NIST 800-171 Control 3.7.1: System Maintenance
System maintenance is a critical security touchpoint—uncontrolled patches, updates, and repairs can introduce vulnerabilities or create audit gaps. Control 3.7.1 requires organizations to establish and enforce maintenance procedures that protect system integrity and availability. This guide walks you through implementation, evidence collection, and how to demonstrate compliance.
What this means
Control 3.7.1 requires you to perform maintenance on organizational systems in a controlled, documented manner. This includes planning maintenance activities, scheduling downtime, testing patches and updates before deployment, maintaining audit logs of all maintenance work, and ensuring maintenance doesn't compromise system security. The control applies to both hardware and software maintenance across all systems handling controlled unclassified information (CUI).
How to comply
- 1.Develop a system maintenance policy that defines procedures, schedules, and approval workflows for all maintenance activities.
- 2.Create a maintenance schedule that minimizes business disruption while ensuring timely security updates and patches.
- 3.Establish a change management process that requires testing of updates and patches in a non-production environment before deployment.
- 4.Document all maintenance activities, including dates, technicians involved, systems affected, and changes made.
- 5.Maintain audit logs and access controls to ensure only authorized personnel perform maintenance.
- 6.Review and track vendor-provided patches and security updates; prioritize critical security patches.
- 7.Conduct post-maintenance verification to confirm systems function correctly and security controls remain effective.
- 8.Periodically review maintenance logs and procedures to identify gaps and improve processes.
Evidence auditors look for
- System maintenance policy and procedure documentation
- Approved maintenance schedule or calendar
- Change management records showing testing and approval
- Maintenance logs with dates, personnel, and system details
- Audit logs documenting system changes and access during maintenance
- Patch management records and deployment logs
- Post-maintenance verification reports or checklists
- Training records for maintenance personnel on security procedures
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates maintenance logging and audit trail tracking, so every patch, update, and repair is automatically documented and linked to control 3.7.1—eliminating manual log entries and reducing audit prep time.
See how GRCWatch handles this control automatically
Start free trial