CMMC Practice MA.2.112
Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.
Bold Coast Security Guidance
Level 1 compliance is to practice care and consistency with how equipment is maintained. For Level 2 compliance you must have a written policy that requires specific tools, methods, and defined staff or vendors who are authorized to perform that maintenance.
DRAFT NIST SP 800-171 R2
This requirement addresses security -related issues with maintenance tools that are not within the organizational system boundaries that process, store, or transmit CUI, but are used specifically for diagnostic and repair actions on those systems. Organizations have flexibility in determining the controls in place for maintenance tools, but can include approving, controlling, and monitoring the use of such tools. Maintenance tools are potential vehicles for transporting malicious code, either intentionally or unintentionally, into a facility and into organizational systems. Maintenance tools can include hardware, software, and firmware items, for example, hardware and software diagnostic test equipment and hardware and software packet sniffers.