Perform Maintenance
Perform maintenance on organizational systems.
What an assessor scores, the objectives
MA.L2-3.7.1 is met only when every one of these 1 objectives, from NIST SP 800-171A, is satisfied. A single missed objective makes the whole requirement not met.
- a.system maintenance is performed
How a C3PAO checks it
NIST SP 800-171A defines three assessment methods. For MA.L2-3.7.1, an assessor uses these:
System maintenance policy; procedures addressing controlled system maintenance; maintenance records; manufacturer or vendor maintenance specifications; equipment sanitiz ation records; media sanitization records; system security plan; other relevant documents or records
Personnel with system maintenance responsibilities; personnel with information security responsibilities; personnel responsible for media sanitization; system or network administrators
Organizational processes for scheduling, performing, documenting, reviewing, approving, and monitoring maintenance and repairs for systems; organizational processes for sanitizing system components; mechanisms supporting or implementing controlled maintenance; mechanisms implementing sanitization of system components
What it means, in context
This requirement addresses the information security aspects of the system maintenance program and applies to all types of maintenance to any system component (including hardware, firmware, applications) conducted by any local or nonlocal entity. System maintenance also includes those components not directly associated with information processing and data or information retention such as scanners, copiers, and printers.
One common form of computer security maintenance is regular patching of discovered vulnerabilities in software and operating systems, though there are others that require attention. System maintenance includes: • corrective maintenance (e.g., repairing problems with the technology); • preventative maintenance (e.g., updates to prevent potential problems); • adaptive maintenance (e.g., changes to the operative environment); and • perfective maintenance (e.g., improve operations). Example You are responsible for maintenance activities on your company ’s machines. This includes regular planned maintenance, unscheduled maintenance, reconfigurations when requ ired, and damage repairs [a]. You know that failing to conduct maintenance activities can impact system security and availability, so you ensure that maintenance is regularly performed. You track all maintenance performed to assist with troubleshooting later if needed. Potential Assessment Considerations • Are systems, devices, and supporting systems maintained per manufacturer recommendations or company defined schedules [a]?
What passing evidence looks like
The maintenance record showing systems are actually maintained: patch schedules, hardware service events, firmware updates, dated.
Common ways contractors fail MA.L2-3.7.1
- !For cloud heavy shops most platform maintenance is inherited; your devices and network gear still need the record. A simple maintenance log with the last patch cycles satisfies it.
The step by step walkthrough for Microsoft 365 GCC High, Google Workspace, and on premises setups, plus the exact evidence to capture, lives inside the Level 2 Accelerator.
Prove MA.L2-3.7.1, and the other 109
The Level 2 Accelerator walks all 110 requirements with you, generates your SSP, POA&M, and Audit Room from real evidence, includes the full Level 1 platform, and puts a credentialed officer alongside you for 180 days. Filed in 180 days, or we work free until you are.
No credit card. Phase 2 begins Nov 10, 2026, when applicable DoD solicitations start requiring a current Level 2 status to win the award.
MA.L2-3.7.1 questions, answered
How many points is CMMC requirement MA.L2-3.7.1 worth?+
MA.L2-3.7.1 is worth 3 points in the CMMC Level 2 score under 32 CFR 170.24. If it is not met, you lose 3 from your total of 110.
Can MA.L2-3.7.1 be placed on a POA&M?+
No. MA.L2-3.7.1 must be fully met before you can file. It cannot be deferred to a POA&M, so it is a gate on your assessment.
What family does MA.L2-3.7.1 belong to?+
MA.L2-3.7.1 is in the Maintenance (MA) family, one of the 14 families of NIST SP 800-171 that make up CMMC Level 2.
- NIST SP 800-171 Rev. 2 3.7.1