remote access agents without per-session MFA are the most common MA finding for MSP-managed clients. Switching to session-based access with MFA (most RMM platforms support this) resolves 3.7.5 and significantly reduces your attack surface.
Need the Policy Document?
Our CMMC Level 2 Maintenance Policy template covers all 6 MA practices in formal policy language. Includes maintenance authorization procedures, remote session requirements, equipment removal controls, and vendor supervision requirements. Editable .docx, ready to customize in under an hour.
Nonlocal maintenance refers to maintenance performed remotely through a remote desktop connection, VPN, SSH session, or any remote access method. Practice 3.7.5 requires that nonlocal maintenance sessions use MFA and encrypted communications, and that sessions are terminated when maintenance is complete. This applies to vendor remote support sessions as well as internal IT remote administration.
Yes. Practice 3.7.6 requires supervising maintenance activities of personnel without the required access authorization. If a vendor or MSP technician accesses your CUI systems for maintenance and does not have their own CMMC authorization, you must supervise their activities. An authorized employee must monitor the session in real time. Giving a vendor a VPN credential and stepping away is not compliant.
Maintenance tools include diagnostic software, port scanners, password recovery tools, remote access software, and any software brought in by a vendor for maintenance purposes. Under 3.7.2, these must be approved and controlled. Under 3.7.4, media containing diagnostic programs must be scanned for malicious code before use on in-scope systems.
Practice 3.7.3 requires sanitizing equipment removed for offsite maintenance to remove all CUI before it leaves your facility. If sanitization is not possible, document the exception, maintain chain-of-custody records, and ensure the vendor is an authorized handler. When equipment returns, verify it has not been altered before reconnecting it to your network.
NIST SP 800-171 does not specify a review frequency for maintenance records. Best practice is to review maintenance logs monthly as part of operational security reviews and retain records for at least one year. Your policy should define the retention period, and you will be held to whatever you document.