
How to create a step‑by‑step maintenance control checklist to satisfy NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 - Control - MA.L2-3.7.2

A practical, step‑by‑step guide to building a maintenance control checklist that meets NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 MA.L2-3.7.2 with examples for small businesses.

April 14, 2026

This post gives a practical, actionable recipe for creating a step‑by‑step maintenance control checklist that satisfies NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 control MA.L2-3.7.2, tailored for small businesses working to protect Controlled Unclassified Information (CUI) under the Compliance Framework practice.

Understanding MA.L2-3.7.2 and the Compliance Framework objective

MA.L2-3.7.2 is aimed at ensuring maintenance activities on organizational systems are authorized, documented, and performed in a way that protects the confidentiality, integrity, and availability of CUI. In Compliance Framework terms the Practice is to control maintenance—who performs it, with what tools, and how results are verified and recorded—so that maintenance does not become a vector for compromise. For a small business this means formalizing what has often been informal: an inventoried scope, approved tools and personnel, scheduled windows with isolation controls, logging, and post‑maintenance verification.

Step-by-step maintenance control checklist

1) Define scope, inventory and risk classification

Start by listing every system, device, and component that stores, processes, or transmits CUI (servers, VMs, network equipment, endpoints, OT devices). Record hostname, IP, owner, risk level, and whether vendor/third‑party access is permitted. Implementation tip: store this in a CMDB or a managed spreadsheet with versioning (e.g., ServiceNow CMDB, Jira Assets, or an encrypted Git repository). Example for a small business: label your production database VM and VPN appliance as "High — CUI" and include them in a prioritized maintenance roster.

2) Create a maintenance policy and approval workflow

Document who can approve maintenance requests, what approvals are required for different risk levels, and how emergency maintenance is handled. Implement a ticketing flow where each maintenance action requires a ticket with planned start/stop times, justification, and approver(s). For small teams, use ManageEngine or even a dedicated Jira project with a required approval custom field; for higher assurance, require digital signatures or an e‑mail approval archived to the ticket.

3) Authorize personnel and tools — vet and whitelist

Maintain a roster of authorized maintainers (internal and vendor) and an approved tools list (e.g., SSH clients, vendor firmware utilities). Require background checks/NDAs for third parties if they will access CUI systems. Technical controls: enforce admin authentication via centralized AAA (e.g., RADIUS/TACACS+), require MFA, and restrict local administrator use via privileged access management (PAM) or a bastion host. Example command-level practice: require all administrators to connect through a bastion host (ssh -J bastion.admin@jumphost target) so sessions can be monitored and recorded.

4) Schedule, isolate and back up before maintenance

Schedule maintenance windows and notify stakeholders. Enforce isolation where possible (maintenance VLAN, firewall rules, or snapshot/clone for VMs). Always take verified backups or snapshots immediately before maintenance — for VMs use vSphere snapshots or aws ec2 create-snapshot, for databases use logical dumps plus point-in-time backups. Verify backup integrity with checksums (e.g., sha256sum backup.tar.gz) and store backups in an access‑controlled location. For small businesses, automate snapshots with a cron job or cloud backup policy and log the successful completion to the ticket.

5) Execute, monitor and collect audit evidence

During maintenance, capture real-time logs and session recordings. Configure syslog forwarding to a central collector or SIEM (e.g., rsyslog → SIEM or cloud logging), enable command auditing (auditd on Linux), and use file integrity monitoring (OSSEC/Tripwire) to detect unauthorized changes. If remote vendor tools are used, require a temporary, time‑boxed account and record all activity. Example: start an SSH session recording on the bastion before allowing access; save the session file to the ticket as proof of actions taken.

6) Post-maintenance validation and documentation

Validate system functionality and re‑assess security posture after maintenance. Run functional tests, integrity checks, and vulnerability scans (e.g., Nessus or OpenVAS) if relevant. Update the CMDB/ticket with exact changes made, software/firmware versions, hashes of updated binaries (sha256sum firmware.bin), and note any residual issues. Retain all artifacts—approvals, backups, logs, and test results—according to your retention policy; for many small contractors 12 months is a practical baseline unless contractually specified otherwise.
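The following script is an added example, not code from the original post or from any product named above. It shows how steps 2 through 6 can be enforced as an automated pre‑maintenance gate: the maintenance ticket must be approved and name a rostered maintainer, a backup is taken and its SHA-256 verified, and an evidence line is appended to the ticket log. The key=value ticket format, the roster file and all file paths are assumptions made for this demo.

```shell
#!/bin/sh
# Added example (not from the original post): pre-maintenance gate that checks
# the ticket and maintainer roster (steps 2-3), takes and verifies a backup
# (step 4), and appends an evidence record for the ticket (steps 5-6).
# The key=value ticket format, roster file and paths are assumptions.
set -eu

# Read one key from a key=value ticket file (first match wins).
ticket_field() { sed -n "s/^$2=//p" "$1" | head -n 1; }

# Gate 1: the ticket must be approved, name an approver, and name a maintainer
# who appears on the authorized-maintainer roster (one name per line).
check_ticket() {
  ticket=$1 roster=$2
  [ "$(ticket_field "$ticket" status)" = "approved" ] || return 1
  [ -n "$(ticket_field "$ticket" approver)" ] || return 1
  grep -qxF -- "$(ticket_field "$ticket" maintainer)" "$roster" || return 1
}

# Gate 2: archive a directory and record its SHA-256 next to the archive.
make_backup() {
  src=$1 archive=$2
  tar -cf "$archive" -C "$(dirname "$src")" "$(basename "$src")"
  ( cd "$(dirname "$archive")" && sha256sum "$(basename "$archive")" \
      > "$(basename "$archive").sha256" )
}

# Verify the archive against its recorded checksum; fails if either was altered.
verify_backup() {
  ( cd "$(dirname "$1")" && sha256sum -c "$(basename "$1").sha256" >/dev/null 2>&1 )
}

# Evidence: append a timestamped line carrying the backup hash to the ticket log.
log_evidence() {
  ticket=$1 archive=$2 logfile=$3
  printf '%s ticket=%s maintainer=%s backup=%s sha256=%s\n' \
    "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(ticket_field "$ticket" id)" \
    "$(ticket_field "$ticket" maintainer)" "$archive" \
    "$(cut -d' ' -f1 "$archive.sha256")" >> "$logfile"
}

# Run the gates in order; any failure stops the maintenance from starting.
pre_maintenance_gate() {
  ticket=$1 roster=$2 src=$3 archive=$4 logfile=$5
  check_ticket "$ticket" "$roster" || { echo "ticket gate failed" >&2; return 1; }
  make_backup "$src" "$archive"
  verify_backup "$archive" || { echo "backup verification failed" >&2; return 1; }
  log_evidence "$ticket" "$archive" "$logfile"
}
```

Wire pre_maintenance_gate into the ticketing workflow (for example as the job that runs when a ticket transitions to "in progress") so the approval and backup gates cannot be skipped, and attach the evidence log and the .sha256 file to the ticket as artifacts.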

Compliance tips, best practices and risk of non‑implementation

Practical tips: integrate the checklist into your ticketing system so approval gates cannot be bypassed; use automation (scripts or orchestration) to enforce pre‑maintenance checks; keep a minimal approved‑tools list and block execution of unknown installers via application whitelisting. For small businesses working with DOD or government contractors, ensure third‑party agreements explicitly cover maintenance access, monitoring, and liability. Risks of not implementing MA.L2-3.7.2 include unauthorized access during maintenance, insertion of malicious firmware or backdoors, untracked changes that break incident response, exposure of CUI through vendor sessions, and ultimately contract non‑compliance or loss of business. Real-world scenario: a small supplier that allowed a vendor to update network firmware without session recording later discovered that the firmware image was tampered with — a properly enforced maintenance checklist would have required image hash verification and session capture, preventing the breach.

Summary: Build a concise, enforceable maintenance checklist that maps to each MA.L2-3.7.2 element—scope/inventory, approvals, authorized personnel/tools, isolation/backups, logged execution, and post‑validation—integrate it with your ticketing and CMDB, and automate where possible. For small businesses the combination of clear policy, simple technical controls (bastion/jump hosts, MFA, centralized logging, snapshots), and documented evidence stored with each maintenance ticket will satisfy the intent and practical requirements of the Compliance Framework practice and materially reduce risk to CUI.
