Part of a Collection
This article is part of the collection: The 14 CMMC Domains: A Comprehensive Guide
CMMC Deep Dive: Maintenance (MA)
A guide to the Maintenance (MA) domain, focusing on the secure performance of system maintenance.
Published: June 25th, 2024By: CMMC Dashboard TeamLast updated: August 7th, 2025
MaintenanceMARemote AccessSanitization
This article is part of our series on The 14 CMMC Domains.
The Maintenance (MA) domain ensures that all maintenance activities, whether performed by internal staff or external vendors, are conducted securely to prevent the introduction of new vulnerabilities.
Why It Matters
Maintenance activities often require privileged access, making them a potential vector for attack if not properly controlled. This domain protects against risks associated with remote maintenance, off-site repairs, and the use of diagnostic tools.
Key Practices
- MA.L2-3.7.1: Perform maintenance on organizational systems.
- MA.L2-3.7.2: Control the tools, techniques, and personnel used for maintenance.
- MA.L2-3.7.3: Ensure equipment removed for off-site maintenance is sanitized of CUI.
- MA.L2-3.7.5: Require MFA for nonlocal maintenance sessions.
What Assessors Look For
- A documented system maintenance policy.
- Records of maintenance activities.
- Procedures for controlling remote maintenance sessions.
- Evidence of media sanitization for off-site repairs.