Understanding Maintenance Domain

The Maintenance (MA) domain under CMMC 2.0 discusses maintaining organizational systems, equipment, media inspection, and personnel maintenance. It covers practices like performing regular system maintenance, controlling maintenance processes, sanitizing equipment, inspecting media, and ensuring security during non-local maintenance.

Introduction to Maintenance Domain practices under CMMC 2.0  

This article is the fifth in a 15-part blog series discussing each domain in Cybersecurity Maturity Model Certification (CMMC) and touches upon one of the domains within CMMC: Maintenance.    

The Maintenance (MA) domain will discuss topics related to the maintenance of organizational systems, equipment related to maintenance, media inspection, and personnel maintenance.    

We will be exploring Maintenance in the following manner:    

  • What is Maintenance?    
  • How do you enforce Maintenance in your organization?    

What is Maintenance?    

The Maintenance Domain focuses on what the name suggests: Maintenance. Various types of maintenance; can range from system maintenance to personnel maintenance to equipment maintenance. There are also some critical inspection protocols and controls to be wary of in this domain.  

We will discuss each of these practices in greater detail:  

Performing Maintenance

You must regularly perform system maintenance on your organizational systems for this requirement. It is important that your systems are well-maintained and do not experience any faults; hence, maintenance is required to ensure you upkeep your systems efficiently. It would be best if you also focus on the information security aspects of your system maintenance, which means making sure requirements are up to date and applied as necessary. Maintenance will apply to all system components, including hardware, firmware, and applications. In addition, maintenance extends to systems not directly involved in information processing, such as printers.  

System Maintenance Control

Maintenance needs to be conducted in a controlled environment. It means you must establish control and set requirements for the tools, techniques, and even personnel allowed to be used/conduct maintenance. This requirement is crucial as it focuses on security-related issues that may occur with tools or other factors related to maintenance, as it is meant to fix these issues, not create more (specifically concerning systems that process or maintain CUI). Your organization may determine what is necessary to allow this process to be protected and controlled, but you must have something in place for maintenance to be monitored.  

Equipment Sanitization

This requirement focuses on equipment handling. There are times when equipment might be faulty or needs to be inspected to ensure it operates properly, which might require off-site maintenance. In such a case, you must ensure the equipment has been sanitized properly, mainly if it potentially contains any CUI. Sanitization means ensuring that any data on that equipment or component is no longer accessible, especially if it is CUI. Your organization can determine the method of sanitization that it finds most efficient. Still, proper equipment sanitization must follow a thorough process to ensure the data is not recoverable by a non-authorized entity under any circumstance.    

Media Inspection

An essential part of maintenance includes troubleshooting applications and equipment for any faults they might have. A vendor might provide some form of media (usually a diagnostic application) to aid these efforts. Any such form of media must be inspected to ensure there is no malicious code or it is not corrupted. This inspection must be done before the media is used with any of your organizational systems, as it ensures the safety of your information and the integrity of your system itself, protecting it from any malicious entity trying to gain access.  

Nonlocal Maintenance

This practice focuses on nonlocal maintenance, usually conducted on an external network connection (such as the internet). Your organization should establish a form of multifactor authentication to ensure the person trying to connect is authorized and that any non-authorized individual cannot gain access. The recommended approach is to have at least two forms of authentication (such as a password, pin, identification token, or facial scan) to allow for proper verification. Furthermore, upon completion of any nonlocal maintenance, you must terminate any connection and verify that the external party has no access.  

Maintenance Personnel

In this practice, the personnel that performs maintenance on any organizational system are essential to consider. First, you must ensure that only authorized individuals perform maintenance on your systems. Still, if there is a case where the individual does not have the required access authorization, they must be supervised by someone who does. This requirement applies to any individual performing hardware or software maintenance on your organizational systems, and your organization may determine how the access is given/maintained. It is recommended that if they do not have access, temporary access is provided in a limited scope and is highly restrictive, and only necessary functions are given.    

How do you enforce Maintenance in your organization?    

This domain outlines Maintenance practices ranging from equipment maintenance to personnel maintenance. However, the focus remains on maintenance and ensuring that any maintenance is performed correctly and with the proper approach.  

CMMC 2.0 Levels and the MA domain  

CMMC Level 1

For CMMC Level 1, your organization will not have to do anything for this domain.  

CMMC Level 2

For CMMC Level 2, your organization is to comply with six practices.  

  • Performing Maintenance  
  • System Maintenance Control  
  • Equipment Sanitization  
  • Media Inspection  
  • Nonlocal Maintenance  
  • Maintenance Personnel    

Following are some of the areas that you should be looking for to comply with Maintenance practices under CMMC Level 2  

  • System Maintenance Policy  
  • Media Sanitization Records  
  • Maintenance Records  
  • System Maintenance Tools  
  • System Security Plan (SSP)  
  • Manufacturer/Vendor Maintenance Specifications  
  • Organizational processes for scheduling/performing maintenance  

CMMC Level 3  

For CMMC Level 3, the MA practices are yet to be determined.

InterSec is one of the leading Cybersecurity company. Having years of experience working with top companies, we have a mature team and processes.

Contact us today for a free consultation for your security needs.
Contact Us