Family 3.7 (6 requirements)
Maintenance.
Trusted tools. Trusted people. Documented work.
The big picture
Maintenance is when systems are most exposed: uncontrolled tools, unsupervised technicians, undocumented work. Each of these gives an assessor grounds for a finding.
Theme 1
Tools and media.
3.7.1 — 3.7.3: Performing maintenance, controlling the tools and personnel used for it, and sanitizing equipment before it leaves for off-site repair.
- 3.7.1 Maintain on Schedule. Perform and document regular maintenance (patching, updates, hardware servicing) across all systems that store or process CUI.
- 3.7.2 Control Maintenance Tools. Approve, track, and inspect all tools, techniques, and personnel used for system maintenance.
- 3.7.3 Wipe Before Repair. Sanitize CUI from equipment before it leaves the site for off-site maintenance, and record the sanitization.
Theme 2
Process and people.
3.7.4 — 3.7.6: Checking maintenance media for malicious code, requiring MFA for nonlocal maintenance sessions, and supervising maintainers who lack the required access authorization.
- 3.7.4 Scan Maintenance Media. Check USB drives, diagnostic disks, and vendor-provided media for malicious code before they are used on CUI systems.
- 3.7.5 MFA for Remote Maintenance. Require multifactor authentication to establish any nonlocal maintenance session over an external network connection, and terminate the connection when the maintenance is complete.
- 3.7.6 Escort Uncleared Techs. Supervise the maintenance activities of personnel who lack the required access authorization, for the full duration of the work.