
How to Meet NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - MA.L2-3.7.2

Practical guide for SMBs to implement NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - MA.L2-3.7.2

January 06, 2026

Requirement

NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - MA.L2-3.7.2 – Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.

Understanding the Requirement

This control requires that an organization define and enforce controls over the specific tools, techniques, mechanisms, and people permitted to perform system maintenance. This includes documenting approved maintenance tools and procedures, limiting who can run maintenance activities, and controlling the methods used so they cannot introduce malware or accidental damage. This control is part of NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 and is practical for SMBs: maintain a concise approved-tool list in your standard operating procedures (SOPs), require approvals for any new maintenance technique, and ensure only authorized personnel execute maintenance tasks.

Technical Implementation

  • Maintain an Approved Tools Inventory:

    Create and publish a single, versioned inventory of approved maintenance tools (name, vendor, version, purpose, allowed users). Store reference hashes or digital signatures where feasible so installers and scripts can be verified before use.

  • Formalize SOPs and an Approval Workflow:

    Document standard operating procedures that specify which tools and techniques are acceptable for each maintenance task (patching, driver updates, packet capture, backups). Implement a lightweight change/approval process (ticket-based) for introducing new tools or techniques; require manager or security approval before use in production.

  • Restrict Execution via Access Controls:

    Use role-based access control and least-privilege principles so only designated system/network admins can install or run approved maintenance tools. Where possible, require use of jump hosts, bastion accounts, or privileged access management (PAM) for elevated operations and avoid local admin use for routine maintenance.

  • Secure Distribution and Verification:

    Keep approved tool installers in an internal, integrity-checked repository (file server, package manager, or endpoint management system). Validate downloads with checksums or code-signing before deployment to endpoints to prevent supply-chain or tampering risks.
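The inventory described under "Maintain an Approved Tools Inventory" and the checksum validation described under "Secure Distribution and Verification" come together in one small check: before an installer from the repository is run, its SHA-256 is compared with the reference hash recorded in the versioned inventory, and the requester's role is compared with the tool's allowed roles. The following Python script is an added example and not code from the original article; the inventory layout, tool names, vendor, roles, file names and the installer bytes are all constructed for illustration, and the reference hashes are derived from those constructed bytes so the example runs offline (in practice the hash is recorded from the vendor's published checksum at approval time).

```python
"""Verify a maintenance tool installer against the approved-tools inventory.

Added example (not the original article's code). Inventory layout, tool
names, vendor, roles, file names and installer bytes are constructed.
"""
import hashlib
import json
from dataclasses import dataclass
from pathlib import Path
from typing import Optional

# Constructed byte strings standing in for real installer files.
SAMPLE_INSTALLERS = {
    "patchtool-2.4.1.msi": b"constructed installer bytes: PatchTool 2.4.1",
    "wireshark-x.y.z.exe": b"constructed installer bytes: Wireshark x.y.z",
}


def sha256_hex(data: bytes) -> str:
    """SHA-256 of installer content as lowercase hex, the form kept in the inventory."""
    return hashlib.sha256(data).hexdigest()


# The versioned inventory as it might be kept in the SOP repository (JSON).
# Reference hashes are derived from the constructed bytes above so the example
# runs offline; a real inventory records the vendor's published checksum.
INVENTORY_JSON = json.dumps({
    "inventory_version": "2026-01-06",
    "tools": [
        {"name": "PatchTool", "vendor": "ExampleVendor", "version": "2.4.1",
         "purpose": "patch management", "allowed_roles": ["sysadmin"],
         "file": "patchtool-2.4.1.msi",
         "sha256": sha256_hex(SAMPLE_INSTALLERS["patchtool-2.4.1.msi"])},
        {"name": "Wireshark", "vendor": "ExampleVendor", "version": "x.y.z",
         "purpose": "packet capture", "allowed_roles": ["sysadmin", "netadmin"],
         "file": "wireshark-x.y.z.exe",
         "sha256": sha256_hex(SAMPLE_INSTALLERS["wireshark-x.y.z.exe"])},
    ],
})


@dataclass
class VerificationResult:
    approved: bool
    reason: str
    tool: Optional[dict] = None


def load_inventory(text: str) -> dict:
    """Parse the inventory and index it by installer file name for direct lookup."""
    inv = json.loads(text)
    inv["by_file"] = {t["file"]: t for t in inv["tools"]}
    return inv


def verify_installer(filename: str, data: bytes, requester_role: str,
                     inventory: dict) -> VerificationResult:
    """Approve use only if the file is listed, its hash matches and the role is permitted."""
    version = inventory["inventory_version"]
    tool = inventory["by_file"].get(filename)
    if tool is None:
        return VerificationResult(
            False, f"{filename} is not on approved-tools inventory {version}")
    if sha256_hex(data) != tool["sha256"]:
        # A mismatch means the file is not the approved release: tampered,
        # corrupted, or a different version that has not been approved.
        return VerificationResult(
            False, "hash mismatch: installer differs from the approved release", tool)
    if requester_role not in tool["allowed_roles"]:
        return VerificationResult(
            False, f"role {requester_role!r} is not permitted to use {tool['name']}", tool)
    return VerificationResult(
        True, f"{tool['name']} {tool['version']} verified against inventory {version}", tool)


def verify_file(path: str, requester_role: str, inventory: dict) -> VerificationResult:
    """Convenience wrapper for an installer on disk (hashes the whole file)."""
    p = Path(path)
    return verify_installer(p.name, p.read_bytes(), requester_role, inventory)


if __name__ == "__main__":
    inv = load_inventory(INVENTORY_JSON)
    good = SAMPLE_INSTALLERS["patchtool-2.4.1.msi"]
    print(verify_installer("patchtool-2.4.1.msi", good, "sysadmin", inv).reason)
    print(verify_installer("patchtool-2.4.1.msi", good + b"\x00", "sysadmin", inv).reason)
    print(verify_installer("driverupdater-free.exe", b"anything", "sysadmin", inv).reason)
```

The check is deliberately an allow-list: anything not in the inventory, or any role not named for the tool, is refused, and the reason string names the inventory version so the decision can be recorded in the ticket.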

  • Logging, Monitoring, and Audit Trails:

    Require that maintenance activities be logged and linked to a ticket or change record. Enable endpoint and network logs to capture tool execution and significant commands; alert on execution of unapproved binaries or tools. Perform periodic audits comparing logs to the approved list.
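The periodic audit described above can be scripted: take the endpoint's process-creation events, keep the elevated executions, and compare each one with the approved-tools list, the list of authorized maintainers, and the open change records, reporting anything that has no approved tool, no authorized user, or no covering ticket. The following Python script is an added example and not code from the original article; the event format, host names, user names, executable names, and ticket ids are constructed, and a real deployment would read the events from the EDR or SIEM export and the tickets from the helpdesk system.

```python
"""Audit elevated process executions against the approved-tools list and
the change (ticket) records.

Added example (not the original article's code). Event format, hosts,
users, tool names and ticket ids are constructed for illustration.
"""
import json
from collections import Counter
from datetime import datetime
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# Executable names on the published approved-tools list (constructed).
APPROVED_EXECUTABLES = {"patchtool.exe", "wireshark.exe", "remotesupport.exe"}

# Personnel authorized to run maintenance tools (constructed).
AUTHORIZED_MAINTAINERS = {"adm.jane", "adm.luis"}

# Change records from the helpdesk (constructed): each ticket approves one
# tool on one host during one maintenance window.
TICKETS = [
    {"id": "IT-1042", "host": "srv-web-01", "tool": "patchtool.exe",
     "start": "2026-01-06T02:00:00", "end": "2026-01-06T04:00:00"},
    {"id": "IT-1043", "host": "srv-web-01", "tool": "wireshark.exe",
     "start": "2026-01-06T11:00:00", "end": "2026-01-06T12:00:00"},
]

# Constructed process-creation events, one JSON object per line, in the
# shape an EDR or Sysmon-style export might produce.
SAMPLE_EVENTS = r"""
{"ts": "2026-01-06T02:05:11", "host": "srv-web-01", "user": "adm.jane", "image": "C:\\Tools\\patchtool.exe", "elevated": true}
{"ts": "2026-01-06T09:00:42", "host": "lt-sales-07", "user": "bob.smith", "image": "C:\\Program Files\\Mail\\mailclient.exe", "elevated": false}
{"ts": "2026-01-06T10:15:09", "host": "lt-sales-07", "user": "bob.smith", "image": "C:\\Users\\bob.smith\\Downloads\\driverupdaterfree.exe", "elevated": true}
{"ts": "2026-01-06T11:20:03", "host": "srv-web-01", "user": "helpdesk.tom", "image": "C:\\Tools\\wireshark.exe", "elevated": true}
{"ts": "2026-01-06T14:30:55", "host": "srv-db-02", "user": "adm.jane", "image": "C:\\Tools\\patchtool.exe", "elevated": true}
"""


def parse_events(text: str) -> List[dict]:
    """Parse JSON lines into events with a datetime and a lowercase executable name."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["exe"] = PureWindowsPath(ev["image"]).name.lower()
        events.append(ev)
    return events


def covering_ticket(event: dict, tickets: List[dict]) -> Optional[str]:
    """Return the id of a ticket that approves this tool on this host at this time."""
    for t in tickets:
        if (t["host"] == event["host"] and t["tool"] == event["exe"]
                and datetime.fromisoformat(t["start"]) <= event["ts"]
                <= datetime.fromisoformat(t["end"])):
            return t["id"]
    return None


def audit_events(events: List[dict], approved=APPROVED_EXECUTABLES,
                 maintainers=AUTHORIZED_MAINTAINERS, tickets=TICKETS) -> List[dict]:
    """Return one finding per policy violation among the elevated executions."""
    findings = []
    for ev in events:
        if not ev["elevated"]:
            continue  # routine user-level activity is outside this audit's scope
        base = {"ts": ev["ts"].isoformat(), "host": ev["host"],
                "user": ev["user"], "exe": ev["exe"]}
        if ev["exe"] not in approved:
            # Unapproved binary run with elevation: the alert case in the text.
            findings.append({**base, "kind": "unapproved_tool"})
            continue
        if ev["user"] not in maintainers:
            findings.append({**base, "kind": "unauthorized_user"})
        if covering_ticket(ev, tickets) is None:
            findings.append({**base, "kind": "no_change_record"})
    return findings


def summarize(findings: List[dict]) -> Dict[str, int]:
    """Count findings by kind for the weekly review."""
    return dict(Counter(f["kind"] for f in findings))


if __name__ == "__main__":
    for f in audit_events(parse_events(SAMPLE_EVENTS)):
        print(f"{f['ts']} {f['host']:<12} {f['user']:<14} {f['exe']:<24} {f['kind']}")
    print(summarize(audit_events(parse_events(SAMPLE_EVENTS))))
```

Of the five constructed events, one is covered by a ticket and produces nothing, one is a non-elevated user process and is skipped, and the remaining three each yield a finding: the free driver updater on the laptop is an unapproved tool, the helpdesk user running the packet-capture tool is not an authorized maintainer, and the patch run on the database server has no matching change record.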

  • Third-Party and Personnel Controls:

    For contractors and vendors, require defined scopes, supervised access, and documented approvals. Maintain personnel records showing who is authorized for maintenance tasks and provide focused training on approved techniques and tool use.

Example in a Small or Medium Business

Acme Widgets is a 45-person company with a small IT team of two administrators and one security lead. The IT manager compiles an approved maintenance tools list and publishes it in the IT SOP, including tools for patch management, driver updates, packet capture (Wireshark), and remote support. All maintenance requests must be opened as tickets in their helpdesk system; the ticket must reference the approved tool and maintenance window. When a server patch is needed, the administrator selects the approved patching tool from the repository, verifies the installer checksum, documents the operation in the ticket, and schedules the update during a maintenance window. A contractor who needs access to perform specialized firmware updates is granted one-time elevated access via the PAM solution and is supervised by an internal admin. When the security lead reviews weekly logs, an alert shows an unapproved utility run on a laptop; investigation finds an employee used a free online driver updater. The employee is instructed to remove the tool, the admin reapplies any driver changes using the approved vendor tool, and the incident is added to training topics. Over time the combination of inventory, pre-approval, restricted access, logging, and follow-up training reduces incidents of unauthorized tool use and keeps maintenance activities auditable.

Summary

By combining a maintained inventory of approved maintenance tools, clear SOPs and approval workflows, restricted access and secure distribution, and logging plus periodic audits, SMBs can meet MA.L2-3.7.2. These policy and technical measures prevent unapproved or malicious tools and techniques from being used, ensure only authorized personnel perform maintenance, and create an auditable trail that demonstrates compliance and reduces operational risk.
