Family 3.7 · 6 requirements
Maintenance.
Trusted tools. Trusted people. Documented work.
The big picture
Maintenance is when systems are most exposed — uncontrolled tools, unsupervised technicians, undocumented work. Each of these is the assessor's prompt for a finding.
Theme 1
Tools and media.
3.7.1 — 3.7.3 Performing maintenance with controlled tools and inspecting media for malicious code.
- 3.7.1 Maintain on Schedule. MA.L2-3.7.1 · Perform Maintenance: Perform and document regular maintenance — patching, updates, hardware servicing — across all CUI systems.
- 3.7.2 Control Maintenance Tools. MA.L2-3.7.2 · System Maintenance Control: Approve, track, and inspect all tools and personnel used for system maintenance.
- 3.7.3 Wipe Before Repair. MA.L2-3.7.3 · Equipment Sanitization: Sanitize CUI from equipment before it leaves for off-site maintenance.
Theme 2
Process and people.
3.7.4 — 3.7.6 Cleansing equipment before off-site work, MFA for non-local maintenance, and supervising external maintainers.
- 3.7.4 Scan Maintenance Media. MA.L2-3.7.4 · Media Inspection: Scan USB drives, diagnostic disks, and vendor-provided media for malware before use on CUI systems.
- 3.7.5 MFA for Remote Maintenance. MA.L2-3.7.5 · Nonlocal Maintenance: Require multifactor authentication for all remote maintenance sessions. Terminate when complete.
- 3.7.6 Escort Uncleared Techs. MA.L2-3.7.6 · Maintenance Personnel: Supervise maintenance personnel without required access authorization at all times.