MA.L2-3.7.2 · NIST SP 800-171 3.7.2

System Maintenance Control

Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.

5 points if not metMust be fully met, cannot POA&M4 assessment objectives

What an assessor scores, the objectives

MA.L2-3.7.2 is met only when every one of these 4 objectives, from NIST SP 800-171A, is satisfied. A single missed objective makes the whole requirement not met.

  • a.tools used to conduct system maintenance are controlled
  • b.techniques used to conduct system maintenance are controlled
  • c.mechanisms used to conduct system maintenance are controlled
  • d.personnel used to conduct system maintenance are controlled

How a C3PAO checks it

NIST SP 800-171A defines three assessment methods. For MA.L2-3.7.2, an assessor uses these:

Examine

System maintenance policy; procedures addressing system maintenance tools and media; maintenance records; system maintenance tools and associated documentation; maintenance tool inspection records; system security plan; other relevant documents or records

Interview

Personnel with system maintenance responsibilities; personnel with information security responsibilities

Test

Organizational processes for approving, controlling, and monitoring maintenance tools; mechanisms supporting or implementing approval, control, and monitoring of maintenance tools; organizational processes for inspecting maintenance tools; mechanisms supporting or implementing inspection of maintenance tools; organizational process for inspecting media for malicious code; mechanisms supporting or implementing inspection of media used for maintenance

What it means, in context

This requirement addresses security -related issues with maintenance tools that are not within the organizational system boundaries that process, store, or transmit CUI, but are used specifically for diagnostic and repair actions on those systems. Organizations have flexibility in determining the controls in place for maintenance tools, but can include approving, controlling, and monitoring the use of such tools. Maintenance tools are potential vehicles for transporting malicious code, either intentionally or unintentionally, into a facility and into organizational systems. Maintenance tools can include hardware, software, and firmware items, for example, hardware and software diagnostic test equipment and hardware and software packet sniffers.

Tools used to perform maintenance must remain secure so they do not introduce viruses or other malware into your system. Controlling your maintenance techniques prevents intentional or unintentional harm to your network and systems. Additionally, the personnel responsible for maintenance activities should be supervised considering their elevated privilege on company assets. Example You are responsible for maintenance activities on your company ’s machines. To avoid introducing additional vulnerability into the systems you are maintaining, you make sure that all maintenance tools are approved and their usage is monitored and controlled [a,b]. You ensure the tools are kept current and up -to-date [a]. You and your backup are the only people authorized to use these tools and perform system maintenance [d]. Potential Assessment Considerations • Are physical or logical access controls used to limit access to maintenance tools to authorized personnel [a]? • Are physical or logical access controls used to limit access to system documentation and organizational maintenance process documentation to authorized personnel [b]? • Are physical or logical access controls used to limit access to automated mechanisms (e.g., automated scripts, scheduled jobs) to authorized personnel [c]? • Are physical or logical access controls used to limit access to the system entry points that enable maintenance (e.g., administrative portals, local and remote console access, and physical equipment panels) to authorized personnel [d]?

What passing evidence looks like

The rule set for maintenance tools and personnel (what tools may be used, who controls them, how remote vendor tools are supervised) plus the controls in force.

Common ways contractors fail MA.L2-3.7.2

  • !Five point requirement about controlling the tools, techniques, and personnel doing maintenance. The MSP's remote agent is a maintenance tool, name it, name who approves its use, and show its access is controlled.

The step by step walkthrough for Microsoft 365 GCC High, Google Workspace, and on premises setups, plus the exact evidence to capture, lives inside the Level 2 Accelerator.

Prove MA.L2-3.7.2, and the other 109

The Level 2 Accelerator walks all 110 requirements with you, generates your SSP, POA&M, and Audit Room from real evidence, includes the full Level 1 platform, and puts a credentialed officer alongside you for 180 days. Filed in 180 days, or we work free until you are.

No credit card. Phase 2 begins Nov 10, 2026, when applicable DoD solicitations start requiring a current Level 2 status to win the award.

MA.L2-3.7.2 questions, answered

How many points is CMMC requirement MA.L2-3.7.2 worth?+

MA.L2-3.7.2 is worth 5 points in the CMMC Level 2 score under 32 CFR 170.24. If it is not met, you lose 5 from your total of 110.

Can MA.L2-3.7.2 be placed on a POA&M?+

No. MA.L2-3.7.2 must be fully met before you can file. It cannot be deferred to a POA&M, so it is a gate on your assessment.

What family does MA.L2-3.7.2 belong to?+

MA.L2-3.7.2 is in the Maintenance (MA) family, one of the 14 families of NIST SP 800-171 that make up CMMC Level 2.

Key references
  • NIST SP 800-171 Rev. 2 3.7.2