NIST 800-171 3.7.2: Control System Maintenance Tools & Personnel
System maintenance creates blind spots in security—unauthorized tools and unvetted personnel can bypass your controls entirely. NIST 800-171 3.7.2 requires you to establish strict oversight of maintenance activities, tools, and staff to prevent unauthorized access and system compromise. This control is critical for organizations protecting controlled unclassified information (CUI).
What this means
Control 3.7.2 mandates that organizations establish and enforce policies governing the tools, techniques, mechanisms, and personnel authorized to perform system maintenance. This includes defining what maintenance activities are permitted, who can perform them, which tools are approved, and under what conditions. The control ensures maintenance doesn't become a backdoor for unauthorized access or malicious activity. It applies to both internal staff and external contractors, and covers both physical and logical maintenance.
How to comply
- 1.Document a system maintenance policy defining approved tools, techniques, and authorized personnel roles
- 2.Create an approved tools list and maintenance toolkit inventory with version control and integrity verification
- 3.Establish personnel qualification and training requirements before granting maintenance access
- 4.Require pre-maintenance authorization with documented purpose, scope, and scheduled timeframe
- 5.Implement monitoring and logging of all maintenance activities, including tool usage and system changes
- 6.Enforce separation of duties—maintenance personnel should not bypass monitoring or audit controls
- 7.Conduct post-maintenance reviews and testing to verify no unauthorized changes were made
- 8.Restrict physical and logical access to maintenance tools; store securely when not in use
- 9.Require background checks and security clearances for personnel with maintenance access to CUI systems
Evidence auditors look for
- System maintenance policy document with approved tools and personnel roles defined
- Maintenance toolkit inventory with MD5/SHA hashes or digital signatures for integrity verification
- Training records and certifications for maintenance personnel
- Maintenance request and approval logs with business justification and authorization signatures
- System maintenance activity logs showing timestamps, personnel, tools used, and changes made
- Configuration management records documenting pre- and post-maintenance system states
- Access control lists limiting maintenance tool distribution to authorized personnel
- Post-maintenance testing reports and change verification documentation
- Background check and security clearance records for maintenance staff
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates maintenance tool inventory tracking, approval workflows, and activity logging—eliminating manual spreadsheets and ensuring audit-ready evidence for 3.7.2 compliance.
See how GRCWatch handles this control automatically
Start free trial