3.7.1—Maintenance - Basic
>Control Description
>Discussion
This requirement addresses the information security aspects of the system maintenance program and applies to all types of maintenance to any system component (including hardware, firmware, applications) conducted by any local or nonlocal entity. System maintenance also includes those components not directly associated with information processing and data or information retention such as scanners, copiers, and printers. [26] In general, system maintenance requirements tend to support the security objective of availability. However, improper system maintenance or a failure to perform maintenance can result in the unauthorized disclosure of CUI, thus compromising confidentiality of that information.
>Cross-Framework Mappings
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- What policies govern system maintenance?
- What procedures control maintenance activities?
- Who approves and performs system maintenance?
- How are maintenance windows scheduled and communicated?
- What governance ensures secure maintenance practices?
Technical Implementation:
- How do you control access during maintenance activities?
- What technical safeguards protect systems during maintenance?
- How do you monitor maintenance sessions?
- What tools track and log maintenance activities?
- What mechanisms verify system integrity post-maintenance?
Evidence & Documentation:
- Can you provide maintenance schedules and approvals?
- What documentation exists for maintenance activities?
- Can you demonstrate controlled maintenance access?
- What logs track maintenance sessions and activities?
- What audit evidence verifies maintenance control compliance?