MA — Maintenance

new org

SPRS Score: -1203

Objective Progress 0 / 10 (0.0%)
CMMC Practices MET 0 / 6
Domain Score Impact -18

CMMC scoring changes when all assessment objectives for a practice are MET; objective progress updates as each objective is assessed.

MA.L2-3.7.1 DoD Weight: 3 Deduction: -3 Basic
Not Yet Assessed
Requirement: Perform maintenance on organizational systems.
MET gate: This control cannot be marked MET until every child objective is MET. Blocking objective statuses: 3.7.1 = Not Yet Assessed

Assessment Objectives (1)

  • 3.7.1
    Determine if: system maintenance is performed.
    Not Yet Assessed
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: System maintenance policy; procedures addressing controlled system maintenance; maintenance records; manufacturer or vendor maintenance specifications; equipment sanitization records; media sanitization records; security plan; other relevant documents or records].
Interview: [SELECT FROM: Personnel with system maintenance responsibilities; personnel with information security responsibilities; personnel responsible for media sanitization; system or network administrators].
Test: [SELECT FROM: Organizational processes for scheduling, performing, documenting, reviewing, approving, and monitoring maintenance and repairs for systems; organizational processes for sanitizing system components; mechanisms supporting or implementing controlled maintenance; mechanisms implementing sanitization of system components].
MA.L2-3.7.2 DoD Weight: 5 Deduction: -5 Basic
Not Yet Assessed
Requirement: Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.
MET gate: This control cannot be marked MET until every child objective is MET. Blocking objective statuses: 3.7.2[a] = Not Yet Assessed; 3.7.2[b] = Not Yet Assessed; 3.7.2[c] = Not Yet Assessed; 3.7.2[d] = Not Yet Assessed

Assessment Objectives (4)

  • 3.7.2[a]
    Determine if: tools used to conduct system maintenance are controlled.
    Not Yet Assessed
  • 3.7.2[b]
    Determine if: techniques used to conduct system maintenance are controlled.
    Not Yet Assessed
  • 3.7.2[c]
    Determine if: mechanisms used to conduct system maintenance are controlled.
    Not Yet Assessed
  • 3.7.2[d]
    Determine if: personnel used to conduct system maintenance are controlled.
    Not Yet Assessed
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: System maintenance policy; procedures addressing system maintenance tools and media; maintenance records; system maintenance tools and associated documentation; maintenance tool inspection records; security plan; other relevant documents or records].
Interview: [SELECT FROM: Personnel with system maintenance responsibilities; personnel with information security responsibilities].
Test: [SELECT FROM: Organizational processes for approving, controlling, and monitoring maintenance tools; mechanisms supporting or implementing approval, control, and monitoring of maintenance tools; organizational processes for inspecting maintenance tools; mechanisms supporting or implementing inspection of maintenance tools; organizational process for inspecting media for malicious code; mechanisms supporting or implementing inspection of media used for maintenance].
MA.L2-3.7.3 DoD Weight: 1 Deduction: -1 Basic
Not Yet Assessed
Requirement: Ensure equipment removed for off-site maintenance is sanitized of any CUI.
MET gate: This control cannot be marked MET until every child objective is MET. Blocking objective statuses: 3.7.3 = Not Yet Assessed

Assessment Objectives (1)

  • 3.7.3
    Determine if: equipment to be removed from organizational spaces for off-site maintenance is sanitized of any CUI.
    Not Yet Assessed
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: System maintenance policy; procedures addressing controlled system maintenance; maintenance records; manufacturer or vendor maintenance specifications; equipment sanitization records; media sanitization records; security plan; other relevant documents or records].
Interview: [SELECT FROM: Personnel with system maintenance responsibilities; personnel with information security responsibilities; personnel responsible for media sanitization; system or network administrators].
Test: [SELECT FROM: Organizational processes for scheduling, performing, documenting, reviewing, approving, and monitoring maintenance and repairs for systems; organizational processes for sanitizing system components; mechanisms supporting or implementing controlled maintenance; mechanisms implementing sanitization of system components].
MA.L2-3.7.4 DoD Weight: 3 Deduction: -3 Basic
Not Yet Assessed
Requirement: Check media containing diagnostic and test programs for malicious code before the media are used in organizational systems.
MET gate: This control cannot be marked MET until every child objective is MET. Blocking objective statuses: 3.7.4 = Not Yet Assessed

Assessment Objectives (1)

  • 3.7.4
    Determine if: media containing diagnostic and test programs are checked for malicious code before being used in organizational systems that process, store, or transmit CUI.
    Not Yet Assessed
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: System maintenance policy; procedures addressing system maintenance tools; system maintenance tools and associated documentation; maintenance records; security plan; other relevant documents or records].
Interview: [SELECT FROM: Personnel with system maintenance responsibilities; personnel with information security responsibilities].
Test: [SELECT FROM: Organizational process for inspecting media for malicious code; mechanisms supporting or implementing inspection of media used for maintenance].
MA.L2-3.7.5 DoD Weight: 5 Deduction: -5 Basic
Not Yet Assessed
Requirement: Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.
MET gate: This control cannot be marked MET until every child objective is MET. Blocking objective statuses: 3.7.5[a] = Not Yet Assessed; 3.7.5[b] = Not Yet Assessed

Assessment Objectives (2)

  • 3.7.5[a]
    Determine if: multifactor authentication is required to establish nonlocal maintenance sessions via external network connections.
    Not Yet Assessed
  • 3.7.5[b]
    Determine if: nonlocal maintenance sessions established via external network connections are terminated when nonlocal maintenance is complete.
    Not Yet Assessed
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: System maintenance policy; procedures addressing nonlocal system maintenance; security plan; system design documentation; system configuration settings and associated documentation; maintenance records; diagnostic records; other relevant documents or records].
Interview: [SELECT FROM: Personnel with system maintenance responsibilities; personnel with information security responsibilities; system or network administrators].
Test: [SELECT FROM: Organizational processes for managing nonlocal maintenance; mechanisms implementing, supporting, and managing nonlocal maintenance; mechanisms for strong authentication of nonlocal maintenance diagnostic sessions; mechanisms for terminating nonlocal maintenance sessions and network connections].
MA.L2-3.7.6 DoD Weight: 1 Deduction: -1 Basic
Not Yet Assessed
Requirement: Supervise the maintenance activities of maintenance personnel without required access authorization.
MET gate: This control cannot be marked MET until every child objective is MET. Blocking objective statuses: 3.7.6 = Not Yet Assessed

Assessment Objectives (1)

  • 3.7.6
    Determine if: maintenance personnel without required access authorization are supervised during maintenance activities.
    Not Yet Assessed
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: System maintenance policy; procedures addressing maintenance personnel; service provider contracts; service-level agreements; list of authorized personnel; maintenance records; access control records; security plan; other relevant documents or records].
Interview: [SELECT FROM: Personnel with system maintenance responsibilities; personnel with information security responsibilities].
Test: [SELECT FROM: Organizational processes for authorizing and managing maintenance personnel; mechanisms supporting or implementing authorization of maintenance personnel].