System maintenance keeps your infrastructure running and secure. It includes patching, firmware updates, hardware repairs, certificate renewals, scheduled reboots, and any other work needed to keep systems operational. The assessor wants to see that you have a process for maintenance, that maintenance is tracked, and that only authorized people perform it.
What the assessor is actually evaluating
The assessor is looking for three things:
A maintenance process or schedule. Do you have a documented approach to how and when maintenance happens? This might be a quarterly patching cycle, a preventive maintenance schedule for hardware, or a process for handling urgent maintenance requests.
Records of maintenance activities. Has maintenance actually been performed and documented? Tickets, logs, service reports, or audit trails showing what was done, when, and by whom. If you say you maintain systems but have no records, you failed.
Controlled access to maintenance tools and systems. Who can perform maintenance? Is access to remote maintenance tools (RMM, SSH, VPN) restricted to authorized personnel? Are audit logs kept of remote sessions? If a vendor does on-site work, is it logged or supervised?
Maintenance overlaps with patching (covered in SI.L2-3.14.1), but it’s broader. Patching is one type of maintenance. Hardware replacement, firmware updates, certificate renewals, and scheduled reboots are also maintenance.
Example SSP Language: MA.L2-3.7.1
We maintain all organizational systems according to our System Maintenance Policy. Preventive maintenance is scheduled quarterly for servers and network devices. All patches and updates are applied according to our patch management process documented in SI.L2-3.14.1. Maintenance activities are tracked in our ticketing system, which records the date, time, systems affected, and personnel performing the work. All maintenance is performed by IT staff with documented authorization, and remote maintenance through our RMM tool is restricted to authorized IT personnel with audit logging enabled. Vendor maintenance on-site is supervised by IT staff and documented in our maintenance log.
How to present your evidence
Show the assessor:
A maintenance policy or procedure document that describes how and when you perform maintenance
Maintenance records for at least the past 12 months. This could be tickets from your helpdesk system, service records from your RMM tool, vendor invoices, or a maintenance log. Pick one consistent method.
A list of who is authorized to perform maintenance (IT staff, specific vendors, etc.)
If you use an RMM tool, show access controls (who has login credentials) and at least one audit log showing remote sessions
If vendors do on-site work, show documentation: service reports, work orders, or a log noting the date and what was done
For a small team, a spreadsheet tracking maintenance dates and what was done is acceptable if it’s kept updated. For larger environments, integrate maintenance records into your ticketing or monitoring system. The point is consistency and completeness, not complexity.
Common failures
No maintenance records. The organization does maintenance but doesn’t document it. Assessors see no tickets, no RMM history, no service records.
RMM or remote access isn’t restricted. Anyone with IT access can log into the RMM console, or SSH keys are shared among staff with no audit trail.
Vendor or third-party maintenance isn’t tracked. A printer tech comes in, a managed service provider makes changes, or an outside consultant accesses systems with no record.
Maintenance schedule exists but isn’t followed. A policy document sits in a shared folder but actual maintenance is ad hoc and sporadic.
No separation between urgent and routine maintenance. All changes look the same in records, making it hard to show that maintenance is actually being managed.
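The two failures most often caught from records alone are work performed by someone not on the authorized list and a cadence that is promised in the SSP but not kept. The following is an added self-check (not from this page or any CMMC body) that runs over a constructed ticket export; the authorized-maintainer set, the monthly/quarterly intervals and the record fields are assumptions modelled on the sample schedule above.

```python
# Added example: check a maintenance-ticket export against the SSP's claims.
# All records, names and cadences below are constructed for illustration.
from collections import defaultdict
from datetime import date

# Constructed ticket export, one row per maintenance activity (not real data).
RECORDS = [
    {"ticket": "MT-101", "date": "2025-01-14", "type": "patching", "system": "srv-01", "by": "a.lee"},
    {"ticket": "MT-107", "date": "2025-02-11", "type": "patching", "system": "srv-01", "by": "a.lee"},
    {"ticket": "MT-115", "date": "2025-02-20", "type": "firmware", "system": "fw-edge", "by": "msp-tech1"},
    {"ticket": "MT-130", "date": "2025-04-08", "type": "patching", "system": "srv-01", "by": "j.doe"},
    {"ticket": "MT-142", "date": "2025-06-03", "type": "firmware", "system": "fw-edge", "by": "msp-tech1"},
]

# Assumed authorized-maintainer list, as it would appear in the SSP.
AUTHORIZED = {"a.lee", "msp-tech1", "msp-tech2"}

# Assumed cadence in days: monthly patching, quarterly firmware (from the sample schedule).
CADENCE_DAYS = {"patching": 31, "firmware": 92}


def unauthorized_work(records, authorized=AUTHORIZED):
    """Return ticket ids whose performer is not on the authorized list."""
    return [r["ticket"] for r in records if r["by"] not in authorized]


def cadence_gaps(records, as_of_iso, cadence=CADENCE_DAYS):
    """Return (type, system, start_date, days) for every interval between
    consecutive tickets, or from the last ticket to as_of, that exceeds
    the promised cadence for that maintenance type."""
    as_of = date.fromisoformat(as_of_iso)
    by_key = defaultdict(list)
    for r in records:
        if r["type"] in cadence:
            by_key[(r["type"], r["system"])].append(date.fromisoformat(r["date"]))
    gaps = []
    for (mtype, system), dates in by_key.items():
        timeline = sorted(dates) + [as_of]  # close the last interval at the check date
        for prev, nxt in zip(timeline, timeline[1:]):
            days = (nxt - prev).days
            if days > cadence[mtype]:
                gaps.append((mtype, system, prev.isoformat(), days))
    return gaps


if __name__ == "__main__":
    print("unauthorized:", unauthorized_work(RECORDS))
    for gap in cadence_gaps(RECORDS, "2025-06-30"):
        print("cadence gap:", gap)
```

Run it against a real export before the assessment: every gap it prints is a question the assessor will ask, and every unauthorized ticket is a finding waiting to happen.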
If you use an MSP or MSSP
Your managed service provider handles most maintenance through their RMM tool. Assessors have asked to see RMM console access controls and session logs, so your MSSP needs to be ready to show who has access and what sessions look like. But maintenance records are more important than RMM security in most assessments. The assessor wants to see that work was done, tracked, and performed by authorized people.
Firmware updates on firewalls and switches are typically handled by your network admin (or the MSSP’s network team) and reviewed at the defined frequency, usually at least quarterly unless a vulnerability is found that requires immediate attention. The assessor is mainly checking that you have a repeatable process and can show it’s being followed. Like most of CMMC, it’s about having a defined process, documenting that you follow it, and being able to explain it.
Include the MSP’s maintenance process in your SSP. If your MSP’s access controls are weak, that’s your responsibility to fix.
Assessment room tips
Keep answers short. Show the evidence, don't describe it. Let the assessor drive. For more on how to present in the assessment room, see How to Present Evidence in the Assessment Room.
Q&A: What the assessor asks and what good answers sound like
Show me your maintenance schedule or policy.
[Pull up the SSP maintenance section] Here's our schedule. Patching is monthly through our MSSP. Firmware updates are quarterly. Hardware checks happen at least annually. Emergency maintenance follows our change management process.
Show me records of maintenance performed in the past year.
[Pull up ticketing system, filter to maintenance tickets] Here are our maintenance records. You can see patching tickets monthly, a firmware update on the firewall in November, and a server disk replacement in January. Each ticket shows the date, what was done, and who did it.
How do you control access to remote maintenance tools?
Our RMM console requires MFA and is restricted to three named technicians at our MSSP plus our IT director. [Pull up RMM access list] Here's who has access. All sessions are logged with timestamps and actions taken.
What happens when a vendor needs to do on-site maintenance?
They sign in as a visitor, get escorted by our IT person, and we log the visit in our ticketing system. [Pull up example vendor ticket] Here's the last time our copier vendor came in. The ticket shows the date, who escorted them, and what work was performed.
Do your maintenance activities ever change system baselines?
Yes. When we patch or update firmware, the baseline shifts. Our process ties back to [CM.L2-3.4.1](/practices/cm-l2-3-4-1/). The MSSP updates the baseline documentation as part of closing the maintenance ticket. The two processes are linked.
Disclaimer: This page reflects common CMMC assessment expectations as of March 2026. CMMC rules and assessment practices change. Verify current requirements with your C3PAO or CMMC documentation. This is guidance, not official CMMC standards.