MA.L2-3.7.1 requires organizations to perform, authorize, and document maintenance on organizational systems while protecting controlled unclassified information (CUI) — preparing for an audit means proving you scheduled and controlled maintenance activities, restricted maintenance personnel access, recorded actions, and monitored results in line with the Compliance Framework expectations for NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2.
Understanding the control and audit expectations
Auditors will look for demonstrable policies and operational evidence that maintenance is planned, authorized, and executed in a way that preserves confidentiality, integrity, and availability of CUI and related systems. Specifically, they expect: a formal maintenance policy and procedures; an inventory of systems subject to maintenance; authorization records for maintenance tasks (who approved what and when); evidence of controls used during maintenance (remote access controls, monitoring, least privilege); and logs or records showing the maintenance actions and outcomes. For small businesses, showing this in an organized, repeatable way is as important as the technical controls themselves.
Practical implementation steps for Compliance Framework alignment
Policy, process, and inventory
Start with a short, clear MA policy that maps to MA.L2-3.7.1: define roles (system owner, approver, maintainer), maintenance windows, approval workflow, and emergency maintenance exceptions. Maintain an asset inventory (CMDB) that tags systems that process or store CUI. In the inventory include make/model, OS, owner, maintenance SLA, vendor contacts, and whether remote vendor access is allowed. This establishes the baseline auditors expect to see.
Technical and operational controls
Technically enforce maintenance controls using: privileged access management (PAM) or temporary Just-In-Time (JIT) access provisioning; multi-factor authentication (MFA) for all remote maintenance sessions; use of a bastion/jump host for administrative sessions; session recording and logging (SSH session logs, RDP session recording, syslog forwarding to a SIEM); and network segmentation to isolate systems undergoing maintenance. For patching and firmware updates, use automated patch management with pre- and post-maintenance checks (snapshots, backups, file integrity checksums). Require that vendors use designated jump hosts or VPNs with limited-scoped accounts rather than direct local accounts.
Real-world examples and small business scenarios
Example 1 — Managed Service Provider performing server patching: The MSP requests maintenance via the company’s ticket system. The system owner approves the window; the MSP is granted a JIT account in the PAM for two hours with MFA and session recording. The maintenance session is routed through a bastion host and recorded to the SIEM. After completion, the ticket includes the patch list, timestamps, checksums, and a rollback plan outcome. Audit evidence: ticket, PAM session logs, patch management report, backups, and change approval.
Example 2 — Onsite laptop repair that might access CUI: A small business requires repair shops to sign an NDA (non-disclosure agreement), provide employee IDs, and use an isolated repair VLAN with no access to internal file servers. The repair event is logged, an asset tag is recorded, and the laptop is restored from a verified image under supervision. Audit evidence: signed vendor agreement, logged repair entry, VLAN access records, imaging checksum records, and supervisor sign-off.
Evidence to collect for an audit
Practical artifacts auditors expect include: maintenance policy and SOP; CMDB entries showing maintenance applicability; approved maintenance requests/tickets (with approver and scheduled window); vendor access agreements and attestations; PAM/JIT access records and MFA logs; session recordings and syslog/SIEM entries showing commands and timestamps; pre/post-maintenance backup and integrity verification reports; change control entries and rollback validation; and any risk acceptance or POA&M entries for exceptions. Catalog these artifacts in a single audit folder (electronic) with cross-references to related policies.
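The end-to-end trace described in Example 1 and in the evidence list above (ticket, PAM/JIT grant, session log) can be checked mechanically rather than by eye. The following is an added example, not code from the original article or from any ticketing, PAM or SIEM product: it takes a constructed approval export and constructed PAM session log lines (the key=value line format, the ticket IDs, host names, account names and the bastion name are all assumptions) and reports every opened session that lacks a ticket reference, uses an account or host other than the approved one, falls outside the approved window, bypasses the bastion, or was not MFA-verified. Each finding is the kind of discrepancy an auditor would raise against MA.L2-3.7.1.

```python
from datetime import datetime, timezone

# Constructed sample data standing in for a ticketing-system export (approved
# maintenance requests) and for PAM session events forwarded to a SIEM.
APPROVALS = [
    {
        "ticket": "CHG-1042",
        "asset": "srv-fileshare-01",
        "account": "jit-msp-1042",
        "approver": "owner@example.com",
        "start": "2024-05-02T20:00:00Z",
        "end": "2024-05-02T22:00:00Z",
    },
]

# Assumed log format: ISO-8601 UTC timestamp, a source tag, then key=value fields.
SESSIONS = [
    "2024-05-02T20:05:13Z pam session=open user=jit-msp-1042 host=srv-fileshare-01 via=bastion-01 mfa=ok ticket=CHG-1042",
    "2024-05-02T21:40:02Z pam session=close user=jit-msp-1042 host=srv-fileshare-01 via=bastion-01 ticket=CHG-1042",
    "2024-05-02T23:10:44Z pam session=open user=jit-msp-1042 host=srv-fileshare-01 via=bastion-01 mfa=ok ticket=CHG-1042",
    "2024-05-03T01:02:00Z pam session=open user=vendor-local host=srv-fileshare-01 via=direct mfa=none",
]

BASTION_PREFIX = "bastion-"  # assumed naming convention for approved jump hosts


def parse_ts(value):
    """Parse the assumed 'YYYY-MM-DDTHH:MM:SSZ' timestamp into an aware UTC datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_event(line):
    """Split one log line into a dict; tokens without '=' (the source tag) are ignored."""
    ts, *tokens = line.split()
    event = {"ts": parse_ts(ts)}
    for token in tokens:
        if "=" in token:
            key, value = token.split("=", 1)
            event[key] = value
    return event


def audit_sessions(lines, approvals):
    """Return one finding per opened session that does not match an approved request."""
    by_ticket = {a["ticket"]: a for a in approvals}
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("session") != "open":
            continue  # only session openings need authorization checks
        reasons = []
        ticket = ev.get("ticket")
        if ticket is None:
            reasons.append("no ticket reference")
        elif ticket not in by_ticket:
            reasons.append("unknown ticket")
        else:
            approval = by_ticket[ticket]
            if ev.get("user") != approval["account"]:
                reasons.append("account not the approved JIT account")
            if ev.get("host") != approval["asset"]:
                reasons.append("host not the approved asset")
            if not parse_ts(approval["start"]) <= ev["ts"] <= parse_ts(approval["end"]):
                reasons.append("outside approved window")
        if not ev.get("via", "").startswith(BASTION_PREFIX):
            reasons.append("not via bastion")
        if ev.get("mfa") != "ok":
            reasons.append("mfa not verified")
        if reasons:
            findings.append({"ts": ev["ts"].isoformat(), "user": ev.get("user"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_sessions(SESSIONS, APPROVALS):
        print(f["ts"], f["user"], "; ".join(f["reasons"]))
```

The two sessions flagged on the constructed data are the re-opened JIT session after the approved window closed and the direct, unticketed, non-MFA local login; the in-window bastion session passes. In practice the approvals list would be pulled from the ticketing system and the lines from the SIEM, and the output attached to the audit folder as the cross-reference between ticket and session evidence.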
Compliance tips, best practices, and technical specifics
Tips: (1) Automate evidence collection—integrate ticketing, PAM, SIEM, and patch management so auditors can trace an event end-to-end. (2) Use templates for maintenance requests that capture required fields (asset ID, owner, CUI impact, approver, rollback steps). (3) Limit vendor access via short-lived credentials and enforce client-side protections (bastion, logging). (4) Record a maintenance checklist that includes integrity checks (SHA256 hashes), backup verification, and post-maintenance functional tests. Technical best practices include enabling immutable logs for a retention period consistent with your compliance posture, time-synchronizing devices via NTP, and hashing critical binaries before and after maintenance.
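The pre- and post-maintenance integrity checks called for in the technical controls section and in tip (4) above amount to: hash the critical files before the window, hash them again afterwards, and confirm that only the files the approved change was supposed to touch actually changed. The following is an added example, not code from the original article or from any patch-management product. It builds a SHA256 baseline of a directory tree, diffs two baselines, and reports anything touched that was not on the approved change list; the directory layout, file contents and the approved list in the demo are constructed stand-ins for a server's binaries and configuration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 16  # read files in 64 KiB chunks so large binaries do not load into memory


def sha256_file(path):
    """Return the hex SHA256 digest of one file."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Return {relative_path: sha256} for every regular file under root (sorted, POSIX paths)."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_baselines(before, after):
    """Classify every path seen in either baseline as added, removed, changed or unchanged."""
    report = {"added": [], "removed": [], "changed": [], "unchanged": []}
    for path in sorted(set(before) | set(after)):
        if path not in before:
            report["added"].append(path)
        elif path not in after:
            report["removed"].append(path)
        elif before[path] != after[path]:
            report["changed"].append(path)
        else:
            report["unchanged"].append(path)
    return report


def unexpected_changes(report, approved_paths):
    """Paths added, removed or changed that the approved maintenance request did not cover."""
    touched = set(report["added"]) | set(report["removed"]) | set(report["changed"])
    return sorted(touched - set(approved_paths))


def evidence_record(ticket, report, unexpected):
    """JSON document to attach to the ticket as the post-maintenance integrity artifact."""
    return json.dumps(
        {
            "ticket": ticket,
            "counts": {k: len(v) for k, v in report.items()},
            "unexpected_changes": unexpected,
            "result": "PASS" if not unexpected else "FAIL",
        },
        indent=2,
    )


def demo():
    """Constructed run: an approved sshd patch plus an unapproved sudo change and a new file."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "sshd").write_bytes(b"sshd build 1")
        (root / "bin" / "sudo").write_bytes(b"sudo build 1")
        (root / "etc" / "ssh.conf").write_text("PermitRootLogin no\n")
        before = build_baseline(root)
        # Simulated maintenance window: only bin/sshd was approved to change.
        (root / "bin" / "sshd").write_bytes(b"sshd build 2")
        (root / "bin" / "sudo").write_bytes(b"sudo build 1 plus unapproved edit")
        (root / "bin" / "newtool").write_bytes(b"dropped during maintenance")
        after = build_baseline(root)
        report = compare_baselines(before, after)
        unexpected = unexpected_changes(report, approved_paths=["bin/sshd"])
        return report, unexpected


if __name__ == "__main__":
    report, unexpected = demo()
    print(evidence_record("CHG-EXAMPLE", report, unexpected))
```

Run once before the approved window to save the baseline (for example as JSON), once afterwards, and store the comparison output with the ticket; a non-empty unexpected list is the signal to invoke the rollback plan rather than close the ticket. The baseline file itself should live outside the maintained system (or in the immutable log store mentioned above) so the maintainer cannot rewrite it.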
Risks of not implementing MA.L2-3.7.1 correctly
Failure to control maintenance increases risks of unauthorized access, malicious change, CUI exposure, and extended outages. From an audit/compliance perspective, inadequate maintenance controls can lead to findings, corrective action plans, lost contracts (especially DoD contracts), and reputational damage. Technically, unmanaged vendor access or lack of logging makes forensic investigations difficult if an incident occurs, increasing recovery time and cost.
In summary, preparing for an audit against MA.L2-3.7.1 means establishing clear maintenance policies, maintaining an accurate asset inventory, enforcing technical controls (PAM, MFA, bastion, session recording), documenting approvals and outcomes, and collecting a concise set of evidence artifacts. For small businesses, focus on repeatable, automated controls and simple, auditable processes that map directly to the Compliance Framework requirements — this approach minimizes risk and maximizes your ability to demonstrate compliance during an audit.