NIST SP 800-171

Control 3.7.1

Perform System Maintenance

CMMC-RP Certified Team | 24+ Years Experience | 2,500+ Clients Served

Official Requirement

Perform maintenance on organizational information systems.

What This Means in Plain English

Systems must be maintained regularly with patches, updates, and preventive maintenance. Maintenance activities should be scheduled, documented, and performed by authorized personnel.

How Petronella Implements This Control

Petronella Technology Group implements this control through:

  • Monthly patch management cycle using Microsoft WSUS and Intune for Windows updates
  • FortiGate firmware updates performed on a quarterly schedule with rollback plans
  • Sophos XDR signature and engine updates applied automatically
  • Scheduled maintenance windows documented and communicated to stakeholders
  • ComplianceArmor maintenance log tracking all maintenance activities with dates and personnel

Assessment Guidance

Assessors will review maintenance schedules and logs, verify that patches are applied in a timely manner, check that maintenance activities are performed by authorized personnel, and confirm that maintenance is documented.

Common Implementation Gaps

  • No regular maintenance schedule
  • Patches not applied for months or years
  • Maintenance activities not documented
  • No maintenance window policy
  • Firmware updates neglected on network devices

Cross-Framework Mapping

Framework | Mapped Controls
NIST SP 800-53 | MA-2
PCI DSS | Req 6.2 - Protect all system components from known vulnerabilities by installing applicable security patches
