NetStable
Level 2 MA.L2-3.7.6

Supervise the maintenance activities of personnel without required access authorization

📖 What This Means

This practice requires organizations to supervise any maintenance performed by personnel who lack the access authorization the system normally demands. The typical case is an external vendor technician, a contracted support engineer or a hardware field-service agent who is allowed to do the work but is not authorized to access the CUI or the privileged configuration on the system being serviced. While such a person is working, someone who does hold the required access authorization, and who understands the work well enough to recognize out-of-scope activity, must escort and observe them for the whole session, whether that session is at a rack, at a console or over a remote support connection. The goal is to prevent unauthorized access to, or modification of, CUI and system integrity during maintenance. For example, if a contractor is brought in to replace a failed server component, an authorized employee stays with the contractor from arrival to departure, confirms that only the approved work is done, and records who supervised, what was done and when.

🎯 Why It Matters

Supervising maintenance performed by personnel without required access authorization matters because maintenance is one of the few times an outsider has hands-on access to a production system, often with the normal controls relaxed to let the work proceed. Without a supervisor present, such a person could read or copy CUI, change configuration, install unapproved software or firmware, connect unauthorized media or tools, or leave the system in an unsafe state, whether deliberately or by mistake, and the organization would have no one positioned to stop it at the time and no witness afterward. The DoD and CMMC emphasize this control to ensure that maintenance activities do not introduce vulnerabilities or compromise the integrity of systems handling Controlled Unclassified Information (CUI). The potential impact of unsupervised maintenance includes exposure of CUI, loss of system integrity, contract and financial penalties, and damage to the organization's reputation.

How to Implement

  1. Identify all maintenance activities, on-premise and in the cloud, that may be performed by personnel without required access authorization (e.g., vendor technicians, contracted support, hardware field service).
  2. Assign a supervisor who holds the required access authorization to every such maintenance session, and record the supervisor, the maintenance personnel, the approved scope and the time window for each session.
  3. Use cloud provider tools (e.g., AWS CloudTrail, Azure Monitor / Azure Activity Log) to log every action taken during maintenance, so that what the maintenance personnel actually did can be compared with what was approved.
  4. Implement role-based access control (RBAC) so that maintenance personnel receive only a temporary, narrowly scoped role for the approved work, limiting access to sensitive cloud resources.
  5. Regularly review the logs against the session records to confirm that supervision protocols were followed: every action by maintenance personnel falls inside a supervised window and within the approved scope.
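The review in step 5 is easy to describe and easy to skip, so here is an added example of what it looks like as code. It is not NetStable's tooling and not part of the original page: it takes a constructed register of supervised maintenance sessions (the register layout is an assumption; in practice it would come from the ticketing or change-management system) and a handful of constructed CloudTrail-shaped records, then produces the maintenance log with supervisor details that the evidence section asks for and flags any vendor action that happened outside a supervised window or touched a resource outside the approved scope. The field names eventTime, eventName, userIdentity.arn and resources[].ARN are real CloudTrail fields; everything else is sample data.

```python
"""Correlate vendor maintenance actions with the supervision register.

Added example (not NetStable's tooling). Sessions and events below are
constructed sample data; the register layout is an assumption.
"""
from datetime import datetime, timezone

# Constructed supervision register: one row per approved maintenance session.
SESSIONS = [
    {
        "vendor_principal": "arn:aws:sts::111122223333:assumed-role/VendorMaintRole/acme-tech",
        "supervisor": "jdoe@example.com",
        "start": "2024-05-06T13:00:00Z",
        "end": "2024-05-06T15:00:00Z",
        "allowed_resources": {"i-0abc123def456"},
    },
]

VENDOR = SESSIONS[0]["vendor_principal"]
EMPLOYEE = "arn:aws:iam::111122223333:user/jdoe"


def ec2_event(time, name, principal, *instance_ids):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    return {
        "eventTime": time,
        "eventSource": "ec2.amazonaws.com",
        "eventName": name,
        "userIdentity": {"arn": principal},
        "resources": [
            {"type": "AWS::EC2::Instance",
             "ARN": f"arn:aws:ec2:us-east-1:111122223333:instance/{iid}"}
            for iid in instance_ids
        ],
    }


# Constructed events: four inside the window, one out of scope, one after hours,
# plus one employee action that is not subject to this control.
EVENTS = [
    ec2_event("2024-05-06T13:15:02Z", "StopInstances", VENDOR, "i-0abc123def456"),
    ec2_event("2024-05-06T14:10:41Z", "StartInstances", VENDOR, "i-0abc123def456"),
    ec2_event("2024-05-06T14:20:05Z", "AttachVolume", VENDOR, "i-0def999888777"),
    ec2_event("2024-05-06T14:30:19Z", "DescribeInstances", VENDOR),
    ec2_event("2024-05-06T16:45:33Z", "StopInstances", VENDOR, "i-0abc123def456"),
    ec2_event("2024-05-06T14:35:00Z", "CreateSnapshot", EMPLOYEE, "i-0abc123def456"),
]


def parse_ts(s):
    """CloudTrail timestamps are UTC in ISO-8601 form with a trailing Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def resource_ids(event):
    """Resource ids from the event's ARNs (CloudTrail fills "resources" for many,
    not all, API calls; events without it get no scope check here)."""
    return {r["ARN"].rsplit("/", 1)[-1] for r in event.get("resources", [])}


def review(events, sessions):
    """Return (log_rows, findings).

    log_rows: every vendor action inside a supervised window, annotated with the
              supervisor on duty (the "maintenance log with supervisor details").
    findings: vendor actions outside any supervised window, or touching a
              resource the session did not approve.
    """
    log_rows, findings = [], []
    for ev in events:
        principal = ev["userIdentity"]["arn"]
        vendor_sessions = [s for s in sessions if s["vendor_principal"] == principal]
        if not vendor_sessions:
            continue  # not maintenance personnel under supervision
        ts = parse_ts(ev["eventTime"])
        active = [s for s in vendor_sessions
                  if parse_ts(s["start"]) <= ts <= parse_ts(s["end"])]
        base = {"eventTime": ev["eventTime"], "eventName": ev["eventName"],
                "principal": principal}
        if not active:
            findings.append({**base, "reason": "outside supervised window",
                             "supervisor": None, "resources": sorted(resource_ids(ev))})
            continue
        supervisor = active[0]["supervisor"]
        log_rows.append({**base, "supervisor": supervisor})
        allowed = set().union(*(s["allowed_resources"] for s in active))
        out_of_scope = resource_ids(ev) - allowed
        if out_of_scope:
            findings.append({**base, "reason": "outside approved scope",
                             "supervisor": supervisor, "resources": sorted(out_of_scope)})
    return log_rows, findings


if __name__ == "__main__":
    rows, issues = review(EVENTS, SESSIONS)
    for row in rows:
        print("LOG ", row)
    for issue in issues:
        print("FLAG", issue)
```

Run as-is it prints four supervised log rows and two flags: the AttachVolume against an instance the work order did not cover, and the StopInstances at 16:45 after the supervisor's window closed. Both are exactly the records an assessor will ask about, so the findings, and the supervisor's written disposition of each, belong in the weekly maintenance-log evidence.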
⏱️ Estimated Effort

Implementing this practice typically requires 10-15 hours of effort, including policy development, tool configuration, and training. A basic understanding of logging and monitoring tools is necessary.

📋 Evidence Examples

Maintenance Supervision Policy

Format: PDF/DOCX
Frequency: Annually
Contents: Policy outlining supervision requirements for maintenance activities.
Collection: Document created by IT/Compliance team.

Maintenance Logs

Format: CSV/Log File
Frequency: Weekly
Contents: Logs of maintenance activities, including supervisor details.
Collection: Generated by logging tools (e.g., Splunk, CloudTrail).

Training Records

Format: PDF/XLSX
Frequency: Semi-annually
Contents: Records of training sessions for authorized supervisors.
Collection: Maintained by HR/Compliance team.

Audit Reports

Format: PDF
Frequency: Quarterly
Contents: Reports from audits of maintenance supervision practices.
Collection: Generated by internal or external auditors.

Access Control Lists

Format: CSV/XLSX
Frequency: Monthly
Contents: Lists of personnel authorized to supervise maintenance.
Collection: Maintained by IT Security team.

📝 SSP Guidance

Use this guidance when writing the System Security Plan (SSP) narrative for this control.

How to Write the SSP Narrative

For MA.L2-3.7.6 ("Supervise the maintenance activities of personnel without required access authorization"), your SSP narrative should specifically describe: (1) the tools and technologies you use to implement this control, (2) the configuration or process that enforces it, (3) who is responsible for maintaining it, and (4) what evidence proves it's working. Describe how system maintenance is controlled, including scheduling, change management, tool approval, remote maintenance security, and personnel authorization. Be specific -- name your actual products, settings, and responsible personnel.

Example SSP Narratives

Cloud (Azure/AWS)

"MA.L2-3.7.6 is implemented using cloud-native controls. [Organization] uses [specific cloud service/feature] to supervise the maintenance activities of personnel without required access authorization. The configuration is managed through [Azure Policy/AWS Config/Terraform] and monitored via [SIEM tool]. Responsible party: [IT Security Manager]. Evidence: [specific artifact, e.g., 'Azure AD Conditional Access policy screenshot, CloudTrail logs']."

On-Premise

"MA.L2-3.7.6 is implemented through on-premise infrastructure controls. [Organization] uses [Active Directory/Group Policy/specific tool] to supervise the maintenance activities of personnel without required access authorization. Configuration is documented in [location] and audited [frequency]. Responsible party: [System Administrator]. Evidence: [specific artifact, e.g., 'Group Policy export, Windows Event logs']."

Hybrid

"MA.L2-3.7.6 is implemented across both cloud and on-premise environments. [Organization] uses [Azure AD Connect/hybrid tool] to ensure consistent enforcement. Cloud resources are managed via [cloud tool] and on-premise systems via [on-prem tool]. Both environments report to [centralized SIEM]. Responsible party: [IT Director]. Evidence: [artifacts from both environments]."

System Boundary Considerations

  • Identify systems within the CUI boundary requiring maintenance
  • Document maintenance windows and change control process
  • Specify remote maintenance tools and access controls
  • Ensure this control covers every system within your defined CUI boundary on which personnel without required access authorization may perform maintenance
  • Document any systems where this control is not applicable and explain why

Key Documentation to Reference in SSP

  • 📄 Maintenance Policy
  • 📄 Change management records
  • 📄 Approved maintenance tool inventory
  • 📄 Remote maintenance session logs
  • 📄 Evidence artifacts specific to MA.L2-3.7.6
  • 📄 POA&M entry if control is not fully implemented

What the Assessor Looks For

The assessor's core objective for this practice is to confirm that maintenance personnel without required access authorization were in fact supervised during their maintenance activities: expect to show, for each such session, who supervised it, what was approved and what the logs say was done. As part of the wider Maintenance family review, the assessor will also examine maintenance records for a proper approval workflow and verify that remote maintenance uses MFA and is logged.

💬 Self-Assessment Questions

Use these questions to assess your compliance. Each "NO" answer provides specific remediation guidance.

Question 1: Do you have a policy in place for supervising maintenance activities performed by personnel without required access authorization?

✅ YES → Proceed to Q2.
❌ NO → GAP: Develop and implement a Maintenance Supervision Policy. Complete within 30 days.

Question 2: Are logs maintained for all maintenance activities, including supervisor details?

✅ YES → Proceed to Q3.
❌ NO → GAP: Configure logging tools to capture maintenance activities. Complete within 14 days.

Question 3: Are authorized personnel trained to supervise maintenance activities?

✅ YES → Proceed to Q4.
❌ NO → GAP: Conduct training sessions for authorized supervisors. Complete within 30 days.

Question 4: Are periodic audits conducted to ensure compliance with supervision protocols?

✅ YES → Proceed to Q5.
❌ NO → GAP: Schedule and conduct an audit. Complete within 60 days.

Question 5: Is access to sensitive systems restricted to authorized personnel only?

✅ YES → Compliance confirmed.
❌ NO → GAP: Review and update access control lists. Complete within 14 days.

⚠️ Common Mistakes (What Auditors Flag)

1. Failing to maintain logs of maintenance activities.

Why this happens: Organizations often overlook the importance of logging maintenance activities.
How to avoid: Use automated logging tools to capture all maintenance activities.

2. Not assigning an authorized supervisor to oversee maintenance tasks.

Why this happens: Supervision responsibilities may be unclear or overlooked.
How to avoid: Clearly define supervision roles in the Maintenance Supervision Policy.

3. Inadequate training for authorized supervisors.

Why this happens: Training may not be prioritized or properly scheduled.
How to avoid: Conduct regular training sessions and keep records of attendance.

4. Lack of periodic audits to verify compliance.

Why this happens: Audits may be seen as low priority or too time-consuming.
How to avoid: Schedule audits at regular intervals and document findings.

5. Not restricting physical access to sensitive systems.

Why this happens: Physical security measures may be inadequate.
How to avoid: Implement keycard or biometric access controls for sensitive areas.

📚 Parent Policy

This practice is governed by the Maintenance Policy


📚 Related Controls