Requirement
NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - MA.L2-3.7.1 – Perform maintenance on organizational systems
Understanding the Requirement
This control requires that an organization performs and documents maintenance on its systems, covering corrective, preventative, adaptive, and perfective activities so systems remain available and functional. Under the NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 framework this means following manufacturer recommendations, approving maintenance actions, and keeping records that show maintenance was performed and authorized. In practice, the control ensures you repair broken equipment, replace aging parts before failure, adapt systems to environmental changes, and make performance improvements while tracking all work.
Technical Implementation
- Create and maintain an asset and maintenance register. Track hardware, firmware, model, purchase date, warranty/contract status, and last maintenance date in a simple CMDB or spreadsheet. Include expected end-of-life and recommended maintenance intervals from the manufacturer so you can plan preventative replacements (for example, hard drives and cooling components).
- Implement a standardized maintenance workflow and approval process. Use your ticketing system to require a maintenance request, manager or information security approval for non-routine changes, and sign-off after completion. Define roles: who can authorize emergency corrective maintenance, who schedules preventative work, and who documents outcomes.
- Schedule and enforce preventative maintenance windows. For servers, networking gear, and critical endpoints, define regular maintenance windows (monthly, quarterly, or as vendor guidance dictates). Include firmware updates, cleaning, thermal checks, battery health checks, and component swaps. Communicate windows to impacted users and perform backups before risky operations.
- Test and document firmware and hardware updates before deployment. Maintain a small staging environment or test machine to evaluate firmware updates and hardware changes for compatibility and performance impacts. Record test results, known issues, and rollback plans in the maintenance ticket so you can reproduce safe procedures for production systems.
- Use preventive controls and environmental monitoring for adaptive maintenance. Monitor server room temperature, humidity, power quality, and UPS status; set alerts and automate actions where possible. When environmental metrics drift, schedule adaptive maintenance such as HVAC adjustments, additional cooling, or rack reorganization to prevent hardware degradation.
- Keep maintenance records and retention policies. Store tickets, change approvals, test results, parts replaced, and vendor service reports for a defined retention period (e.g., 2–3 years or per contractual requirements). These records support audits, incident response, and warranty claims.
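The register and ticketing steps above can be modelled with a few lines of code. The following Python script is an added illustration, not part of this control text or any product: it holds a constructed asset register, flags assets whose preventative maintenance is overdue, whose warranty has lapsed, or whose end-of-life is near, and refuses to close a maintenance ticket that lacks an approval, a recorded backup, or test results. The asset identifiers, dates, thresholds (a 90-day end-of-life warning) and ticket fields are assumptions chosen for the example.

```python
"""Constructed example of a maintenance register with approval checks.

Not from the control text; asset IDs, dates and field names are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

# The four maintenance categories named by the control.
KINDS = {"corrective", "preventative", "adaptive", "perfective"}


@dataclass
class Asset:
    asset_id: str
    model: str
    purchased: date
    warranty_end: date | None
    end_of_life: date
    interval_days: int                  # manufacturer-recommended interval
    last_maintenance: date | None = None

    def next_due(self) -> date:
        # Count the interval from the last service, or from purchase if none.
        base = self.last_maintenance or self.purchased
        return base + timedelta(days=self.interval_days)


def review_asset(asset: Asset, today: date, eol_warning_days: int = 90) -> list[str]:
    """Return the reasons an asset needs attention (empty list if none)."""
    findings = []
    if asset.next_due() <= today:
        findings.append("preventative maintenance overdue")
    if asset.warranty_end is not None and asset.warranty_end < today:
        findings.append("out of warranty")
    if asset.end_of_life - today <= timedelta(days=eol_warning_days):
        findings.append(f"end of life within {eol_warning_days} days")
    return findings


def plan_maintenance(register: list[Asset], today: date) -> dict[str, list[str]]:
    """Map asset_id -> findings for every asset that needs work."""
    return {a.asset_id: f for a in register if (f := review_asset(a, today))}


@dataclass
class MaintenanceTicket:
    ticket_id: str
    asset_id: str
    kind: str
    requested_by: str
    approved_by: str | None = None
    backup_recorded: bool = False       # backup documented before risky work
    parts_replaced: list[str] = field(default_factory=list)
    test_results: str = ""
    completed_on: date | None = None


def closure_problems(ticket: MaintenanceTicket) -> list[str]:
    """Everything that must be on record before a ticket may be closed."""
    problems = []
    if ticket.kind not in KINDS:
        problems.append(f"unknown maintenance kind {ticket.kind!r}")
    if not ticket.approved_by:
        problems.append("no approval recorded")
    elif ticket.approved_by == ticket.requested_by:
        problems.append("requester approved own work")
    if not ticket.backup_recorded:
        problems.append("no backup recorded before work")
    if not ticket.test_results:
        problems.append("no test results recorded")
    if ticket.completed_on is None:
        problems.append("no completion date")
    return problems


def close_ticket(ticket: MaintenanceTicket, asset: Asset) -> bool:
    """Close the ticket and update the asset record, or refuse if incomplete."""
    if closure_problems(ticket):
        return False
    asset.last_maintenance = ticket.completed_on
    return True


# Constructed sample register; all values are illustrative.
TODAY = date(2024, 6, 1)
REGISTER = [
    Asset("LT-0042", "Laptop model X", date(2021, 3, 15), date(2022, 3, 15),
          date(2026, 3, 15), interval_days=730),
    Asset("SRV-01", "Rack server", date(2023, 1, 10), date(2026, 1, 10),
          date(2028, 1, 10), interval_days=90, last_maintenance=date(2024, 4, 15)),
    Asset("UPS-02", "Rack UPS", date(2019, 8, 1), None,
          date(2024, 8, 1), interval_days=365, last_maintenance=date(2023, 9, 1)),
]

# Constructed ticket mirroring the overheating-laptop scenario.
TICKET = MaintenanceTicket(
    "T-1001", "LT-0042", "preventative", requested_by="helpdesk",
    approved_by="it.manager", backup_recorded=True,
    parts_replaced=["fan", "thermal paste"],
    test_results="30 min stress test, CPU peak 78C", completed_on=date(2024, 6, 3),
)

if __name__ == "__main__":
    for asset_id, findings in plan_maintenance(REGISTER, TODAY).items():
        print(asset_id, "->", "; ".join(findings))
    print("closed:", close_ticket(TICKET, REGISTER[0]))
```

Running the script lists LT-0042 (overdue and out of warranty) and UPS-02 (end of life within 90 days) while leaving SRV-01 alone, then closes the laptop ticket and stamps the asset's last maintenance date, which is the audit trail the control asks for.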
Example in a Small or Medium Business
At a 60-person engineering firm, an employee reports their laptop is overheating and the fan runs constantly. The helpdesk opens a maintenance ticket and assigns it to a systems administrator. The admin inspects the asset record and sees the laptop is three years old and out of warranty; manufacturer guidance suggests cleaning the cooling assembly and replacing thermal paste after two years. The admin requests approval from the IT manager for preventative maintenance and, if needed, a replacement. Before any work, the admin backs up the user's profile and critical project files to the company backup system and documents the backup in the ticket. The admin performs preventative maintenance: cleans dust from vents, replaces the fan and thermal paste, and runs stress tests to verify temperatures are within the acceptable range. The ticket is updated with parts used, time taken, and test results; the asset record is updated with the maintenance date and next recommended check. The IT manager reviews and approves the ticket closure, and the user confirms normal operation the next day. The firm retains the maintenance record for two years and adjusts its preventative schedule for similar models based on this experience.
Summary
By combining a clear maintenance policy, an asset register, an approval and ticketing workflow, scheduled preventative work, test staging for updates, and documented records, SMBs can meet MA.L2-3.7.1. These measures ensure corrective, preventative, adaptive, and perfective maintenance is performed in line with manufacturer guidance, risks are reduced through backups and testing, and auditors or customers can verify maintenance actions through retained documentation.