Welcome to our CMMC Level 2.0 Maintenance Guide, tailored to support DoD contractors and smaller companies in achieving CMMC Level 2 compliance. This guide provides essential insights and actionable steps on system maintenance, focusing on practical, clear guidance to help you fulfill CMMC Level 2 MA requirements.
We’ll walk you through each critical aspect, from system maintenance controls to personnel requirements, ensuring your organization can meet CMMC standards efficiently. Our goal is to make CMMC compliance simpler by emphasizing the importance of proactive maintenance in safeguarding your data and system integrity.
For personalized guidance, schedule a free consultation with one of our Experts. We’re dedicated to helping you navigate CMMC Level 2 compliance steps with ease and confidence.
MA.L2-3.7.1 – PERFORM MAINTENANCE
“Perform maintenance on organizational information systems.”
Level Of Effort: Medium
This control is about maintaining your I.T. systems so they stay secure and reliable. Maintenance covers fixing issues, preventing future problems, adjusting to changes, and making improvements, and it applies to every part of the system under CMMC Level 2.
Recommendations:
List everyone who works on your I.T. systems: Write down the names of your team and any companies that help with your I.T. Be specific and clear about who does what.
Explain how you'll do the maintenance: When maintenance is performed remotely, list the tools that are used, require Multi-Factor Authentication (MFA) to start the session, and set remote sessions to terminate automatically after a set idle time.
Keep track of all the fixing and updating: Use a ticketing system to note down every time someone works on your computers. It’s like keeping a diary of all the I.T. work.
Evidence:
Details in your System Security Plan (SSP): Update your SSP with the names of your maintenance crew and your plans for fixing and updating things.
Pictures of your security settings: Take screenshots of how you set up MFA and auto log-offs.
Records of maintenance work: Have a place where you write down all the I.T. work, usually through tickets.
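To show how the three recommendations above fit together, here is an added Python example (not the guide's own tooling) that reviews a ticketing-system export against an authorized-personnel list and the remote-session rules. The personnel names, the 15-minute idle limit, and the ticket records are constructed assumptions.

```python
"""Reconcile maintenance records against the authorized-personnel list and the
remote-maintenance rules (MFA required, session must be closed). The personnel
list, idle limit and ticket records below are constructed sample data."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed list of authorized maintenance personnel (placeholder names).
AUTHORIZED_MAINTAINERS = {
    "a.smith": "internal IT staff",
    "msp-tech-01": "Example MSP (hypothetical outside vendor)",
}

# Assumed auto-logoff setting for remote sessions.
MAX_IDLE = timedelta(minutes=15)


@dataclass
class MaintenanceRecord:
    ticket: Optional[str]          # ticket number, or None if work was not logged
    performer: str                 # who did the work
    remote: bool                   # performed over a remote connection?
    mfa_used: bool                 # remote session established with MFA?
    started: datetime
    ended: Optional[datetime]      # None means the session was never closed
    last_activity: Optional[datetime] = None


def review_record(rec: MaintenanceRecord) -> List[str]:
    """Return a list of findings; an empty list means the record is compliant."""
    findings = []
    if not rec.ticket:
        findings.append("no ticket: maintenance was not logged")
    if rec.performer not in AUTHORIZED_MAINTAINERS:
        findings.append(f"performer '{rec.performer}' is not on the authorized list")
    if rec.remote:
        if not rec.mfa_used:
            findings.append("remote session established without MFA")
        if rec.ended is None:
            findings.append("remote session was never terminated")
        elif rec.last_activity and rec.ended - rec.last_activity > MAX_IDLE:
            findings.append("remote session stayed open past the idle limit")
    return findings


def review_all(records: List[MaintenanceRecord]) -> Dict[str, List[str]]:
    """Map each record (by ticket, or a placeholder key) to its findings."""
    return {
        rec.ticket or f"<no-ticket:{rec.performer}>": review_record(rec)
        for rec in records
    }


# Constructed sample records, as exported from a ticketing system.
T = datetime(2024, 5, 6)
SAMPLE_RECORDS = [
    MaintenanceRecord("T-1001", "a.smith", False, False,
                      T.replace(hour=9), T.replace(hour=10)),
    MaintenanceRecord("T-1002", "msp-tech-01", True, True,
                      T.replace(hour=9), T.replace(hour=9, minute=30),
                      last_activity=T.replace(hour=9, minute=25)),
    MaintenanceRecord("T-1003", "msp-tech-01", True, False,
                      T.replace(hour=10), T.replace(hour=11),
                      last_activity=T.replace(hour=10, minute=10)),
    MaintenanceRecord(None, "unknown-vendor", False, False,
                      T.replace(hour=13), T.replace(hour=14)),
]

if __name__ == "__main__":
    for key, findings in review_all(SAMPLE_RECORDS).items():
        print(key, "OK" if not findings else "; ".join(findings))
```

Running the review over a real export gives you a list of tickets that need follow-up, and the clean entries are the records you can point an assessor to.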
MA.L2-3.7.2 – SYSTEM MAINTENANCE CONTROL
“Provide effective controls on the tools, techniques, mechanisms, and personnel used to conduct information system maintenance.”
MA.L2-3.7.3 – EQUIPMENT SANITIZATION
“Ensure equipment removed for off-site maintenance is sanitized of any CUI.”
Level Of Effort: Low
When you have to send out equipment like printers or scanners for repairs, it’s important to make sure there’s no sensitive information left on them. You need to remove all Controlled Unclassified Information (CUI) from these devices before they go anywhere.
Recommendations:
Wipe all sensitive data from equipment before sending it away: If a device that stores CUI, such as a printer, needs to be repaired or disposed of, make sure its hard drive is completely wiped of all sensitive data.
Look at MP.L1-3.8.3 – MEDIA DISPOSAL: This part of the guidelines tells you more about how to dispose of hard drives with CUI.
Evidence:
Make a note in your System Security Plan (SSP): Your SSP should explain how you make sure all CUI is removed from equipment before it's sent off.
Keep proof that you’ve cleaned the data: Save screenshots or records that show you’ve wiped the data from the equipment.
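An added Python example, not part of this guide, of one way to verify a zero-pattern wipe and produce the sanitization record you keep as proof. The asset tag, operator name, and the in-memory disk images are constructed.

```python
"""Check that a device's storage was actually overwritten before it leaves the
site, and build the record you keep as evidence. The 'disk images' below are
constructed byte strings standing in for a printer's hard drive."""
import hashlib
from datetime import datetime, timezone
from typing import Dict, List

SECTOR = 512


def residual_sectors(image: bytes, pattern: int = 0x00) -> List[int]:
    """Return the indices of sectors that still hold anything but the wipe pattern.

    Works for fixed-pattern overwrites (zeros, 0xFF). A random-pattern wipe
    needs a different check, e.g. confirming known file signatures are gone.
    """
    leftovers = []
    for index, offset in enumerate(range(0, len(image), SECTOR)):
        chunk = image[offset:offset + SECTOR]
        if chunk != bytes([pattern]) * len(chunk):
            leftovers.append(index)
    return leftovers


def sanitization_record(asset_tag: str, image: bytes, method: str,
                        operator: str, pattern: int = 0x00) -> Dict:
    """Build the evidence entry for the SSP / equipment log."""
    leftovers = residual_sectors(image, pattern)
    return {
        "asset_tag": asset_tag,
        "method": method,
        "operator": operator,
        "verified_at": datetime.now(timezone.utc).isoformat(),
        "sectors_checked": -(-len(image) // SECTOR),   # ceiling division
        "residual_sectors": leftovers,
        "image_sha256": hashlib.sha256(image).hexdigest(),
        "sanitized": not leftovers,
    }


# Constructed images (placeholder content, not real CUI).
CUI_IMAGE = b"CUI: contract drawing 42 (constructed)\n" * 64 + bytes(SECTOR * 10)
WIPED_IMAGE = bytes(len(CUI_IMAGE))
_partial = bytearray(WIPED_IMAGE)
_partial[3 * SECTOR:3 * SECTOR + 8] = b"leftover"     # one sector missed by the wipe
PARTIAL_IMAGE = bytes(_partial)

if __name__ == "__main__":
    for label, img in [("before", CUI_IMAGE), ("wiped", WIPED_IMAGE),
                       ("partial", PARTIAL_IMAGE)]:
        rec = sanitization_record("PRN-007", img, "single-pass zero overwrite", "a.smith")
        print(label, "sanitized" if rec["sanitized"] else f"residual {rec['residual_sectors']}")
```

In practice you read the image back from the device after the wipe; a non-empty `residual_sectors` list means the wipe has to be redone before the device leaves the building, and the record with an empty list is the evidence you file.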
MA.L2-3.7.4 – MEDIA INSPECTION
“Check media containing diagnostic and test programs for malicious code before the media are used in the information system.”
Level Of Effort: Low
To meet CMMC Level 2 standards, it's important to make sure that any media, like USB drives or files you download, are safe before you use them. This means checking them for any harmful software or viruses.
Recommendations:
Set up automatic scans: Configure your antivirus or EDR system to scan USB drives and downloads as soon as they are connected or saved. This proactive step boosts your overall security.
Don't skip the antivirus: Make it a standard part of every new computer setup. It's not just good practice; it's a key component of the CM.L2-3.4.1 SYSTEM BASELINING requirement.
Evidence:
Show that your antivirus is doing its job: Save screenshots of your antivirus or EDR settings. These pictures should show that it's set to scan items such as USB drives and downloads.
Use a vulnerability scanner to double-check: A scan report can confirm that antivirus is installed and configured correctly on each computer.
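Automatic scanning by your antivirus or EDR is the primary control. The Python below is an added example, not the guide's or any vendor's code, of the pre-use inspection an administrator could layer on top of it for vendor diagnostic media. The temporary directory stands in for the mounted drive, and the block list holds one hash computed from a constructed placeholder file, not real malware.

```python
"""Inspect removable media before it is used: hash every file, compare against a
block list, and flag launch/executable content. The temporary directory stands
in for a mounted vendor USB stick, and the one 'known-bad' hash is computed from
a constructed placeholder file, not from real malware."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Set, Tuple

# File types that should not be run from diagnostic media without review.
RISKY_SUFFIXES = {".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".jar", ".msi"}
LAUNCH_FILES = {"autorun.inf"}


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large media does not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def inspect_media(mount: Path, blocklist: Set[str]) -> Dict:
    """Return a report; 'approved' is True only when nothing was flagged."""
    findings: List[Tuple[str, str]] = []
    files = 0
    for path in sorted(p for p in mount.rglob("*") if p.is_file()):
        files += 1
        rel = path.relative_to(mount).as_posix()
        if sha256_file(path) in blocklist:
            findings.append((rel, "matches known-bad hash"))
        if path.name.lower() in LAUNCH_FILES:
            findings.append((rel, "launch configuration file"))
        if path.suffix.lower() in RISKY_SUFFIXES:
            findings.append((rel, "executable content on diagnostic media"))
    return {"files": files, "findings": findings, "approved": not findings}


def build_sample_media() -> Tuple[Path, Set[str]]:
    """Create a constructed stand-in for a vendor diagnostic USB stick."""
    root = Path(tempfile.mkdtemp(prefix="media-"))
    (root / "diag").mkdir()
    (root / "diag" / "readme.txt").write_text("vendor diagnostic notes (constructed)\n")
    (root / "diag" / "memtest.log").write_text("pass\n")
    placeholder = root / "diag" / "helper.exe"
    placeholder.write_bytes(b"CONSTRUCTED PLACEHOLDER, NOT MALWARE")
    (root / "autorun.inf").write_text("[autorun]\nlabel=Diagnostics\n")
    return root, {sha256_file(placeholder)}   # block list seeded from the placeholder

if __name__ == "__main__":
    mount, blocklist = build_sample_media()
    report = inspect_media(mount, blocklist)
    print("approved" if report["approved"] else "rejected", report["findings"])
```

The report is the record to attach to the ticket for the maintenance visit; a rejected drive goes back to the vendor, and an approved one has a file count and the hashes you can re-check later.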
MA.L2-3.7.5 – NONLOCAL MAINTENANCE
“Require multi-factor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.”
MA.L2-3.7.6 – MAINTENANCE PERSONNEL
“Supervise the maintenance activities of maintenance personnel without required access authorization.”
Level Of Effort: Low
It's key to make sure that anyone who works on your company's hardware or software but doesn't have the required access authorization is supervised closely. This helps keep your company's data safe and helps you comply with this control.
Recommendations:
List your regular maintenance people: Write down the names of people who fix things in your company. Check if they have access to your facility outside of regular hours. These workers fall under the normal visitor rules you'll have under Physical Protection (PE).
Extra care for new or unknown maintenance people: Anyone new or not on your regular list must follow your visitor policy. They should always have someone with them if they're near places with CUI.
Give temporary passes to maintenance people: If you can, only give out short-term access passes to maintenance workers. Make these passes last only as long as they need to do their jobs.
Evidence:
Your maintenance crew list: Keep a list of your regular maintenance workers.
Details in your SSP and Visitor Policy: Update your System Security Plan and Visitor Policy under PE.L1-3.10.3 – ESCORT VISITORS to show how you manage unknown maintenance personnel.
Proof of temporary access: Save screenshots of temporary, disabled, or time-restricted accounts you give to maintenance people.
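An added Python example (not from this guide) of the periodic review that backs up the temporary-access evidence: it checks that every maintenance account has an expiry, that the expiry does not outlast the scheduled visit, and that expired accounts are actually disabled. Account names, vendors, and dates are constructed, and the review date is fixed so the results are repeatable.

```python
"""Review the temporary accounts issued to maintenance workers: each should carry
an expiry, be limited to the scheduled maintenance window, and be disabled once
it expires. The accounts below are constructed records, not pulled from a real
directory; the review date is fixed so the results are repeatable."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional


@dataclass
class MaintAccount:
    username: str
    vendor: str
    enabled: bool
    created: datetime
    expires: Optional[datetime]     # None = no expiry set
    window_end: datetime            # end of the scheduled maintenance visit
    last_logon: Optional[datetime] = None


def review_account(acct: MaintAccount, now: datetime) -> List[str]:
    """Return findings for one account; an empty list means it is compliant."""
    findings = []
    if acct.expires is None:
        findings.append("no expiry set on maintenance account")
    else:
        if acct.expires > acct.window_end:
            findings.append("expiry extends beyond the scheduled maintenance window")
        if acct.enabled and acct.expires <= now:
            findings.append("expired account is still enabled")
    if acct.last_logon and acct.last_logon > acct.window_end:
        findings.append("logon recorded after the maintenance window ended")
    return findings


def review_accounts(accounts: List[MaintAccount], now: datetime) -> Dict[str, List[str]]:
    """Findings per account, keyed by username."""
    return {a.username: review_account(a, now) for a in accounts}


def summarize(accounts: List[MaintAccount], now: datetime) -> Dict[str, int]:
    """Counts to record alongside the screenshots kept as evidence."""
    results = review_accounts(accounts, now)
    return {
        "accounts": len(results),
        "compliant": sum(1 for f in results.values() if not f),
        "needs_action": sum(1 for f in results.values() if f),
    }


REVIEW_DATE = datetime(2024, 5, 20, 12, 0)   # fixed review time (constructed)
SAMPLE_ACCOUNTS = [
    MaintAccount("vend-hvac-01", "HVAC Co (placeholder)", False,
                 datetime(2024, 5, 1, 8), datetime(2024, 5, 1, 17),
                 datetime(2024, 5, 1, 17), datetime(2024, 5, 1, 10)),
    MaintAccount("vend-copier-02", "Copier Co (placeholder)", True,
                 datetime(2024, 5, 10, 8), None,
                 datetime(2024, 5, 10, 17), datetime(2024, 5, 10, 9)),
    MaintAccount("vend-ups-03", "UPS Co (placeholder)", True,
                 datetime(2024, 5, 15, 8), datetime(2024, 5, 30, 17),
                 datetime(2024, 5, 15, 17), datetime(2024, 5, 18, 9)),
    MaintAccount("vend-net-04", "Network Co (placeholder)", True,
                 datetime(2024, 5, 12, 8), datetime(2024, 5, 12, 17),
                 datetime(2024, 5, 12, 17), datetime(2024, 5, 12, 11)),
]

if __name__ == "__main__":
    for user, findings in review_accounts(SAMPLE_ACCOUNTS, REVIEW_DATE).items():
        print(user, "OK" if not findings else "; ".join(findings))
    print(summarize(SAMPLE_ACCOUNTS, REVIEW_DATE))
```

Feed it the account export from your directory each time a maintenance visit ends; the accounts with findings are the ones to disable or fix, and the summary counts go next to the screenshots in your evidence folder.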