NIST 800-171 • LEVEL 2 • MAINTENANCE
3.7.1 — Perform Maintenance on Organizational Systems
Perform maintenance on organizational systems.
Assessment Objectives
Assessment objectives not available for this requirement.
Practitioner Notes
This one sounds simple, but it trips people up because it is really about documenting your maintenance, not just doing it. An assessor wants to see that you have a schedule, you follow it, and you keep records of what was done, when, and by whom.
Example 1: Use a ticketing system like Jira, ConnectWise, or even a shared spreadsheet to log every maintenance action — Windows updates applied via WSUS or Intune, firmware updates on firewalls, drive replacements, etc. Each entry should capture the date, the technician, and what was done.
Example 2: Set up a recurring maintenance calendar in your IT department. For example, configure Microsoft Endpoint Configuration Manager (MECM/SCCM) to deploy patches on a defined monthly cycle, and retain the deployment reports as your maintenance records.