Requirement text: MA.2.112: Provide controls on the tools, techniques, mechanisms, and personnel
used to conduct system maintenance.
DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
This requirement addresses security-related issues with maintenance tools that are not
within the organizational system boundaries that process, store, or transmit CUI, but are
used specifically for diagnostic and repair actions on those systems. Organizations have
flexibility in determining the controls in place for maintenance tools, but can include
approving, controlling, and monitoring the use of such tools. Maintenance tools are potential
vehicles for transporting malicious code, either intentionally or unintentionally, into a
facility and into organizational systems. Maintenance tools can include hardware, software,
and firmware items, for example, hardware and software diagnostic test equipment and
hardware and software packet sniffers.
CMMC CLARIFICATION
Protect the tools used to perform maintenance. They must remain secure so they don’t
introduce software viruses or other bugs into your system. Protect your maintenance
processes so they aren’t used to hurt your network. Supervise the people responsible for
maintenance activities. Make sure they don’t behave in a malicious manner.
Example
You are responsible for maintenance activities on your company’s machines. These activities
can introduce software viruses or bugs into your system. To prevent this, make sure your
maintenance tools are protected from unauthorized access. Also, confirm that your organization
manages or supervises everyone assigned to perform maintenance.
References
• NIST SP 800-171 Rev 1 3.7.2
• NIST CSF v1.2 PR.MA-1
• CERT RMM v1.2 TM:SG5.SP2
• NIST SP 800-53 Rev 4 MA-3