Last Updated on February 8, 2021
The US Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) framework organizes the controls that protect Controlled Unclassified Information (CUI) into 17 domains. Each CMMC domain includes capabilities, processes and practices, which are required for compliance with one of the five CMMC maturity levels.
The CMMC Maintenance (MA) domain specifies six practices, four at Level 2 and two at Level 3. All six Maintenance practices fall into a single CMMC capability, called simply “Manage maintenance.”
What does maintenance have to do with security? If you don’t maintain the technology assets that enable you to process CUI, you will experience system failures, operational disruption and increased risk of data loss and cyberattack.
In particular, maintenance includes patching and updating your operating systems and other hardware and software. Often patches fix security vulnerabilities that are known, published, and enthusiastically exploited by hackers.
Maintenance activities focused on system performance and reliability can also help you identify non-sanctioned processes running on devices, discover unpatched assets or even locate vulnerable assets you didn’t know you had.
What are the CMMC Maintenance Domain Practices?
The four CMMC Maintenance domain practices at CMMC Level 2 focus on prioritizing, planning and operationalizing maintenance procedures:
- 2.111 Perform maintenance on organizational systems.
This practice is the foundation of system maintenance from a cybersecurity perspective. It applies to all types of maintenance (corrective, preventive, adaptive and perfective) across all system components (hardware, software, firmware). This includes maintenance performed by your internal team or by third parties.
- 2.112 Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.
This practice focuses on the security-related issues associated with your maintenance tools. A big part of this control is putting approvals, monitoring and other controls on who uses these tools and how they’re used so they can’t be abused or misused. Another security concern is that both open source and COTS maintenance software could be a vector for transporting malware.
- 2.113 Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.
This control requires you to use MFA for all maintenance taking place over an external network, whether by remote employees or third parties. This will make it significantly harder for hackers to steal maintainers’ credentials and access your systems at a privileged level.
- 2.114 Supervise the maintenance activities of personnel without required access authorization.
This control applies to maintainers “not previously identified as authorized maintenance personnel,” such as vendors, consultants, third-party systems integrators, etc., who might require privileged access to your systems. A good example of this control in action is calling a third-party repair tech onsite to fix a hardware problem. “Supervise” could mean issuing temporary login credentials for just the system involved. It could also mean physically observing and supervising the person so s/he has no opportunity to conduct unauthorized activities.
The two Maintenance practices at CMMC Level 3 provide extra security for CUI:
- 3.115 Ensure equipment removed for off-site maintenance is sanitized of any CUI.
This control applies to all system components, including applications, regardless of whether the work is performed under contract/warranty, by in-house staff or a third party. To “sanitize” media means to render the data impossible or extremely difficult to recover; e.g., by overwriting the drive with all zeros, securely erasing the media, disassembling it or even destroying it.
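Before equipment goes out the door, someone has to confirm that the sanitization actually happened rather than trusting a checkbox. The following is an added example (not from the original post or from Pivot Point Security) that reads a drive image or block device end to end and reports whether every byte is zero, returning the offset of the first residual byte if not. The sample image files are constructed inside a temporary directory; on a real system you would point `verify_zeroed` at the device node after the overwrite pass.

```python
import os
import tempfile

# Read size per iteration; one megabyte keeps memory flat on large drives.
CHUNK = 1024 * 1024


def verify_zeroed(path: str) -> dict:
    """Scan the whole file/device and report whether every byte is zero.

    Returns a dict with 'sanitized' (bool), 'first_nonzero' (offset of the
    first residual byte, or -1 if none) and 'scanned' (bytes read).
    """
    zero_chunk = bytes(CHUNK)
    offset = 0
    with open(path, "rb") as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                break
            # Compare against a zero buffer of the same length (last chunk may be short).
            if chunk != zero_chunk[: len(chunk)]:
                first = next(i for i, b in enumerate(chunk) if b)
                return {
                    "sanitized": False,
                    "first_nonzero": offset + first,
                    "scanned": offset + len(chunk),
                }
            offset += len(chunk)
    return {"sanitized": True, "first_nonzero": -1, "scanned": offset}


def demo_sanitization_check() -> tuple:
    """Build two constructed images: one fully wiped, one with residual data."""
    with tempfile.TemporaryDirectory() as tmp:
        wiped = os.path.join(tmp, "wiped.img")
        with open(wiped, "wb") as f:
            f.write(bytes(3 * CHUNK + 17))  # 3 MiB plus a short tail, all zero

        residual = os.path.join(tmp, "residual.img")
        with open(residual, "wb") as f:
            f.write(bytes(2 * CHUNK))
            f.write(b"constructed residual CUI fragment\n")  # left behind by a bad wipe
            f.write(bytes(CHUNK))

        return verify_zeroed(wiped), verify_zeroed(residual)


if __name__ == "__main__":
    for label, result in zip(("wiped", "residual"), demo_sanitization_check()):
        print(label, result)
```

The check deliberately reads the entire medium rather than sampling: a few residual sectors in the middle of a drive are exactly what a spot check misses. Record the result (device serial, bytes scanned, outcome, who ran it) as the evidence an assessor will ask for.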
- 3.116 Check media containing diagnostic and test programs for malicious code before the media are used in organizational systems.
As part of troubleshooting a system, the vendor may share a diagnostic application that you need to install. Or your admin might download a diagnostic program from the internet. As with any executable code, there is the chance the software is infected with malware. This control requires you to implement procedures to ensure any such file is scanned for malware before you install it. It's worth noting, although the practice does not speak to it explicitly, that you need to ensure removable hardware media (USB drives, external HDDs, disks) are scanned as well. We have a “hunch” this is something an assessor will be looking for.
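A malware scan is one gate; a second, cheaper gate is to confirm that what is on the media is exactly what the vendor says it shipped. The following is an added example (not from the original post or from Pivot Point Security) that walks a mounted media directory, hashes every file with SHA-256 and compares the results against a vendor-supplied manifest, flagging files that were altered after the manifest was produced and files the vendor never listed. The media contents and the manifest are constructed in a temporary directory; a real manifest would come from the vendor out of band, ideally signed.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large diagnostic images do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_media(media_dir: Path, manifest: Dict[str, str]) -> dict:
    """Compare every file under media_dir with the approved manifest.

    manifest maps a POSIX-style relative path to its expected SHA-256 hex digest.
    'ok' is True only when every file present is listed and matches; files listed
    in the manifest but absent from the media are reported but do not block use.
    """
    report = {"approved": [], "mismatched": [], "unlisted": [], "missing": []}
    seen = set()
    for path in sorted(p for p in media_dir.rglob("*") if p.is_file()):
        rel = path.relative_to(media_dir).as_posix()
        seen.add(rel)
        expected = manifest.get(rel)
        if expected is None:
            report["unlisted"].append(rel)
        elif sha256_file(path) == expected:
            report["approved"].append(rel)
        else:
            report["mismatched"].append(rel)
    report["missing"] = sorted(set(manifest) - seen)
    report["ok"] = not (report["mismatched"] or report["unlisted"])
    return report


def demo_media_check() -> dict:
    """Build constructed vendor media, tamper with it, and run the check."""
    with tempfile.TemporaryDirectory() as tmp:
        media = Path(tmp)
        (media / "diag").mkdir()
        tool = media / "diag" / "vendor_diag.exe"
        tool.write_bytes(b"constructed vendor diagnostic binary v1.2\n")
        readme = media / "README.txt"
        readme.write_bytes(b"Run vendor_diag.exe as administrator.\n")

        # Manifest as the vendor would have published it for these files.
        manifest = {
            "diag/vendor_diag.exe": sha256_file(tool),
            "README.txt": sha256_file(readme),
        }

        # Simulate what the check is meant to catch: the tool was modified after
        # the manifest was produced, and an extra file appeared on the media.
        tool.write_bytes(tool.read_bytes() + b"\x90" * 16)
        (media / "extra_helper.exe").write_bytes(b"constructed unlisted file\n")

        return check_media(media, manifest)


if __name__ == "__main__":
    print(demo_media_check())
```

Run the hash check first and the antivirus scan second; a file that fails the manifest never reaches the scanner, and a file that passes the manifest still gets scanned, since a vendor's own build environment can be compromised. Log both outcomes with the media identifier so the procedure leaves evidence.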
What is needed to comply with the CMMC Maintenance Domain controls?
With just six practices and one capability, the CMMC Maintenance domain might be among the easier domains for SMBs to comply with. Especially if your company already has some patch management and/or hardware/device maintenance policies and procedures in place, you might only need to supplement or extend those to achieve compliance.
But if your maintenance program is immature or ad hoc, dealing with the extra effort and discipline that it takes to patch systems and put maintenance safeguards in place to protect CUI could seem onerous. And, of course, you’ll need to create policies that explain how exactly you’ve implemented each of the controls.
If you’re not sure what the patch status is for your assets, a vulnerability assessment to establish a current baseline could be valuable. There is also a wide range of patch management and maintenance support software available, from open source on up.
Wondering how to get started and how best to proceed with a “cyber-centric” maintenance program that meets your CMMC compliance requirements? Contact Pivot Point Security to start a conversation with a CMMC expert.