3.7.1 — Maintain on Schedule

The One-Liner

If you can’t show a maintenance schedule and records of completed work, you fail.

What It Says

Perform maintenance on organizational systems.

What It Actually Means

Regular, scheduled maintenance on all CUI systems — documented. This covers four types: corrective (fixing problems), preventive (updates to prevent problems), adaptive (changes for new requirements), and perfective (performance improvements). For most DIB contractors, the core of maintenance is patching (covered in detail by 3.14.1) and hardware servicing.

The assessor checks that maintenance is performed on a defined schedule and that records exist. “We patch when we remember to” is not a maintenance program.

---

Pass or Fail

Your assessor needs a “yes” to every row:

#	Question	What “yes” looks like
1	Is system maintenance performed?	Maintenance schedule exists; records of completed maintenance with dates, systems, and work performed

---

What to Have Ready on Assessment Day

Documents they’ll review: System maintenance policy; maintenance schedule; maintenance records; vendor maintenance specifications; system security plan

People they’ll talk to: Personnel with maintenance responsibilities; information security personnel; system or network administrators

Live demos they’ll ask for: “Show me your maintenance schedule.” “Show me records from the last three months.” “How do you track what was done?”

---

The Assessor’s Playbook

• “Show me your maintenance schedule. Is it defined or ad-hoc?”
• “Show me records of maintenance performed in the last quarter.”
• “Are all system types covered — servers, workstations, network devices, firmware?”
• “How do you document what maintenance was performed?”

Real-World Example

A defense contractor runs monthly maintenance windows (second Saturday). Intune pushes OS and application patches to workstations weekly; servers are patched monthly in the maintenance window. Network device firmware is reviewed quarterly. Each maintenance event is logged in the ITSM system with: date, systems affected, work performed, and outcome. The assessor reviews three months of maintenance records and sees consistent, documented activity across all system types.

---

Where Companies Trip Up

No schedule. Maintenance happens reactively when something breaks. Define a schedule — monthly patching at minimum.

No records. Patches applied but nothing documented. Use your patching tool’s compliance reports and supplement with maintenance tickets.

Incomplete coverage. Servers patched but workstations, network devices, and firmware neglected. All CUI system types require maintenance.

---

How to Talk About This

To a CEO or Board

Every CUI system is maintained on a defined schedule — monthly patching, quarterly firmware reviews, and hardware servicing as needed. All maintenance is documented and auditable.

To an Engineering Team

Monthly maintenance windows. Intune for endpoints (weekly). WSUS for servers (monthly). Firmware quarterly. All events in ITSM. Compliance reports from patching tools.

---

Connected Requirements

Requirement	Why it matters here
3.14.1 — Patch Your Systems	Patching is the primary maintenance activity for most systems
3.4.3 — Control Every Change	Maintenance activities are changes that go through change management
3.7.5 — MFA for Remote Maintenance	Remote maintenance requires MFA

---

Implementation (coming soon)

Step-by-step setup for Microsoft 365 / Entra ID, AWS, Azure, and GCP — console steps, CLI commands, and evidence screenshots.

---

CMMC Practice ID: MA.L2-3.7.1 | SPRS Weight: 3 points | POA&M Eligible: No