This article is the fifth in a 15-part blog series discussing each domain in Cybersecurity Maturity Model Certification (CMMC) and touches upon one of the domains within CMMC: Maintenance.
The Maintenance (MA) domain will discuss topics related to the maintenance of organizational systems, equipment related to maintenance, media inspection, and personnel maintenance.
We will be exploring Maintenance in the following manner:
The Maintenance Domain focuses on what the name suggests: maintenance. It covers several types, ranging from system maintenance to personnel maintenance to equipment maintenance. There are also some critical inspection protocols and controls to be aware of in this domain.
We will discuss each of these practices in greater detail:
For this requirement, you must regularly perform maintenance on your organizational systems. Well-maintained systems are less likely to develop faults, so routine maintenance is required to keep them operating reliably. You should also focus on the information security aspects of system maintenance, which means making sure security requirements are kept up to date and applied as necessary. Maintenance applies to all system components, including hardware, firmware, and applications. In addition, it extends to systems not directly involved in information processing, such as printers.
Maintenance needs to be conducted in a controlled environment. This means you must establish controls and set requirements for the tools and techniques that may be used and for the personnel who are allowed to conduct maintenance. This requirement is crucial because it addresses the security issues that maintenance tools and related factors can themselves introduce: maintenance is meant to fix problems, not create new ones, particularly on systems that process or store CUI. Your organization may determine what is necessary to keep this process protected and controlled, but you must have something in place so that maintenance is monitored.
This requirement focuses on equipment handling. There are times when equipment is faulty or needs to be inspected to ensure it operates properly, which might require off-site maintenance. In such a case, you must ensure the equipment has been sanitized properly, particularly if it may contain any CUI. Sanitization means ensuring that any data on that equipment or component is no longer accessible, especially if it is CUI. Your organization can determine the method of sanitization it finds most efficient. Still, proper equipment sanitization must follow a thorough process to ensure the data cannot be recovered by an unauthorized entity under any circumstance.
An essential part of maintenance includes troubleshooting applications and equipment for any faults they might have. A vendor might provide some form of media (usually a diagnostic application) to aid these efforts. Any such media must be inspected to ensure it contains no malicious code and is not corrupted. This inspection must be done before the media is used with any of your organizational systems, as it protects the confidentiality of your information and the integrity of the system itself against any malicious entity trying to gain access.
This practice focuses on nonlocal maintenance, which is usually conducted over an external network connection (such as the internet). Your organization should establish a form of multifactor authentication to ensure the person trying to connect is authorized and that no unauthorized individual can gain access. The recommended approach is to require at least two forms of authentication (such as a password, PIN, identification token, or facial scan) to allow for proper verification. Furthermore, upon completion of any nonlocal maintenance, you must terminate the connection and verify that the external party no longer has access.
In this practice, the personnel who perform maintenance on any organizational system are the essential consideration. First, you must ensure that only authorized individuals perform maintenance on your systems. Where an individual does not have the required access authorization, they must be supervised by someone who does. This requirement applies to anyone performing hardware or software maintenance on your organizational systems, and your organization may determine how that access is granted and maintained. If the individual does not already have access, it is recommended that temporary access be provided in a limited, highly restrictive scope covering only the functions necessary for the task.
This domain outlines Maintenance practices ranging from equipment maintenance to personnel maintenance. However, the focus remains on maintenance and ensuring that any maintenance is performed correctly and with the proper approach.
For CMMC Level 1, your organization will not have to do anything for this domain.
For CMMC Level 2, your organization is to comply with six practices.
Following are some of the areas you should be looking at to comply with Maintenance practices under CMMC Level 2.
For CMMC Level 3, the MA practices are yet to be determined.