Meeting MA.L2-3.7.2 under NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 means you must formalize maintenance-related policies and procedures and collect verifiable evidence that maintenance activities affecting Controlled Unclassified Information (CUI) are authorized, documented, and auditable. This post walks you through a pragmatic, audit-ready approach tailored for small businesses operating under this framework.
Why a written policy + procedural program matters (and the risk of not doing it)
Policies give your organization the "what" and "why" while procedures give the "how" — both are required to demonstrate consistent, repeatable maintenance practices. Without them, maintenance work can introduce unauthorized changes, create windows for data exfiltration, break CUI protections, cause downtime, and lead to failed audits, lost contracts, or suspension from DoD programs. For a small business, one untracked remote maintenance session by a vendor can turn into a non-compliance incident with financial and reputational impact.
Core components of an audit-ready MA.L2-3.7.2 program
At minimum, create (1) a Maintenance Policy that defines scope, roles, responsibilities, acceptable maintenance types (routine, emergency, remote, on-site), authorization requirements, retention periods, and escalation paths; (2) Procedures and Standard Operating Procedures (SOPs) for each maintenance type and asset class; and (3) an Evidence Collection Matrix that maps artifacts to control objectives. Include control owner designation, review cycles (annual or upon significant change), and integration points to Configuration Management (CM), Identity and Access Management (IAM), and Audit (AU) controls.
Practical procedure examples and technical implementation
For remote vendor maintenance, your SOP should require: a pre-approved change ticket with CUI impact analysis, time-limited VPN access via a bastion host, multifactor authentication (MFA) tied to vendor identity, session recording (SSH/RDP/video) stored in immutable storage (WORM or S3 Object Lock) for the retention period, and an after-action report with sign-off. Implement these in practice with a ticketing system (Jira/ServiceNow) that enforces required fields, automatic ticket-to-access mapping, and APIs to trigger temporary cloud IAM roles (AWS STS, Azure AD PIM). For on-site maintenance, require an escort, sign-in/out logs, photo ID capture, and a signed maintenance checklist uploaded to the ticket.
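The authorization gate that the remote-maintenance SOP above describes can be expressed as a small piece of code, which is how a ticketing integration would enforce it. The following is an added example written for this post, not code from any ticketing product or cloud provider: it checks that a change ticket carries every required field (including the CUI impact analysis and an approver who is not the vendor), that the requester matches the vendor identity on the ticket, and that the request falls inside the approved window, and it returns the window end as the expiry for any short-lived credential issued from it. The field names, the four-hour window limit and all ticket values are assumptions constructed for the example.

```python
"""Maintenance-ticket authorization gate (added example, not from the post).

Models the SOP for remote vendor maintenance: a session may only be opened
when a change ticket exists, carries every required field (including a CUI
impact analysis and an approver), and the request falls inside the approved
maintenance window. All ticket data is constructed sample data; the field
names are assumptions, not the schema of Jira, ServiceNow or any real tool.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

REQUIRED_FIELDS = ("ticket_id", "approver", "vendor_identity",
                   "cui_impact", "window_start", "window_end", "description")
MAX_WINDOW = timedelta(hours=4)  # assumed policy limit for one session grant


@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)
    expires_at: Optional[datetime] = None  # credential lifetime = window end


def validate_ticket(ticket: dict) -> List[str]:
    """Return a list of policy violations; an empty list means the ticket is complete."""
    problems = [f"missing field: {f}" for f in REQUIRED_FIELDS if not ticket.get(f)]
    if problems:
        return problems
    if ticket["approver"] == ticket["vendor_identity"]:
        problems.append("approver must not be the vendor performing the work")
    if ticket["window_end"] <= ticket["window_start"]:
        problems.append("maintenance window end precedes start")
    elif ticket["window_end"] - ticket["window_start"] > MAX_WINDOW:
        problems.append("maintenance window exceeds policy maximum")
    return problems


def authorize_session(ticket: dict, requester: str, now: datetime) -> Decision:
    """Decide whether `requester` may open a session under `ticket` at time `now`.

    A granted session expires at the end of the approved window, so any
    credential minted from this decision is time-limited by construction.
    """
    reasons = validate_ticket(ticket)
    if reasons:
        return Decision(False, reasons)
    if requester != ticket["vendor_identity"]:
        reasons.append("requester does not match the vendor identity on the ticket")
    if not (ticket["window_start"] <= now <= ticket["window_end"]):
        reasons.append("request is outside the approved maintenance window")
    if reasons:
        return Decision(False, reasons)
    return Decision(True, [], expires_at=ticket["window_end"])


# Constructed sample ticket: a two-hour remote window approved by an internal owner.
T0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
IN_WINDOW = T0 + timedelta(minutes=30)
AFTER_WINDOW = T0 + timedelta(hours=3)
SAMPLE_TICKET = {
    "ticket_id": "MAINT-1042",  # constructed value
    "approver": "control.owner@example.invalid",
    "vendor_identity": "tech@vendor.example.invalid",
    "cui_impact": "Read access to file server FS01 hosting CUI; no data export permitted",
    "window_start": T0,
    "window_end": T0 + timedelta(hours=2),
    "description": "Apply firmware update to storage controller",
}

if __name__ == "__main__":
    print("in-window request:", authorize_session(SAMPLE_TICKET, "tech@vendor.example.invalid", IN_WINDOW))
    print("late request:     ", authorize_session(SAMPLE_TICKET, "tech@vendor.example.invalid", AFTER_WINDOW))
```

In a real deployment the `Decision.expires_at` value is what you would pass as the session duration when requesting temporary credentials, so the credential cannot outlive the approved window even if nobody remembers to revoke it; the denial reasons are worth writing to the ticket itself, since a refused request is evidence too.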
Evidence types and how to collect/retain them
Design an Evidence Collection Matrix that lists artifact types, minimum fields, retention, and storage location. Typical artifacts: change tickets (ID, approver, start/end time, description), access logs (user, IP, start/end, session ID), session recordings (hashed and timestamped), asset state snapshots (before/after config exports), signed maintenance checklists, vendor contracts/SOOs, training records for maintenance personnel, and monitoring alerts triggered during maintenance. Store logs centrally in a SIEM (e.g., Splunk, Elastic, Sumo Logic) with NTP-synced timestamps, use SHA-256 hashes for recording integrity, and retain artifacts according to contract or DFARS guidance (commonly 3+ years) in immutable storage to satisfy auditors.
Small business scenario: turnkey implementation with minimal overhead
A small subcontractor can implement a compliant program within typical resource constraints by using existing tools: configure a shared Jira project for all maintenance tickets, require a "CUI Impact" custom field, use a cloud IAM service to issue short-lived credentials tied to ticket IDs, enable session recording through a managed bastion (e.g., Teleport, AWS Session Manager) and push recordings to an encrypted S3 bucket with object lock. For on-prem assets, use a USB-cloneable maintenance checklist and scan completed forms into the ticket. Assign a single control owner responsible for quarterly evidence samplings and upload a zip of representative artifacts to a secure evidence library for audits.
Compliance tips and best practices
Keep policies concise and enforceable: a one-page policy backed by detailed SOPs reduces confusion. Automate evidence generation and linking wherever possible—manual evidence collection increases human error and audit friction. Use unique ticket IDs or change IDs as your single source of truth to link logs, recordings, and approvals. Implement least privilege for maintenance accounts and require just-in-time (JIT) access to reduce standing privileges. Validate log integrity via hash chains and time synchronization (NTP/PTP). Finally, conduct quarterly internal audits and a tabletop exercise simulating an emergency maintenance approval to test the program and capture any gaps in evidence collection.
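The two ideas above, using the ticket ID as the single source of truth that links every artifact and validating log integrity with hash chains, fit together in one evidence manifest. The example below is added for this post and is not code from any SIEM or evidence-library product: each artifact is hashed with SHA-256 and appended to a manifest entry keyed by the ticket ID, every entry's chain value covers the previous entry's chain value, and a verifier recomputes both so that an edited artifact, an edited manifest entry, or a removed entry is reported by position. The manifest layout, file names and artifact contents are all constructed assumptions of the example.

```python
"""Evidence manifest with a SHA-256 hash chain (added example, not from the post).

Each maintenance artifact (ticket export, access log, session recording,
config snapshot) is hashed with SHA-256 and appended to a manifest keyed by
the change ticket ID. Every entry's chain hash covers the previous chain
hash, so altering or removing an earlier artifact invalidates all later
links. Artifact contents are constructed byte strings standing in for real
files; the manifest layout is an assumption of this example.
"""
import hashlib
import json
from typing import Dict, List, Tuple

GENESIS = "0" * 64  # chain anchor for the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def chain_hash(prev_chain: str, entry: Dict) -> str:
    """Hash the previous chain value together with the entry's canonical JSON
    (sorted keys, no whitespace), excluding the chain field itself."""
    body = {k: v for k, v in entry.items() if k != "chain"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return sha256_hex(prev_chain.encode() + canonical)


def add_artifact(manifest: List[Dict], ticket_id: str, kind: str,
                 name: str, content: bytes, collected_at: str) -> Dict:
    """Append one artifact to the manifest and return the new entry."""
    prev = manifest[-1]["chain"] if manifest else GENESIS
    entry = {
        "seq": len(manifest),
        "ticket_id": ticket_id,
        "kind": kind,
        "name": name,
        "sha256": sha256_hex(content),
        "collected_at": collected_at,  # NTP-synced timestamp, ISO 8601
    }
    entry["chain"] = chain_hash(prev, entry)
    manifest.append(entry)
    return entry


def verify_manifest(manifest: List[Dict], store: Dict[str, bytes]) -> Tuple[bool, List[str]]:
    """Recompute every artifact hash from `store` and every chain link.

    Returns (ok, problems) so an auditor sees exactly which entry failed.
    """
    problems: List[str] = []
    prev = GENESIS
    for i, entry in enumerate(manifest):
        if entry["seq"] != i:
            problems.append(f"entry {i}: sequence gap (found seq {entry['seq']})")
        content = store.get(entry["name"])
        if content is None:
            problems.append(f"entry {i}: artifact {entry['name']} missing from store")
        elif sha256_hex(content) != entry["sha256"]:
            problems.append(f"entry {i}: artifact {entry['name']} content hash mismatch")
        if chain_hash(prev, entry) != entry["chain"]:
            problems.append(f"entry {i}: chain link broken")
        prev = entry["chain"]
    return (not problems, problems)


def artifacts_for_ticket(manifest: List[Dict], ticket_id: str) -> List[Dict]:
    """Pull every artifact linked to one change ticket (the single source of truth)."""
    return [e for e in manifest if e["ticket_id"] == ticket_id]


# Constructed sample evidence for one maintenance ticket (not real files).
STORE = {
    "MAINT-1042-ticket.json": b'{"id":"MAINT-1042","approver":"control.owner","cui_impact":"read-only"}',
    "MAINT-1042-access.log": b"2024-03-01T09:02:11Z vendor-tech 203.0.113.7 session=abc123 start\n",
    "MAINT-1042-session.cast": b"<constructed bytes standing in for an SSH session recording>",
    "MAINT-1042-fs01-after.cfg": b"hostname fs01\nfirmware 4.2.1\n",
}


def build_sample_manifest() -> List[Dict]:
    m: List[Dict] = []
    add_artifact(m, "MAINT-1042", "ticket", "MAINT-1042-ticket.json",
                 STORE["MAINT-1042-ticket.json"], "2024-03-01T08:55:00Z")
    add_artifact(m, "MAINT-1042", "access_log", "MAINT-1042-access.log",
                 STORE["MAINT-1042-access.log"], "2024-03-01T11:05:00Z")
    add_artifact(m, "MAINT-1042", "session_recording", "MAINT-1042-session.cast",
                 STORE["MAINT-1042-session.cast"], "2024-03-01T11:05:30Z")
    add_artifact(m, "MAINT-1042", "config_snapshot", "MAINT-1042-fs01-after.cfg",
                 STORE["MAINT-1042-fs01-after.cfg"], "2024-03-01T11:06:00Z")
    return m


if __name__ == "__main__":
    manifest = build_sample_manifest()
    print("clean:", verify_manifest(manifest, STORE))
    tampered = dict(STORE, **{"MAINT-1042-access.log": b"altered after the fact\n"})
    print("tampered artifact:", verify_manifest(manifest, tampered))
```

The chain only proves that nothing before the last entry was altered; someone with write access to the manifest could still rewrite the final entry and recompute its link, which is why the final chain value (or the whole manifest) belongs in the immutable object-lock storage the post recommends, where it can be compared against the live copy at each quarterly sampling.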
Practical checklist to get to audit-ready (actionable steps)
1) Inventory assets containing or processing CUI and classify maintenance risk per asset.
2) Draft a one-page Maintenance Policy and detailed SOP templates (remote, on-site, emergency).
3) Configure ticketing to enforce required fields and auto-generate short-lived credentials for maintenance windows.
4) Enable session recording and centralize logs in a SIEM with immutable backups.
5) Create an Evidence Collection Matrix mapping artifacts to MA.L2-3.7.2 and other related controls.
6) Train staff and vendors and collect signed acknowledgements.
7) Run a mock audit to export a representative evidence package and adjust retention/formatting to auditor expectations.
In summary, fulfilling MA.L2-3.7.2 is about combining clear, enforceable written guidance with automated, verifiable evidence collection: write focused policies, build asset-specific SOPs, automate ticketing and temporary access, capture and protect session and access logs, and maintain an evidence library that maps directly to the control. These measures minimize risk, streamline audits, and make compliance a repeatable part of your operational workflow rather than a reactive scramble.