CMMC Practice MA.2.112

Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.

Source

CMMC Version 1.02, pg. 167

Bold Coast Security Guidance

Level 1 compliance is to practice care and consistency with how equipment is maintained. For Level 2 compliance you must have a written policy that requires specific tools, methods, and defined staff or vendors who are authorized to perform that maintenance.

Discussion From Source

DRAFT NIST SP 800-171 R2 This requirement addresses security -related issues with maintenance tools that are not within the organizational system boundaries that process, store, or transmit CUI, but are used specifically for diagnostic and repair actions on those systems. Organizations have flexibility in determining the controls in place for maintenance tools, but can include approving, controlling, and monitoring the use of such tools. Maintenance tools are potential vehicles for transporting malicious code, either intentionally or unintentionally, into a facility and into organizational systems. Maintenance tools can include hardware, software, and firmware items, for example, hardware and software diagnostic test equipment and hardware and software packet sniffers.

References