What the Maintenance Domain Is For
The Maintenance domain addresses the set of activities through which systems are kept operational: repairs, updates, patches, diagnostics, and vendor servicing. The six requirements treat maintenance as a distinct security concern because the act of servicing a system introduces temporary conditions under which the normal protections may be relaxed. Maintenance windows grant access that would otherwise be restricted. Diagnostic tools carry executable code into the environment. Off-site repairs remove equipment that may contain CUI. Remote maintenance sessions reach across the boundary from systems the organization does not fully control.
For defense contractors in manufacturing environments, the MA domain carries additional operational complexity because specialized equipment vendors often have long-established expectations about remote access, diagnostic procedures, and maintenance personnel that predate the CMMC requirements. A CNC equipment vendor who has maintained a remote dial-in capability for twenty years will not immediately understand why that pathway requires multi-factor authentication, managed routing, and session termination under CMMC Level 2. The MA domain is where practitioner work frequently involves translating vendor maintenance norms into CMMC-compliant operational patterns.
The practitioner reading of MA is that it protects against an often overlooked attack surface. Most compliance attention goes to access control, authentication, and monitoring, which are the primary defenses against external threats. Maintenance is the defense against attacks or errors introduced through the legitimate servicing pathways that every environment requires. The domain is small, but its failure modes are specific and consequential.
The Structure of the 6 Controls
The six MA requirements organize into two clusters that reflect different concerns within the domain.
The first cluster covers maintenance control and authorization. These three controls (3.7.1, 3.7.2, and 3.7.6) establish the operational framework for maintenance activity: that maintenance is performed, that it is controlled, and that personnel without required access authorization are supervised when they perform maintenance. This cluster addresses the administrative dimension of the domain.
The second cluster covers boundary protection during maintenance. These three controls (3.7.3, 3.7.4, and 3.7.5) address the specific conditions under which maintenance introduces risk: equipment leaving the boundary for off-site repair, diagnostic media entering the boundary, and remote maintenance sessions crossing the boundary. This cluster addresses the technical dimension of the domain and is where most implementation complexity concentrates.
Maintenance Control and Authorization
The first cluster establishes the operational framework for how maintenance is performed, who performs it, and how personnel without required access authorization are managed during maintenance activity.
MA.L2-3.7.1 Perform Maintenance
Maintenance must be performed on organizational systems. The control establishes the baseline obligation that maintenance activity happens and is recorded. The assessable evidence includes maintenance logs, records of scheduled maintenance, and evidence that maintenance has actually occurred on the systems in the CMMC assessment scope. The control is often treated as trivial because every organization performs some level of maintenance, but the 3.7.1 standard requires documented evidence that maintenance is part of the operational discipline rather than an ad hoc response to problems.
MA.L2-3.7.2 System Maintenance Control
Controls must be provided on the tools, techniques, mechanisms, and personnel used to conduct system maintenance. The control has four subjects that must each be governed. Tools means the hardware and software used during maintenance. Techniques means the methods applied. Mechanisms means the pathways through which maintenance occurs. Personnel means the individuals who perform the work. Each of these must be controlled, which in practice means documented, approved, and restricted to what the maintenance activity actually requires. A vendor engineer using unauthorized diagnostic software during a service call violates this control even if the engineer's physical presence was authorized.
MA.L2-3.7.6 Maintenance Personnel
Maintenance activities of personnel without required access authorization must be supervised. The control addresses the common situation in which maintenance requires personnel (often vendor technicians) who are not cleared or authorized for the normal access the systems contain. The standard is supervision rather than exclusion. An unauthorized technician can perform maintenance, but only under the observation of a person who does hold the necessary authorization. The supervision must be active. A staff member who signs in the technician and then leaves them unattended in the server room has not satisfied the control. In manufacturing environments, this control interacts tightly with physical access and with the Secure Area strategy for environments where equipment cannot implement full IT security controls.
Boundary Protection During Maintenance
The second cluster addresses the specific conditions under which maintenance activity crosses the CMMC boundary. Equipment leaving for repair, diagnostic media entering the environment, and remote sessions reaching across the network perimeter each carry distinct risks that the domain addresses individually.
MA.L2-3.7.3 Equipment Sanitization
Equipment removed for off-site maintenance must be sanitized of any CUI. The control addresses the scenario in which hardware is sent to a vendor or service center for repair, potentially with CUI still present on storage media. The sanitization must meet the standards appropriate to the sensitivity of the data, and the evidence must show that sanitization occurred before the equipment left organizational control. This control interacts directly with the Media Protection domain, which governs the sanitization standards and media handling procedures that MA inherits for off-site maintenance scenarios.
MA.L2-3.7.4 Media Inspection
Media containing diagnostic and test programs must be checked for malicious code before the media are used in organizational systems. The control addresses the vendor technician who arrives with a USB drive containing diagnostic utilities, or the service DVD that is inserted into a system during a maintenance call. The media inspection requirement is not satisfied by trusting the vendor. It requires active scanning of the media before it is used, typically through a dedicated workstation or inspection process that is separate from the production environment. In manufacturing environments, this control frequently applies to OEM diagnostic tools that vendors bring during service visits.
MA.L2-3.7.5 Nonlocal Maintenance
Multi-factor authentication must be required to establish nonlocal maintenance sessions via external network connections, and such connections must be terminated when nonlocal maintenance is complete. Nonlocal maintenance is any maintenance activity conducted over a network connection from outside the physical boundary. The MFA requirement echoes the IA.L2-3.5.3 obligation, and the termination requirement addresses the common failure mode in which remote maintenance connections persist long after the maintenance itself has ended. The control intersects tightly with the Access Control remote access controls and with the Identification and Authentication MFA requirements. Implementations that satisfy 3.5.3 for user authentication often miss the nonlocal maintenance path because maintenance connections historically used specialized protocols that did not support MFA natively.
Where Maintenance Intersects with Other Domains
Maintenance activity crosses several other domains because it combines access, authentication, media handling, and change management into a single operational context.
Access Control governs the authorization that maintenance personnel operate under. The AC.3.1.12 through AC.3.1.15 controls on remote access (session monitoring, cryptographic protection, routing through managed access control points, and authorization of remotely executed privileged commands) apply directly to nonlocal maintenance, and the 3.7.5 MFA requirement is the maintenance-specific echo of the IA.3.5.3 MFA requirement that a remote maintenance session must also satisfy.
Identification and Authentication provides the authentication mechanisms that 3.7.5 requires for nonlocal maintenance. The MFA deployment decisions made for general network access need to extend to maintenance connections, which is where many contractors find coverage gaps.
Media Protection governs the sanitization standards that 3.7.3 inherits for off-site equipment, and the media handling procedures that 3.7.4 relies on for diagnostic media inspection. A weak MP implementation produces MA findings because the maintenance controls depend on MP discipline for their evidence.
Personnel Security is the upstream source of the authorization status that 3.7.6 depends on. The supervision requirement for unauthorized maintenance personnel assumes the organization knows which maintenance personnel hold authorization and which do not, which is a PS determination.
Physical Protection provides the environmental controls under which on-site maintenance occurs. Badging, escort procedures, and physical access restrictions during maintenance are PE obligations that MA depends on. The supervision requirement in 3.7.6 is operationally a PE activity as much as it is an MA activity.
Configuration Management tracks the changes that maintenance activity introduces. Patches, firmware updates, and configuration adjustments performed during maintenance are CM events, and the change management process must account for maintenance-driven changes as well as planned ones.
Common Implementation Pitfalls
Several patterns come up repeatedly in Maintenance readiness work.
Vendor remote access that predates current policy. Specialized equipment vendors often have remote access capabilities that were established years before CMMC requirements existed. The access works, the vendor relies on it, and no one has updated it to include MFA, managed routing, or session termination. When the 3.7.5 requirement is evaluated, the vendor pathway is typically the area where findings concentrate. Remediation frequently requires vendor cooperation, which takes time to secure.
Supervision that exists in name but not in practice. The policy says maintenance personnel without authorization are supervised. The actual practice involves a staff member signing the technician in and then attending to other work. Assessors evaluate whether the supervision is substantive. A technician who is alone in a server room, even for a short period, is not being supervised.
Diagnostic media accepted from vendors without inspection. The technician arrives with a USB drive or a service DVD, and the diagnostic tools are used directly on production systems. The 3.7.4 requirement calls for inspection before use, which means the organization needs an inspection mechanism and a policy that requires it. Many contractors discover during readiness work that no such mechanism exists.
Off-site repairs with CUI still on the device. A failed hard drive from a workstation or server is sent to a vendor for warranty replacement with no sanitization. The 3.7.3 requirement is not satisfied, and the CUI on the drive has left organizational control without the required sanitization. Remediation requires a pre-shipment sanitization procedure that is actually followed, not just documented.
Nonlocal maintenance sessions that persist indefinitely. A vendor establishes a maintenance session, completes the work, and the session remains open. The 3.7.5 termination requirement is clear, but the enforcement is often manual and depends on someone remembering to close the session. Technical enforcement through session timeout or explicit termination workflows addresses this more reliably than policy.
Maintenance activity not reflected in audit logs. The maintenance happens, but the audit trail does not capture it as distinctly as it captures other activity. When a subsequent investigation needs to determine what occurred during a maintenance window, the audit trail cannot distinguish maintenance actions from other administrative activity. Maintenance-specific logging, or at least maintenance-window tagging in audit records, addresses this.
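The two enforcement points just described, terminating nonlocal maintenance sessions once their window has closed (3.7.5) and tagging audit records so that maintenance actions can be told apart from other administrative activity, share one input: a register of approved maintenance windows. The Python below is an added example that is not code from the page or from any vendor tool; it keys both checks off that register. It assumes the register holds (ticket, vendor account, host, start, end) in UTC, that audit records are sshd and sudo lines carrying an ISO-8601 UTC timestamp prefix, and that MFA for maintenance logins is delivered through sshd keyboard-interactive, so a final "Accepted publickey" for a maintenance account means the session was single-factor. The tickets, accounts, hosts, addresses and log lines are all constructed sample data.

```python
"""Maintenance-window enforcement and maintenance-tagged audit review.

Added example, not code from the page. Assumptions (not in the original text):
an approved-window register (ticket, vendor account, host, start, end) in UTC;
sshd/sudo audit lines with an ISO-8601 UTC timestamp prefix; MFA delivered via
sshd keyboard-interactive, so "Accepted publickey" alone is single-factor.
Every ticket, account, host and log line below is constructed sample data.
"""
import re
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Window:
    ticket: str
    account: str
    host: str
    start: datetime
    end: datetime


def ts(text):
    return datetime.fromisoformat(text.replace("Z", "+00:00"))  # aware UTC datetime


# Constructed register: hypothetical tickets, vendor accounts and hosts.
WINDOWS = [
    Window("MAINT-0042", "vnd-cnc", "cnc-gw01", ts("2024-03-12T13:00:00Z"), ts("2024-03-12T15:00:00Z")),
    Window("MAINT-0043", "vnd-plc", "plc-hist01", ts("2024-03-12T18:00:00Z"), ts("2024-03-12T20:00:00Z")),
]

# Constructed audit records in "<ts> <host> <program>[<pid>]: <message>" form.
SAMPLE_LOG = """\
2024-03-12T13:05:10Z cnc-gw01 sshd[2210]: Accepted keyboard-interactive/pam for vnd-cnc from 203.0.113.10 port 51234 ssh2
2024-03-12T13:40:02Z cnc-gw01 sudo[2290]: vnd-cnc : TTY=pts/1 ; PWD=/home/vnd-cnc ; USER=root ; COMMAND=/usr/bin/systemctl restart cnc-agent
2024-03-12T14:10:33Z cnc-gw01 sudo[2301]: opsadmin : TTY=pts/2 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/apt-get upgrade
2024-03-12T17:22:45Z cnc-gw01 sudo[2550]: vnd-cnc : TTY=pts/1 ; PWD=/home/vnd-cnc ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
2024-03-12T18:30:00Z plc-hist01 sshd[880]: Accepted publickey for vnd-plc from 203.0.113.22 port 40000 ssh2
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>\w+)\[\d+\]: (?P<msg>.*)$")
SSHD_RE = re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+)")
SUDO_RE = re.compile(r"^(?P<user>\S+) : .*COMMAND=(?P<cmd>.*)$")


def parse_line(line):
    """Return a dict for one sshd login or sudo record, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": ts(m["ts"]), "host": m["host"], "prog": m["prog"], "user": None, "method": None}
    if m["prog"] == "sshd" and (s := SSHD_RE.match(m["msg"])):
        rec.update(user=s["user"], method=s["method"], src=s["src"])
    elif m["prog"] == "sudo" and (s := SUDO_RE.match(m["msg"])):
        rec.update(user=s["user"], cmd=s["cmd"])
    return rec if rec["user"] else None


def find_window(windows, account, host, when):
    for w in windows:
        if w.account == account and w.host == host and w.start <= when <= w.end:
            return w
    return None


def tag_records(log_text, windows=WINDOWS):
    """Tag each record in-window, outside-window (a finding) or not-maintenance."""
    maint_accounts = {w.account for w in windows}
    tagged = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        w = find_window(windows, rec["user"], rec["host"], rec["ts"])
        if w is not None:
            rec["ticket"], rec["status"] = w.ticket, "in-window"
        elif rec["user"] in maint_accounts:
            rec["ticket"], rec["status"] = None, "outside-window"
        else:
            rec["ticket"], rec["status"] = None, "not-maintenance"
        # A maintenance-account login that never went through keyboard-interactive
        # bypassed the assumed MFA path and is a 3.7.5 finding even inside a window.
        rec["single_factor"] = (rec["user"] in maint_accounts and bool(rec["method"])
                                and "keyboard-interactive" not in rec["method"])
        tagged.append(rec)
    return tagged


def overdue_sessions(active, now, windows=WINDOWS):
    """Live maintenance-account sessions with no approved window at `now`.

    active: (account, host, login_time) tuples as collected from `who` or
    `loginctl list-sessions`. Decides only; the caller terminates them.
    """
    maint_accounts = {w.account for w in windows}
    overdue = []
    for account, host, login in active:
        if account not in maint_accounts or find_window(windows, account, host, now):
            continue  # not a maintenance account, or still inside an approved window
        at_login = find_window(windows, account, host, login)
        overdue.append({"account": account, "host": host, "login": login,
                        "ticket": at_login.ticket if at_login else None,
                        "reason": "window closed" if at_login else "no approved window"})
    return overdue
```

tag_records() returns one dict per record; the "outside-window" rows (here the vendor account reading /etc/shadow two hours after its window ended) and the "single_factor" rows (the plc-hist01 login that arrived on a public key alone) are the findings, while "not-maintenance" rows are ordinary administration that an investigator can now filter out. overdue_sessions() only decides; run it from a scheduled job and hand its output to whatever terminates sessions on your platform (loginctl terminate-user on systemd hosts, for example), so that termination does not depend on someone remembering to close the session.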
Where to Start
For an organization new to the MA domain, the first work is the maintenance inventory.
The foundational deliverable is a list of all maintenance activities that occur in the environment: vendor service visits, remote maintenance sessions, patching cycles, diagnostic procedures, and warranty repairs. The inventory must cover both routine scheduled maintenance and reactive maintenance triggered by failures. Without this inventory, the controls in the domain cannot be applied systematically because the scope of maintenance activity is not known.
The second deliverable is the vendor maintenance review. For each vendor that performs maintenance in the environment, the organization needs to understand the access pathway (physical or remote), the personnel involved (authorized or supervised), the tools and media used, and the session management after maintenance completes. The review frequently reveals pathways that were established informally and need to be brought into the formal maintenance framework.
The third deliverable is the nonlocal maintenance MFA implementation. This is typically the area where the most technical work is required, because remote maintenance pathways historically used protocols and authentication mechanisms that did not include MFA. Extending the MFA infrastructure from user authentication to maintenance authentication often requires coordination with the vendors whose tools and protocols are involved.
With the inventory, vendor review, and MFA implementation in place, the remaining MA controls become documentation and operational discipline rather than new capability. The assessment evidence follows from the operational reality that the three foundational deliverables establish.