MA.L2-3.7.2: Maintenance Tools

Control and inspect tools used during maintenance to ensure they don't introduce malicious code or compromise system security.

Maintenance tools are a vector. A compromised diagnostic tool or vendor device can introduce malware during routine maintenance. You need to know what tools touch your systems and verify they’re legitimate.

Family: Maintenance
Practice: MA.L2-3.7.2
Difficulty: Medium
Key evidence: Approved tools list, inspection/verification records

What the assessor is actually evaluating

The assessor is checking: (1) Do you know what tools are used for maintenance? (2) Do you verify they’re legitimate and not compromised? (3) Do you control access to them? This isn’t about having a sophisticated tool management system. It’s about being deliberate. You have a list. You verify. You control. This practice ties directly to MA.L2-3.7.1 (system maintenance scheduling) and works with MA.L2-3.7.4 (media inspection) to keep maintenance tooling secure.

For many small organizations, this is simple: vendor tools come with serial numbers you verify, internal tools are stored securely, and only authorized personnel use them.

What a realistic SSP definition looks like

MA.L2-3.7.2 Maintenance Tools

All maintenance tools are maintained on an approved tools list. Tools are verified by model/serial number before use. Tools are obtained only from authorized vendors and scanned for malware before use on CUI systems. Tools are stored in a secure location with access limited to authorized maintenance staff.

Approved tools include: [vendor diagnostic tool, internal imaging tool, etc.]. Verification is documented in [maintenance log/tracking system].

How to present your evidence

Gather these items:
  • Approved maintenance tools list (model, serial number, vendor, purpose)
  • Vendor documentation or receipts showing tool legitimacy
  • Maintenance log showing tools used and verification done
  • Documentation of tool storage and access control
  • If applicable, records of malware scans on tools before use

Assessment room tips

Keep answers short. Show the evidence, don't describe it. Let the assessor drive. For more on how to present in the assessment room, see How to Present Evidence in the Assessment Room.

Q: "What tools do you use for maintenance?" A: "We have an approved list. [Vendor diagnostic tool], [internal imaging], and [network analyzer]. All are tracked and verified before use." [Pull up tools list]

Q: "How do you verify them?" A: "We check serial numbers against vendor records and scan them for malware before they touch CUI systems."

Q: "Where are they stored?" A: "In a locked cabinet in [location]. Only [role] has access."

Common failures

No tools list. You use maintenance tools, but you don't have a formal list of what they are. You can't point to your approved tools. Create one.

No verification process. Tools arrive from the vendor or IT brings something in. You don't verify their authenticity or integrity. Add a verification step, even if simple.

You're good here. You maintain a list of approved tools (vendor, model, serial), verify them before use, and store them securely. Maintenance logs show verification completed. Assessors confirm this is adequate and move on.

Practical implementation

If you have an MSP, they bring tools. Get them to provide a list of what they use on your systems. Add it to your approved tools list. Require them to scan those tools before use.

For internal tools (imaging software, network diagnostics), store them on a secured drive or server. Control who can copy or use them.

For one-off vendor tools, verify the serial number matches the vendor documentation before letting it touch your network.

If you use an MSP/MSSP

Many MSPs use standard diagnostic tools (Dell Diagnostics, HPE iLO, etc.). Get their list of tools and add it to your approved list. In your MSP contract, specify they must verify tools before use and you require tool manifests for each engagement. Track this in your maintenance log.
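The verification step described above (approved list by vendor/model/serial, hash check for software tools, malware scan result, and a log entry as evidence) as a small added Python example. This is illustrative code written for this page, not a tool from any vendor or MSP; the tool entries and the imaging-tool bytes are constructed placeholders.

```python
import hashlib
from datetime import datetime, timezone

# Constructed approved-tools list (hypothetical entries, not a real inventory).
# Hardware tools are identified by vendor/model/serial; software tools also carry
# a SHA-256 recorded when the tool was approved.
IMAGING_TOOL_APPROVED = b"#!/bin/sh\n# constructed stand-in for the internal imaging tool\n"
APPROVED_TOOLS = {
    ("ExampleVendor", "DX-100", "SN-0001"): {"purpose": "hardware diagnostics", "sha256": None},
    ("Internal", "imaging-tool-2.3", None): {
        "purpose": "workstation imaging",
        "sha256": hashlib.sha256(IMAGING_TOOL_APPROVED).hexdigest(),
    },
}

MAINTENANCE_LOG = []  # verification records; stands in for the maintenance log/tracking system


def verify_tool(vendor, model, serial=None, artifact=None, scan_clean=None):
    """Check a tool against the approved list before it touches a CUI system.

    artifact:   bytes of a software tool to hash-check (None for hardware).
    scan_clean: result of the malware scan (True/False); None means no scan was recorded.
    Returns a record with result 'pass' or 'fail' plus the reasons for a failure.
    """
    reasons = []
    entry = APPROVED_TOOLS.get((vendor, model, serial))
    if entry is None:
        reasons.append("not on approved tools list (vendor/model/serial mismatch)")
    elif entry["sha256"] is not None:
        if artifact is None:
            reasons.append("software tool submitted without an artifact to hash")
        elif hashlib.sha256(artifact).hexdigest() != entry["sha256"]:
            reasons.append("SHA-256 does not match the hash recorded at approval")
    if scan_clean is None:
        reasons.append("no malware scan recorded")
    elif not scan_clean:
        reasons.append("malware scan reported a detection")
    return {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "vendor": vendor, "model": model, "serial": serial,
        "purpose": entry["purpose"] if entry else None,
        "result": "pass" if not reasons else "fail",
        "reasons": reasons,
    }


def log_verification(record):
    """Append the record to the maintenance log and return it (the assessor's evidence)."""
    MAINTENANCE_LOG.append(record)
    return record
```

A tool only passes when it is on the list, its hash (for software) still matches, and a clean scan is recorded; every outcome is logged, so failures are evidence too.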

This guide reflects CMMC Level 2 requirements as of March 2026. CMMC and NIST standards evolve. Verify current requirements with official CMMC materials and your assessor.