NIST SP 800-171 Rev 2 practice 3.7.2 requires organizations to provide controls on the tools, techniques, mechanisms, and personnel used to conduct maintenance on organizational systems. This means that maintenance activities must be authorized, supervised, and executed in a manner that prevents unauthorized access to CUI or system resources. Maintenance tools must be inspected for malicious code before use, and their use must be restricted to authorized personnel operating under defined procedures. Personnel performing maintenance must be vetted, authenticated, and, when not already authorized, escorted or supervised during maintenance activities. The practice addresses both on-site and remote maintenance scenarios, requiring controls that span physical access, logical authentication, and procedural safeguards.
Where it stops · what it isn't
- Does not govern the scheduling or frequency of maintenance activities; that is addressed by MA practice 3.7.1.
- Does not define specific authentication mechanisms for maintenance personnel; those requirements fall under IA domain practice 3.5.x.
- Does not address sanitization or media handling of maintenance equipment after use; that is covered by MP domain practices.
- Does not govern configuration baseline changes resulting from maintenance; CM domain practices (3.4.x) address those controls.
- Does not dictate physical access controls for maintenance areas; those are governed by PE domain practice 3.10.x.