MA.L2-3.7.1 requires organizations to perform maintenance on organizational systems in a timely, structured manner consistent with NIST SP 800-171 Rev 2 requirement 3.7.1. This means establishing and following documented maintenance schedules and procedures that specify what systems are maintained, how often, by whom, and what actions are taken. Maintenance activities include hardware servicing, software patching, firmware updates, and any corrective or preventive actions needed to keep systems operational and secure. The practice applies to all organizational systems that process, store, or transmit Controlled Unclassified Information (CUI). Timely maintenance is essential to prevent system degradation that could introduce security vulnerabilities or disrupt mission-critical operations.
Where it stops · what it isn't
- This practice does not govern the tools, techniques, or mechanisms used during maintenance — that is addressed by MA.L2-3.7.2 and MA.L2-3.7.3.
- This practice does not address the specific controls required for remote maintenance sessions — those are covered in MA.L2-3.7.5.
- This practice does not define the requirements for maintenance personnel vetting or escort procedures for external maintainers — see MA.L2-3.7.4.
- This practice does not establish patch management policy in isolation — it must be read alongside configuration management (CM.L2-3.4.x) practices.
- This practice does not cover the disposal or sanitization of media used during maintenance — that falls under Media Protection (MP) domain practices.
Connected concepts in the graph
PART OF: domain/maintenance