This post provides a practical, step-by-step checklist to implement MA.L2-3.7.1 (Perform maintenance on organizational systems) from NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2, with hands-on implementation notes, small-business examples, technical controls, and compliance tips you can apply immediately.
Overview — what MA.L2-3.7.1 requires and why it matters
MA.L2-3.7.1 requires organizations to perform maintenance on organizational systems in a controlled, documented, and secure manner so that maintenance actions do not create vulnerabilities or expose Controlled Unclassified Information (CUI). The control’s goals are to ensure maintenance is authorized, executed by authorized personnel, logged for auditability, performed with minimal disruption, and that rollback and verification steps exist. For companies operating under the Compliance Framework (NIST SP 800-171 / CMMC), evidence of a repeatable, auditable maintenance process is essential during assessments.
Step-by-Step Checklist
1) Inventory, Authorization, and Scope
Before any maintenance, confirm the affected items using an up‑to‑date inventory (CMDB). Identify system owners, CUI-bearing components, and whether the maintenance affects production systems. Require formal authorization: a ticket or change request with approver signatures. Example: in a small defense‑contracting shop, every maintenance ticket should list whether impacted hosts process or store CUI and include an approver from IT and the CUI owner. Implementation note: integrate your CMDB with the ticketing system (ServiceNow, Jira, or a lightweight Trello board with tags) so maintenance tickets automatically pull asset IDs and owner info.
2) Schedule, Isolation, and Pre-checks
Schedule maintenance windows and notify stakeholders (users, customers, prime contractors) in advance. For risky changes, isolate systems on maintenance VLANs or use snapshots/checkpoints (VM snapshots, EBS snapshots) to enable quick rollback. Run pre-maintenance checks: backups verified, patches tested in staging, disk space, dependencies, and configuration drift checks. Small-business scenario: before patching a Windows file server that hosts CUI, create a VSS snapshot, confirm backup integrity, and ensure backups are stored offline for the retention period required by contract.
3) Secure Access, Authentication, and Execution
Allow only authorized personnel to perform maintenance. Use just-in-time privileged access where possible (Azure AD PIM, AWS SSM Session Manager, or temporary sudo elevations). Require Multi-Factor Authentication (MFA) and, for remote vendor maintenance, use a VPN + jump host with session recording. Technical controls: force certificate‑based SSH, disable password logins, centrally execute scripts with Ansible or PowerShell DSC to reduce manual errors. Log all commands and file transfers to a centralized syslog/SIEM (Splunk, Elastic, or a managed SIEM). Example command hardening: ssh -o PasswordAuthentication=no -o CertificateFile=~/.ssh/id_ed25519-cert.pub -J jump.example.com admin@target (the client presents a CA-signed certificate and refuses to fall back to a password; the target's sshd must trust the CA via TrustedUserCAKeys); record the session through tlog or auditd.
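The "force certificate-based SSH, disable password logins" requirement above is only as good as the sshd_config on each maintenance target, and it is a natural candidate for the configuration drift check mentioned in step 2. The following Python audit is an added example, not code from the original post: it parses an sshd_config the way sshd does (first occurrence of a keyword wins, settings below the first Match block are ignored) and reports every setting that departs from a small assumed policy. The policy values and both sample configs are constructed for illustration.

```python
"""Audit sshd_config text for the maintenance-access settings step 3 calls for.
Added example, not from the original post; the policy below is an assumption."""
import re

# Assumed policy: each keyword must be set explicitly to this value. Relying on
# sshd's compiled-in default is treated as a finding because defaults differ
# between OpenSSH versions and distributions.
REQUIRED = {
    "passwordauthentication": "no",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "no",
}
# Certificate-based login cannot work unless sshd trusts a user CA.
REQUIRED_PRESENT = ("trustedusercakeys",)


def parse_sshd_config(text):
    """Return {keyword.lower(): value} for the global section of an sshd_config.

    sshd uses the first occurrence of a keyword, so later duplicates are ignored.
    Parsing stops at the first 'Match' line: conditional blocks can only
    override for specific users/hosts and are out of scope for this audit.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text):
    """Return a list of human-readable findings; an empty list means compliant."""
    settings = parse_sshd_config(text)
    findings = []
    for key, want in REQUIRED.items():
        got = settings.get(key)
        if got is None:
            findings.append(f"{key}: not set explicitly (sshd default applies); expected {want}")
        elif got.lower() != want:
            findings.append(f"{key}: {got} (expected {want})")
    for key in REQUIRED_PRESENT:
        if key not in settings:
            findings.append(f"{key}: missing; certificate-based login is not configured")
    return findings


# Constructed sample: a host still accepting passwords and root logins.
WEAK_CONFIG = """
Port 22
PasswordAuthentication yes
PermitRootLogin yes
"""

# Constructed sample: the same host after applying step 3.
HARDENED_CONFIG = """
Port 22
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
TrustedUserCAKeys /etc/ssh/user_ca.pub   # path is a placeholder
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{label}] {audit_sshd_config(cfg) or 'compliant'}")
```

Run it against /etc/ssh/sshd_config on each host from your maintenance playbook and attach the output to the change ticket. One caveat: PasswordAuthentication no does not disable keyboard-interactive (PAM) logins, so a complete audit would also check KbdInteractiveAuthentication (ChallengeResponseAuthentication on older OpenSSH releases).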
4) Test, Verify, and Rollback Plan
After making changes, run verification tests: service health checks, automated integration tests, and file integrity checks (Tripwire, OSSEC, or fsnotify-based scripts). Verify that CUI access controls remain intact and that file permissions and encryption are unchanged. Always have a rollback procedure that is pre-tested in staging: restore from snapshot or run an automated rollback playbook. For kernel or firmware updates, maintain known-good boot media and a recovery procedure that is documented and time‑boxed in the change ticket.
5) Document, Log, and Report
Record maintenance activities in the ticket: start and end times, personnel, commands/scripts run, checksums or hashes of files changed, and verifications performed. Retain logs and the ticket as evidence for the required retention period (follow contract or organizational policy; many require 3–6 years for CUI-related evidence). Feed logs to your SIEM, mark tickets with CUI tags, and produce an after-action summary if issues occurred. Implementation tip: capture artifacts automatically. Ansible playbook runs produce output, and syslog/WinEvent forwarding captures system‑level events for evidence.
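Steps 4 and 5 together describe one workflow: hash the affected tree before maintenance, hash it again afterwards, confirm that only the files the ticket said would change actually changed (with permissions intact), and attach the before/after hashes to the ticket. The Python below is an added example rather than the post's own tooling or any specific product's format. It builds a SHA-256 plus mode snapshot of a directory, diffs two snapshots, and produces a JSON-serializable evidence record; the `expected` parameter (the set of paths the change request authorized) and the demo scenario with its temporary files are constructed assumptions.

```python
"""Baseline-and-verify check (step 4) that emits ticket evidence (step 5).
Added example, not from the original post; the evidence layout is an assumption."""
import hashlib
import os
import stat
import tempfile
from datetime import datetime, timezone


def snapshot_tree(root):
    """Map each regular file under root (relative path) to its SHA-256 and mode bits.

    Mode is recorded alongside content so a maintenance step that silently
    loosens permissions on a CUI file is caught even if the bytes are unchanged.
    Symlinks and special files are skipped (lstat is used so links are not followed).
    """
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root)
            snap[rel] = {"sha256": digest.hexdigest(), "mode": oct(stat.S_IMODE(st.st_mode))}
    return snap


def diff_snapshots(before, after):
    """Classify every path as added, removed, modified (content) or mode_changed."""
    changes = {"added": [], "removed": [], "modified": [], "mode_changed": []}
    for path in sorted(set(before) | set(after)):
        if path not in before:
            changes["added"].append(path)
        elif path not in after:
            changes["removed"].append(path)
        else:
            if before[path]["sha256"] != after[path]["sha256"]:
                changes["modified"].append(path)
            if before[path]["mode"] != after[path]["mode"]:
                changes["mode_changed"].append(path)
    return changes


def evidence_record(ticket_id, before, after, expected):
    """Build the ticket attachment: every change with before/after hashes, plus a
    pass/fail verdict. Verification fails on any path outside `expected` (the set
    of paths the change request authorized; hypothetical field) and on any
    permission change, matching the requirement that file permissions stay intact."""
    changes = diff_snapshots(before, after)
    touched = set().union(*changes.values())
    unexpected = sorted(touched - set(expected))
    return {
        "ticket": ticket_id,
        "verified_at": datetime.now(timezone.utc).isoformat(),
        "changes": changes,
        "hashes": {
            p: {"before": before.get(p, {}).get("sha256"),
                "after": after.get(p, {}).get("sha256")}
            for p in sorted(touched)
        },
        "unexpected_changes": unexpected,
        "verification_passed": not unexpected and not changes["mode_changed"],
    }


def demo():
    """Constructed scenario: the ticket authorizes replacing bin/service, but the
    maintenance run also loosens a CUI file's mode and leaves a stray script behind."""
    with tempfile.TemporaryDirectory() as root:
        cui = os.path.join(root, "cui", "contract.txt")
        svc = os.path.join(root, "bin", "service")
        for path, body, mode in ((cui, "CUI sample (constructed)\n", 0o600),
                                 (svc, "version 1\n", 0o755)):
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(body)
            os.chmod(path, mode)
        before = snapshot_tree(root)

        # The "maintenance": one authorized change and two unauthorized side effects.
        with open(svc, "w") as fh:
            fh.write("version 2\n")
        os.chmod(cui, 0o644)
        with open(os.path.join(root, "bin", "debug.sh"), "w") as fh:
            fh.write("echo leftover\n")
        after = snapshot_tree(root)

        return evidence_record("CHG-0001", before, after, expected={"bin/service"})


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

In practice, run snapshot_tree over the paths named in the ticket (config directories, service binaries, CUI shares) immediately before and after the window, and store the JSON with the ticket so an assessor can tie each hash to an authorized change. A non-empty unexpected_changes list is the trigger for the rollback procedure in step 4 rather than something to explain away after the fact.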
Practical implementation details for small businesses
Small businesses can implement the above without heavy tooling. Use managed services: cloud provider snapshots (AWS AMI/EBS snapshot), Microsoft Intune or Jamf for endpoint maintenance, and a cloud SIEM offering or simple log retention on a hardened syslog server. For vendor maintenance, require written statements of work, non-disclosure agreements, and remote maintenance rules (time windows, no copy of CUI offsite). If budget is constrained, prioritize: (1) an inventory and change ticket system, (2) backups and rollback capability, (3) logging of privileged access. Example: a 20-person subcontractor can use Git-based Ansible playbooks, a $10/month ticketing SaaS, and AWS S3 for encrypted backups with MFA Delete enabled to meet most MA.L2-3.7.1 expectations.
Risks of not implementing MA.L2-3.7.1 and compliance tips
Failing to control maintenance risks unauthorized access, accidental data exposure, and persistent misconfigurations that can be exploited. For CUI, this can result in contract loss, corrective actions, or higher-cost remediation. Common failures seen in assessments: undocumented vendor maintenance, absence of rollback plans, and missing logs tying maintenance to authorized personnel. Compliance tips: codify maintenance SOPs, automate evidence capture, enforce temporary access controls, and review maintenance tickets monthly for anomalies. Maintain a POA&M for gaps and track remediation milestones — auditors expect to see progress and realistic timelines.
Summary
Meeting MA.L2-3.7.1 is practical: maintain an accurate inventory, require authorization, isolate and back up before changes, enforce secure access and strong logging during maintenance, test and verify changes with a rollback plan, and document everything for audit evidence. For small businesses, leverage managed cloud features and lightweight automation to reduce human error and capture compliance artifacts. Implementing these steps reduces operational risk, protects CUI, and provides the audit trail required by NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2.