NIST 800-53 REV 5 • MAINTENANCE

MA-4(5) Approvals and Notifications

(a) Require the approval of each nonlocal maintenance session by [Assignment: organization-defined personnel or roles] (parameter ma-04.05_odp.01); and
(b) Notify the following personnel or roles of the date and time of planned nonlocal maintenance: [Assignment: organization-defined personnel or roles] (parameter ma-04.05_odp.02).

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

Notification may be performed by maintenance personnel. Approval of nonlocal maintenance is accomplished by personnel with sufficient information security and system knowledge to determine the appropriateness of the proposed maintenance.

Practitioner Notes

Each remote maintenance session should be individually approved before it begins, and designated personnel should be notified of planned maintenance. This prevents surprise access and ensures oversight.

Example 1: Require a change request ticket approved by the system owner before any remote maintenance session. Configure ServiceNow or Jira to send automated notifications to the security team, system owner, and IT manager when remote maintenance is scheduled.

Example 2: Implement a maintenance scheduling calendar in Teams or SharePoint to which all remote sessions are posted at least 24 hours in advance. The ISSO or system administrator must acknowledge the scheduled session before access credentials are provided to the technician.