
NIST 800-171 Maintenance Controls in GCC High: Configuration Guide

January 11, 2026

Author: Emily Bonnie, Senior Content Marketing Manager

Reviewer: Anna Fitzgerald, Senior Content Marketing Manager

The Maintenance family is one of the more straightforward areas of NIST 800-171 for organizations running entirely in Microsoft GCC High. In most cloud-only environments, four of the six controls apply to infrastructure that Microsoft operates and maintains inside its sovereign government cloud data centers.

That shifts the focus of this family away from hardware maintenance and toward two practical responsibilities inside your organization. The first is ensuring systems remain patched and maintained. The second is ensuring administrative maintenance sessions, including remote administration through portals or PowerShell, are properly secured.

Organizations sometimes assume this family disappears entirely in a cloud environment. That is not quite true. The controls still apply, but the responsibility model changes.

If your environment truly processes CUI only in Microsoft 365 GCC High with no on-premises infrastructure, several controls can be marked not applicable. If any servers, networking devices, or locally maintained workstations process CUI, the scope changes and those controls must be implemented.

This article is Part 7 of the NIST 800-171 GCC High Configuration Guide. It assumes you already have a functioning Microsoft GCC High tenant, understand the shared responsibility model, and are implementing against NIST SP 800-171 Rev. 2.


MA Family Overview

Maintenance controls govern how systems are maintained and serviced throughout their lifecycle. In traditional on-premises environments, this includes controlling maintenance tools, supervising technicians, and sanitizing equipment removed for repair.

In Microsoft 365 GCC High environments, many of these responsibilities shift to Microsoft because the physical infrastructure is maintained inside Microsoft’s sovereign government cloud data centers. As a result, several Maintenance controls may be inherited from Microsoft’s FedRAMP High authorization when the CUI environment is fully cloud-hosted.

Organizations still retain responsibility for maintaining endpoints and securing administrative maintenance sessions. Patch management, device maintenance procedures, and controls for remote administrative access remain part of the organization’s CMMC scope even in a cloud-first architecture.

| Control | Evidence examples | What the assessor verifies |
|---|---|---|
| 3.7.1 System Maintenance | Patch schedules, Intune update configuration, device compliance reports | Systems receive regular updates |
| 3.7.2 Maintenance Controls | SSP scoping documentation | Control correctly scoped for cloud environments |
| 3.7.3 Equipment Sanitization | Device wipe procedures | CUI removed before devices leave control |
| 3.7.4 Media Inspection | SSP documentation | Control properly scoped for cloud environments |
| 3.7.5 Nonlocal Maintenance | Conditional Access policies and session configuration | MFA required for administrative maintenance sessions |
| 3.7.6 Maintenance Personnel | SSP scoping documentation | Maintenance personnel controls defined |

In a fully cloud-hosted GCC High environment, Microsoft maintains the underlying infrastructure under its FedRAMP High authorization. That includes physical hardware, maintenance tools, and personnel controls inside the Microsoft data centers.

MA controls and CMMC scope

Maintenance controls often depend heavily on how the CMMC boundary is defined.

When the CUI environment is entirely cloud-hosted in Microsoft 365 GCC High, Microsoft manages the physical maintenance of servers, storage systems, and networking infrastructure. In that case, several controls can be documented as not applicable.

However, endpoints frequently remain inside the organization’s responsibility boundary. Laptops, desktops, and administrative systems still require patching and maintenance controls. Maintenance requirements can also apply if vendors repair or maintain those devices.

Organizations should document the scoping rationale clearly in the System Security Plan so assessors understand why specific controls are marked not applicable.

| Component | Maintenance responsibility | Typical gap |
|---|---|---|
| Microsoft 365 GCC High infrastructure | Microsoft performs all physical system maintenance. | Organizations fail to document the cloud inheritance in the SSP. |
| Endpoints accessing CUI | Customer responsible for patching and device maintenance. | Devices fall behind patch schedules. |
| Administrative sessions | Customer responsible for securing remote maintenance sessions. | MFA enforced but session termination practices unclear. |
| On-premises systems (if present) | Customer responsible for all maintenance controls. | Controls incorrectly marked not applicable. |

MA controls and GCC High Implementation

The Maintenance family contains six controls. In cloud environments, most organizations focus on two operational areas: maintaining endpoint patching and securing remote administrative sessions.

3.7.1 System Maintenance

CMMC Practice: MA.L2-3.7.1

This control requires organizations to define and perform system maintenance activities.

In a GCC High environment, Microsoft maintains the underlying cloud infrastructure. Your responsibility focuses primarily on endpoints and tenant-level software maintenance.

Most organizations implement this through Microsoft Intune update rings that enforce patch deployment across managed devices.

Administrators typically configure update rings to deploy quality updates within a few days and feature updates after testing. This ensures security patches reach devices quickly while still allowing time to validate major upgrades.

Organizations should also document their patch management schedule, maintenance windows, and emergency patching procedures in the SSP.

Assessors reviewing this control often look for evidence that patching occurs regularly and that devices are not falling significantly behind the update schedule.
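The update-ring pattern described above (quality updates within a few days, feature updates held for a test window, with enforced deadlines), written as an added Microsoft Graph PowerShell example rather than anything from the article or from Microsoft's documentation. The ring name, the target group name and every deferral and deadline value are assumptions to adjust to your own maintenance schedule.

```powershell
# Added example. Assumes the Microsoft.Graph SDK is installed and the signed-in admin can
# manage Intune device configuration. GCC High uses the USGov Graph environment.
Connect-MgGraph -Environment USGov -Scopes "DeviceManagementConfiguration.ReadWrite.All", "Group.Read.All"

# Windows Update for Business ring: short quality-update deferral so security patches land
# quickly, longer feature-update deferral so a pilot ring can validate upgrades first.
$ring = @{
    "@odata.type"                      = "#microsoft.graph.windowsUpdateForBusinessConfiguration"
    displayName                        = "MA-3.7.1 Standard Update Ring"          # assumed name
    description                        = "Quality updates within days, feature updates after pilot validation"
    automaticUpdateMode                = "autoInstallAtMaintenanceTime"
    microsoftUpdateServiceAllowed      = $true
    driversExcluded                    = $false
    qualityUpdatesDeferralPeriodInDays = 2     # assumed: security/quality patches offered after 2 days
    featureUpdatesDeferralPeriodInDays = 30    # assumed: feature upgrades held 30 days for testing
    deadlineForQualityUpdatesInDays    = 5     # assumed: install is forced if users keep postponing
    deadlineForFeatureUpdatesInDays    = 14
    deadlineGracePeriodInDays          = 2     # assumed: restart grace period once a deadline passes
}

$policy = New-MgDeviceManagementDeviceConfiguration -BodyParameter $ring
Write-Host "Created update ring $($policy.DisplayName) with id $($policy.Id)"

# Assign the ring to the device group that holds CUI workstations (group name is an assumption).
$group = Get-MgGroup -Filter "displayName eq 'Intune - CUI Workstations'"
if (-not $group) { throw "Target device group not found; create it or adjust the filter." }

$assignment = @{
    target = @{
        "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
        groupId       = $group.Id
    }
}
New-MgDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $policy.Id -BodyParameter $assignment

# Record the ring settings alongside the SSP patch schedule as 3.7.1 evidence.
$ring | ConvertTo-Json | Out-File "MA_3.7.1_UpdateRing.json"
```

Keep the exported JSON with the SSP so the assessor can match the documented patch schedule to the deployed deferral and deadline values.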

3.7.2 Maintenance Controls

CMMC Practice: MA.L2-3.7.2

This control governs the tools and personnel used to conduct system maintenance.

In cloud-hosted GCC High environments, Microsoft manages maintenance tools and personnel inside the government cloud infrastructure. These activities fall under Microsoft’s FedRAMP High authorization.

For organizations running entirely in GCC High with no on-premises CUI infrastructure, this control is typically documented as not applicable.

If the organization maintains any on-premises servers or networking equipment that process CUI, this control becomes applicable and the organization must define procedures for controlling maintenance tools and supervising maintenance personnel.

3.7.3 Equipment Sanitization

CMMC Practice: MA.L2-3.7.3

This control ensures that systems removed for off-site maintenance are sanitized of CUI before leaving the organization’s control.

For Microsoft cloud infrastructure this responsibility belongs to Microsoft, since the hardware resides within their government data centers.

However, the control can still apply to endpoint devices. If a laptop containing CUI is sent for repair or maintenance, organizations should sanitize the device before it leaves organizational control.

Most organizations address this through remote wipe procedures using Microsoft Intune or by performing a full device reset prior to repair.

3.7.4 Media Inspection

CMMC Practice: MA.L2-3.7.4

This control requires inspection of maintenance media used for diagnostic purposes.

Cloud systems rarely rely on external diagnostic media, so organizations operating entirely within Microsoft 365 typically document this control as not applicable.

If maintenance activities involve bootable media or diagnostic tools on endpoints, those tools should be scanned using Microsoft Defender before they are used.

3.7.5 Nonlocal Maintenance

CMMC Practice: MA.L2-3.7.5

This control focuses on remote maintenance sessions.

Administrative activity in Microsoft 365 is inherently remote. Administrators manage the environment through web portals, APIs, and PowerShell sessions across the internet.

Because of this, organizations must ensure administrative access requires multifactor authentication and that maintenance sessions terminate when the work is complete.

Conditional Access policies typically enforce MFA for all administrative roles. Session settings can also limit sign-in duration and prevent persistent sessions.

Organizations should also establish procedures requiring administrators to disconnect PowerShell sessions when maintenance activities are finished.
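The Conditional Access configuration described above (MFA for administrative roles plus a sign-in frequency and no persistent browser sessions), as an added Microsoft Graph PowerShell example that is not from the article or from Microsoft's own guidance. The policy name, the list of administrative roles, the 8-hour sign-in frequency and the break-glass account placeholder are assumptions.

```powershell
# Added example. Assumes the Microsoft.Graph SDK and a signed-in admin who can manage
# Conditional Access. GCC High uses the USGov Graph environment.
Connect-MgGraph -Environment USGov -Scopes "Policy.ReadWrite.ConditionalAccess", "RoleManagement.Read.Directory"

# Resolve role template IDs by display name so no GUIDs are hard-coded (role list is an assumption).
$adminRoles = "Global Administrator", "Security Administrator", "Intune Administrator", "Exchange Administrator"
$roleIds = Get-MgDirectoryRoleTemplate |
    Where-Object { $adminRoles -contains $_.DisplayName } |
    ForEach-Object { $_.Id }
if ($roleIds.Count -ne $adminRoles.Count) { throw "One or more role templates were not found." }

# Placeholder: object ID of the emergency-access account that must never be locked out by this policy.
$breakGlassAccountId = "<BREAK-GLASS-ACCOUNT-OBJECT-ID>"

$policy = @{
    displayName = "MA-3.7.5 Admin maintenance sessions: MFA and session limits"
    # Report-only first; change to "enabled" after reviewing sign-in logs for unintended impact.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeRoles = @($roleIds); excludeUsers = @($breakGlassAccountId) }
        applications   = @{ includeApplications = @("All") }   # portals, APIs and PowerShell alike
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
    sessionControls = @{
        # Re-authenticate at least every 8 hours (assumed value) and never keep a persistent browser session.
        signInFrequency   = @{ isEnabled = $true; value = 8; type = "hours"; frequencyInterval = "timeBased" }
        persistentBrowser = @{ isEnabled = $true; mode = "never" }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created Conditional Access policy $($created.DisplayName) in state $($created.State)"
```

Review report-only results in the sign-in logs before switching the state to enabled, and keep the policy export as 3.7.5 evidence next to the administrative session-termination procedure.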

3.7.6 Maintenance Personnel

CMMC Practice: MA.L2-3.7.6

This control requires organizations to supervise maintenance personnel who do not have required access authorization.

In a fully cloud-hosted environment, Microsoft personnel maintain the infrastructure under their FedRAMP High authorization. Organizations do not directly supervise those personnel.

For environments that include on-premises infrastructure, this control requires supervision of vendors or technicians performing maintenance on systems that process CUI.

MA PowerShell commands

Maintenance controls themselves are not configured through PowerShell, but administrators frequently use PowerShell to validate patch status and administrative activity.

Export device update status (supports 3.7.1)

When using PowerShell for GCC High administration, connect to the USGov environment and export the managed-device inventory:

```powershell
# GCC High tenants connect to the USGov Graph environment, not the global endpoint
Connect-MgGraph -Environment USGov -Scopes "DeviceManagementManagedDevices.Read.All"

# ComplianceState reflects each device's Intune compliance policy evaluation
Get-MgDeviceManagementManagedDevice -All |
    Select-Object DeviceName, UserPrincipalName, ComplianceState, OperatingSystem |
    Export-Csv MA_DevicePatchStatus.csv -NoTypeInformation
```

Review administrator sign-ins (supports 3.7.5)

```powershell
Connect-MgGraph -Environment USGov -Scopes "AuditLog.Read.All"

# Returns the 50 most recent sign-ins tenant-wide; AuthenticationRequirement shows
# whether MFA was required for each session
Get-MgAuditLogSignIn -Top 50 |
    Select-Object UserPrincipalName, AppDisplayName, AuthenticationRequirement, CreatedDateTime |
    Export-Csv MA_AdminSessions.csv -NoTypeInformation
```

These reports are commonly used to verify administrative access patterns and patch compliance across devices.

Evidence your C3PAO will likely want to see

Assessors reviewing the Maintenance family typically begin with documentation describing how maintenance activities occur in the environment.

They then review patch management configuration, endpoint update compliance reports, and administrative access policies to verify the organization is performing maintenance consistently.


Common assessment findings across the MA family

A frequent issue in this family appears when organizations mark controls as not applicable without clearly explaining the reasoning in the System Security Plan. Simply stating that the environment is cloud-based is not sufficient. The SSP should describe why specific controls are inherited from Microsoft’s cloud infrastructure.

Another recurring problem occurs when organizations overlook endpoint patch management. Even in cloud environments, laptops and workstations remain within the organization’s maintenance responsibility.

Assessors also sometimes encounter environments where administrative access requires MFA but session termination practices are unclear. Administrators leaving remote sessions open indefinitely can raise concerns about maintenance session control.

How the Maintenance Family supports other control families

Maintenance controls support several other control families by ensuring systems remain secure and properly managed throughout their lifecycle.

Regular patching and system maintenance directly support the System and Information Integrity family. Vulnerabilities that remain unpatched are one of the most common causes of security incidents, so maintaining current systems helps reduce the attack surface.

Maintenance practices also reinforce Configuration Management. When updates and maintenance activities follow defined procedures, organizations maintain consistent system configurations across their environment.

Secure maintenance sessions also intersect with Identification and Authentication controls. Administrative maintenance access should always require strong authentication and proper session controls to prevent unauthorized system changes.

In cloud environments like Microsoft 365 GCC High, these relationships become even clearer. Microsoft handles infrastructure maintenance, while organizations remain responsible for maintaining endpoints and securing administrative access to the tenant.

Get started

Maintenance controls often look simple in cloud environments, but they still require clear documentation and consistent patch management.

During a CMMC assessment, organizations should be prepared to show how they maintain endpoints under MA.L2-3.7.1 and how administrative maintenance sessions are secured under MA.L2-3.7.5. They should also document how the remaining controls are inherited from Microsoft infrastructure when the environment is fully cloud-hosted.

Secureframe Defense helps organizations document these scoping decisions and maintain evidence supporting MA.L2-3.7.1 through MA.L2-3.7.6 so assessors can clearly see how maintenance responsibilities are handled in GCC High environments.

See how Secureframe Defense automates CMMC evidence collection by scheduling a demo with a product expert.


Emily Bonnie

Senior Content Marketing Manager

Emily Bonnie is a seasoned digital marketing strategist with over ten years of experience creating content that attracts, engages, and converts for leading SaaS companies. At Secureframe, she helps demystify complex governance, risk, and compliance (GRC) topics, turning technical frameworks and regulations into accessible, actionable guidance. Her work aims to empower organizations of all sizes to strengthen their security posture, streamline compliance, and build lasting trust with customers.

Anna Fitzgerald

Senior Content Marketing Manager

Anna Fitzgerald is a digital and product marketing professional with nearly a decade of experience delivering high-quality content across highly regulated and technical industries, including healthcare, web development, and cybersecurity compliance. At Secureframe, she specializes in translating complex regulatory frameworks—such as CMMC, FedRAMP, NIST, and SOC 2—into practical resources that help organizations of all sizes and maturity levels meet evolving compliance requirements and improve their overall risk management strategy.