3.7.2 — Control Maintenance Tools

The One-Liner

If a vendor plugs an unknown laptop into your network for diagnostics, you’ve lost control.

What It Says

Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.

What It Actually Means

Four things are controlled: the tools used for maintenance (approved software and hardware), the techniques (defined procedures), the mechanisms (automated scripts, scheduled jobs), and the personnel (authorized and supervised). No unvetted equipment or unauthorized personnel touching your CUI systems.

The assessor checks: Is there an approved tools list? Are vendor tools inspected before use? Are maintenance personnel authorized and supervised?

---

Pass or Fail

Your assessor needs a “yes” to every row:

#	Question	What “yes” looks like
1	Are maintenance tools controlled?	Approved tools list; vendor tools inspected before use on CUI systems
2	Are maintenance techniques controlled?	Documented maintenance procedures followed consistently
3	Are maintenance mechanisms controlled?	Automated maintenance scripts/jobs approved and tracked
4	Are maintenance personnel controlled?	Authorized personnel list; unauthorized personnel supervised (see 3.7.6)

---

What to Have Ready on Assessment Day

Documents they’ll review: Maintenance policy; approved tools list; maintenance records; tool inspection records; system security plan

People they’ll talk to: Maintenance personnel; information security personnel

Live demos they’ll ask for: “Show me your approved maintenance tools list.” “How do you vet a vendor’s diagnostic tool before it connects?”

---

The Assessor’s Playbook

• “Show me your list of approved maintenance tools.”
• “How do you inspect vendor tools or media before connecting to CUI systems?”
• “Who is authorized to perform maintenance? Show me the list.”
• “Are automated maintenance scripts or tools controlled and approved?”

Real-World Example

A defense contractor maintains an approved tools list: Intune for endpoint management, WSUS for server patching, the vendor’s official diagnostic utility for the firewall (downloaded from the vendor site and hash-verified). When a vendor technician needs to run diagnostics, their USB drive is scanned on an isolated workstation before connecting to any CUI system. Maintenance is restricted to two authorized sysadmins; vendor technicians are always escorted and use pre-approved tools only.

---

Where Companies Trip Up

No approved list. Anyone uses any tool. Define what’s approved and vet everything else before use.

Vendor equipment unscanned. A vendor plugs in their laptop without any inspection. Scan vendor media and tools before they touch CUI systems.

Uncontrolled automation. Maintenance scripts running without anyone tracking what they do. Approve and document automated maintenance mechanisms.

---

How to Talk About This

To a CEO or Board

All maintenance tools are approved, tracked, and inspected. No unvetted equipment touches our CUI systems. Maintenance personnel are authorized and supervised.

To an Engineering Team

Approved tools list maintained and reviewed quarterly. Vendor media scanned before use. Hash verification for downloaded utilities. Authorized maintenance personnel list. Vendor access per escort policy (3.7.6).

---

Connected Requirements

Requirement	Why it matters here
3.7.4 — Scan Maintenance Media	Media scanning is a specific control for maintenance tools
3.7.6 — Escort Uncleared Techs	Personnel controls for unauthorized maintenance staff
3.14.2 — Deploy Anti-Malware	Endpoint protection that scans maintenance media

---

Implementation (coming soon)

Step-by-step setup for Microsoft 365 / Entra ID, AWS, Azure, and GCP — console steps, CLI commands, and evidence screenshots.

---

CMMC Practice ID: MA.L2-3.7.2 | SPRS Weight: 5 points | POA&M Eligible: No