CMMC Level 2

Control 3.7.2

Control Maintenance Tools and Activities

CMMC-RP Certified Team, 24+ Years Experience, 2,500+ Clients Served

Official Requirement

Provide controls on the tools, techniques, mechanisms, and personnel used to conduct information system maintenance.

What This Means in Plain English

The tools used for system maintenance (diagnostic software, admin utilities) must be controlled and monitored. Only authorized personnel should use approved maintenance tools, and their activities should be logged.

How Petronella Implements This Control

Petronella Technology Group implements this control through:

  • Approved maintenance tool inventory documented in ComplianceArmor
  • Remote administration tools restricted to approved solutions (RMM platform only)
  • Maintenance personnel access controlled through role-based permissions
  • Arctic Wolf SIEM monitoring for unauthorized use of maintenance tools
  • All maintenance sessions logged with technician identity, actions taken, and duration

Assessment Guidance

Assessors will review the approved maintenance tools list, verify that unauthorized tools are blocked, check that maintenance activities are logged with personnel identification, and test that only authorized personnel can access maintenance tools.

Common Implementation Gaps

  • No inventory of approved maintenance tools
  • Unauthorized remote access tools (TeamViewer, AnyDesk) in use
  • Maintenance activities not logged
  • No controls on who can use maintenance tools
  • Diagnostic tools left on systems after maintenance is complete
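The checks in the assessment guidance and the gaps above can be run as a simple audit over a software inventory and a maintenance session log. The following is an added example, not Petronella's tooling or the output of any named product; the hosts, technician names, "example-" tool names, and the list of software classed as maintenance tooling are all constructed assumptions.

```python
# All data below is constructed; tool names prefixed "example-" are placeholders.
APPROVED_TOOLS = {"example-rmm-agent"}   # approved maintenance tool inventory
AUTHORIZED_TECHS = {"jdoe", "asmith"}    # personnel permitted to perform maintenance
MAINTENANCE_CLASS = {"example-rmm-agent", "teamviewer", "anydesk", "example-diag-suite"}
REQUIRED_FIELDS = ("technician", "tool", "actions", "duration_min")
INSTALLED = {  # host -> installed software names
    "ws-01": ["Example-RMM-Agent", "office-suite"],
    "ws-02": ["Example-RMM-Agent", "AnyDesk"],
    "srv-01": ["Example-RMM-Agent", "example-diag-suite"],
}
SESSIONS = [
    {"id": 1, "technician": "jdoe", "tool": "example-rmm-agent",
     "actions": ["patched OS"], "duration_min": 25},
    {"id": 2, "technician": "contractor7", "tool": "example-rmm-agent",
     "actions": ["reset service"], "duration_min": 10},
    {"id": 3, "technician": "asmith", "tool": "teamviewer",
     "actions": ["remote support"], "duration_min": 40},
    {"id": 4, "technician": "", "tool": "example-rmm-agent", "actions": []},
]


def audit_inventory(installed, approved=APPROVED_TOOLS):
    """Return sorted (host, tool) pairs for maintenance tools not on the approved list."""
    findings = []
    for host, software in installed.items():
        for name in software:
            tool = name.strip().lower()
            if tool in MAINTENANCE_CLASS and tool not in approved:
                findings.append((host, tool))
    return sorted(findings)


def audit_sessions(sessions, approved=APPROVED_TOOLS, techs=AUTHORIZED_TECHS):
    """Return {session id: [reasons]} for sessions failing a logging or access check."""
    findings = {}
    for s in sessions:
        reasons = [f"missing {f}" for f in REQUIRED_FIELDS if not s.get(f)]
        if s.get("technician") and s["technician"] not in techs:
            reasons.append("unauthorized technician")
        if s.get("tool") and s["tool"].lower() not in approved:
            reasons.append("unapproved tool")
        if reasons:
            findings[s["id"]] = reasons
    return findings


if __name__ == "__main__":
    print(audit_inventory(INSTALLED))
    print(audit_sessions(SESSIONS))
```

A maintenance-class tool that is installed but absent from the approved list is reported whether it is an unauthorized remote access tool or a diagnostic utility left behind after maintenance.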

Cross-Framework Mapping

Framework | Mapped Controls
NIST SP 800-53 | MA-3, MA-3(1), MA-3(2)
