NIST 800-53 REV 5 • MAINTENANCE

MA-5Maintenance Personnel

Establish a process for maintenance personnel authorization and maintain a list of authorized maintenance organizations or personnel; Verify that non-escorted personnel performing maintenance on the system possess the required access authorizations; and Designate organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.

CMMC Practice Mapping

NIST 800-171 Mapping

Related Controls

Supplemental Guidance

Maintenance personnel refers to individuals who perform hardware or software maintenance on organizational systems, while [PE-2](#pe-2) addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems. Technical competence of supervising individuals relates to the maintenance performed on the systems, while having required access authorizations refers to maintenance on and near the systems. Individuals not previously identified as authorized maintenance personnel—such as information technology manufacturers, vendors, systems integrators, and consultants—may require privileged access to organizational systems, such as when they are required to conduct maintenance activities with little or no notice. Based on organizational assessments of risk, organizations may issue temporary credentials to these individuals. Temporary credentials may be for one-time use or for very limited time periods.

Practitioner Notes

Anyone performing maintenance on your systems needs to be authorized and vetted. You need a process for approving maintenance personnel and a list of who is approved, whether they are employees or contractors.

Example 1: Maintain an authorized maintenance personnel list in SharePoint or your CMDB. For each person, record their name, organization, clearance level (if applicable), what systems they are authorized to work on, and the date their authorization was last reviewed. Review the list quarterly.

Example 2: For vendor technicians, require a completed background check verification and a signed rules of behavior agreement before granting maintenance access. Escort uncleared vendor personnel at all times and log their visit in your visitor log. Have a supervisor verify their work before they leave.

More Maintenance Controls

MA-1 Policy and Procedures MA-2 Controlled Maintenance MA-2(1) Record Content MA-2(2) Automated Maintenance Activities