CMMC Practice MA.2.111
Perform maintenance on organizational systems.
Bold Coast Security Guidance
Level 1 compliance is about doing the basics with system maintenance. Level 2 means you have a policy requiring regular maintenance to IT systems in your environment. This includes physical and logical maintenance to keep systems running smoothly and at the level of performance expected. Following manufacturers guidance is the best way to create practices, and then require those practices in your policy statements. At Level 3 you have a security plan noting how you track your activities, and who is responsible for that.
DRAFT NIST SP 800-171 R2
This requirement addresses the information security aspects of the system maintenance program and applies to all types of maintenance to any system component (including hardware, firmware, applications) conducted by any local or non-local entity. System maintenance also includes those components not directly associated with information processing and data or information retention such as scanners, copiers, and printers.