NIST 800-171 • LEVEL 2 • MAINTENANCE

3.7.4 Maintenance Tools

Approve, control, and monitor the use of system maintenance tools. Check media with diagnostic and test programs for malicious code before it is used in the system. Prevent the removal of system maintenance equipment containing CUI by verifying that there is no CUI on the equipment, sanitizing or destroying the equipment, or retaining the equipment within the facility.

Assessment Objectives

  • the use of system maintenance tools is approved.
  • the use of system maintenance tools is controlled.
  • the use of system maintenance tools is monitored.
  • media with diagnostic and test programs are checked for malicious code before the media are used in the system.
  • the removal of system maintenance equipment containing CUI is prevented by verifying that there is no CUI on the equipment, sanitizing or destroying the equipment, or retaining the equipment within the facility.

Practitioner Notes

This practice goes a step further than 3.7.2 — you need to actively approve, control, and monitor maintenance tools, and scan any media used for diagnostics before plugging it in.

Example 1: Before using a vendor-supplied diagnostic USB drive, scan it with your endpoint protection tool (e.g., Microsoft Defender for Endpoint, CrowdStrike Falcon, or Trellix ENS) on a standalone, non-production workstation. Document the scan results before allowing the media onto any production system.

Example 2: Create a Group Policy Object (GPO) under Computer Configuration > Administrative Templates > System > Removable Storage Access to deny all removable storage by default. Only grant exceptions to specific maintenance workstations where approved diagnostic tools are used under supervision.
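To evidence the "controlled" objective per machine, the following added PowerShell check (not part of the NIST or CMMC text) reads the registry location that the Removable Storage Access GPO in Example 2 writes to and reports whether the deny-all setting is in effect; the hostnames in the approved-exception list are constructed placeholders.

```powershell
# Registry key written by Computer Configuration > Administrative Templates >
# System > Removable Storage Access ("All Removable Storage classes: Deny all access").
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

function Get-RemovableStoragePolicyState {
    [CmdletBinding()]
    param(
        [string]$Key = $PolicyKey,
        # Hypothetical maintenance workstations that are approved exceptions.
        [string[]]$ApprovedMaintenanceHosts = @('MAINT-WS01', 'MAINT-WS02')
    )

    $isException = $env:COMPUTERNAME -in $ApprovedMaintenanceHosts
    $denyAll = $false
    $classDenies = @()

    if (Test-Path -Path $Key) {
        $denyAll = ((Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue).Deny_All -eq 1)
        # Per-device-class subkeys (GUID names) can carry Deny_Read/Deny_Write/Deny_Execute
        # when the policy is scoped to a single class instead of "all classes".
        $classDenies = Get-ChildItem -Path $Key -ErrorAction SilentlyContinue | ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            [PSCustomObject]@{
                ClassGuid   = $_.PSChildName
                DenyRead    = ([int]$p.Deny_Read    -eq 1)
                DenyWrite   = ([int]$p.Deny_Write   -eq 1)
                DenyExecute = ([int]$p.Deny_Execute -eq 1)
            }
        }
    }

    # A host is compliant with 3.7.4[b] if removable storage is denied, or if it is
    # a documented maintenance workstation where supervised tool use is approved.
    [PSCustomObject]@{
        Host            = $env:COMPUTERNAME
        CheckedAt       = (Get-Date).ToString('o')
        DenyAllEnforced = $denyAll
        ClassDenies     = $classDenies
        ApprovedException = $isException
        Compliant       = ($denyAll -or $isException)
    }
}

# Example run; pipe to Export-Csv to keep the result as assessment evidence.
Get-RemovableStoragePolicyState | Format-List
```

Run it under the same account the GPO targets (Computer Configuration policies require no user context) after `gpupdate /force` so the key reflects the current policy rather than a stale one.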