MA.2.112

Content

Control Acronym

MA

Family

Maintenance

CMMC Level

2

800-171 Control #

3.7.2

CMMC Description

Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.

CMMC Clarification

Protect the tools used to perform maintenance. They must remain secure so they don’t introduce software viruses or other bugs into your system. Protect your maintenance processes so they aren’t used to hurt your network. Supervise the people responsible for maintenance activities. Make sure they don’t behave in a malicious manner.

Example

You are responsible for maintenance activities on your company’s machines. These activities can introduce software viruses or bugs into your system. To prevent this, make sure your maintenance tools are protected from unauthorized access. Also, confirm that your organization manages or supervises everyone assigned to perform maintenance.

800-171 Description

Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.

800-171 Discussion

This requirement addresses security-related issues with maintenance tools that are not within the organizational system boundaries that process, store, or transmit CUI, but are used specifically for diagnostic and repair actions on those systems. Organizations have flexibility in determining the controls in place for maintenance tools, but can include approving, controlling, and monitoring the use of such tools. Maintenance tools are potential vehicles for transporting malicious code, either intentionally or unintentionally, into a facility and into organizational systems. Maintenance tools can include hardware, software, and firmware items, for example, hardware and software diagnostic test equipment and hardware and software packet sniffers.

Footnote 26: In general, system maintenance requirements tend to support the security objective of availability. However, improper system maintenance or a failure to perform maintenance can result in the unauthorized disclosure of CUI, thus compromising confidentiality of that information.

Other Source Discussion

N/A

NIST 800-53 Control Ref.

NIST SP 800-53 Rev 4 MA-3

NIST 800-171 References

NIST SP 800-171 Rev 1 3.7.2

NIST CSF Control Reference

NIST CSF v1.2 PR.MA-1

CERT RMM Reference

CERT RMM v1.2 TM:SG5.SP2

Sub-Criteria

Assessment Sub-Criteria 1

MA.2.112.[a] tools used to conduct system maintenance are controlled;

Assessment Sub-Criteria 2

MA.2.112.[b] techniques used to conduct system maintenance are controlled;

Assessment Sub-Criteria 3

MA.2.112.[c] mechanisms used to conduct system maintenance are controlled; and

Assessment Sub-Criteria 4

MA.2.112.[d] personnel used to conduct system maintenance are controlled.
