NIST 800-53 REV 5 • MAINTENANCE

MA-4(1) Logging and Review

(a) Log [Assignment: organization-defined audit events] for nonlocal maintenance and diagnostic sessions; and (b) Review the audit records of the maintenance and diagnostic sessions to detect anomalous behavior.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Audit logging for nonlocal maintenance is enforced by [AU-2](#au-2). Audit events are defined in [AU-2a](#au-2_smt.a).

Practitioner Notes

All nonlocal (remote) maintenance sessions need to be logged, and those logs need to be reviewed for anything unusual. This gives you an audit trail and helps detect unauthorized activity during maintenance windows.

Example 1: Configure your VPN and remote access tools to log all session details: who connected, when, from where, what systems they accessed, and session duration. Forward these logs to your SIEM (Splunk, Sentinel) and create an alert for sessions outside approved maintenance windows.

Example 2: Use Windows Event Forwarding to collect Remote Desktop session logs (Event IDs 4624 and 4634 for logon/logoff, and 21/22/25 from the TerminalServices-LocalSessionManager log). Review these weekly for unexpected remote maintenance connections.
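The review step from Examples 1 and 2, sketched as an added example (not part of the control text or any vendor tooling): it checks normalized remote-session records against approved maintenance windows and an approved-account list. The window schedule, account names, record fields and sample sessions are all constructed assumptions, and timestamps are assumed to be UTC.

```python
from datetime import datetime, time

# Assumed policy (constructed): weekday -> (open, close) in UTC. 5 = Saturday, 6 = Sunday.
APPROVED_WINDOWS = {5: (time(22, 0), time(23, 59, 59)), 6: (time(0, 0), time(4, 0))}
# Assumed list of accounts authorized for nonlocal maintenance (constructed names).
APPROVED_ACCOUNTS = {"jdoe-adm", "svc-vendor-hvac"}

# Constructed sample records, shaped like VPN/RDP session logs after SIEM normalization.
SESSIONS = [
    {"user": "jdoe-adm", "src": "203.0.113.10", "host": "hist01",
     "start": "2024-06-01T22:15:00", "end": "2024-06-01T23:05:00"},
    {"user": "svc-vendor-hvac", "src": "198.51.100.20", "host": "bms02",
     "start": "2024-06-01T23:30:00", "end": "2024-06-02T01:10:00"},
    {"user": "jdoe-adm", "src": "203.0.113.10", "host": "hist01",
     "start": "2024-06-04T03:12:00", "end": "2024-06-04T03:40:00"},
    {"user": "tmp-contractor", "src": "198.51.100.7", "host": "bms02",
     "start": "2024-06-02T01:00:00", "end": "2024-06-02T01:30:00"},
    {"user": "svc-vendor-hvac", "src": "198.51.100.20", "host": "bms02",
     "start": "2024-06-02T03:30:00", "end": "2024-06-02T05:45:00"},
]

def in_window(ts):
    """True if ts falls inside the approved window for its weekday."""
    window = APPROVED_WINDOWS.get(ts.weekday())
    return window is not None and window[0] <= ts.time() <= window[1]

def review(sessions):
    """Return (user, src, host, start, reasons) for every session needing follow-up."""
    findings = []
    for s in sessions:
        start = datetime.fromisoformat(s["start"])
        end = datetime.fromisoformat(s["end"])
        reasons = []
        if s["user"] not in APPROVED_ACCOUNTS:
            reasons.append("account not approved for nonlocal maintenance")
        if not in_window(start):
            reasons.append("started outside approved window")
        if not in_window(end):  # catches sessions that overrun the window
            reasons.append("ended outside approved window")
        if reasons:
            findings.append((s["user"], s["src"], s["host"], s["start"], reasons))
    return findings

if __name__ == "__main__":
    for user, src, host, start, reasons in review(SESSIONS):
        print(f"{start} {user} from {src} -> {host}: {'; '.join(reasons)}")
```

Checking the end time as well as the start matters: a session that opens inside the window and overruns it would pass a start-only alert.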