NIST 800-171 • LEVEL 2 • MAINTENANCE
3.7.6 — Maintenance Personnel
Establish a process for maintenance personnel authorization. Maintain a list of authorized maintenance organizations or personnel. Verify that non-escorted personnel who perform maintenance on the system possess the required access authorizations. Designate organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.
Assessment Objectives
- a process for maintenance personnel authorization is established.
- a list of authorized maintenance organizations or personnel is maintained.
- organizational personnel with required access authorizations are designated to supervise the maintenance activities of personnel who do not possess the required access authorizations.
- organizational personnel with required technical competence are designated to supervise the maintenance activities of personnel who do not possess the required access authorizations.
- non-escorted personnel who perform maintenance on the system possess the required access authorizations.
Practitioner Notes
You need to know exactly who is authorized to perform maintenance on your systems, and anyone who is not on that list needs to be escorted and supervised by someone who is.
Example 1: Maintain an authorized maintenance personnel list in your security documentation — this can be a simple roster with names, organizations, clearance levels (if applicable), and the specific systems they are authorized to maintain. Review and update it quarterly or whenever personnel change.
Example 2: For third-party maintenance technicians who do not have the required access authorization, assign a cleared and technically competent employee to escort them at all times. Log the escort activity in your visitor/maintenance log, including arrival time, departure time, escort name, and a summary of work performed.