NIST 800-53 REV 5 • MAINTENANCE

MA-5(1) Individuals Without Appropriate Access

(a) Implement procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens, that include the following requirements:

(1) Maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals are escorted and supervised during the performance of maintenance and diagnostic activities on the system by approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified; and

(2) Prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances or formal access approvals, all volatile information storage components within the system are sanitized and all nonvolatile storage media are removed or physically disconnected from the system and secured; and

(b) Develop and implement [Assignment: organization-defined alternate controls] in the event a system component cannot be sanitized, removed, or disconnected from the system.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Procedures for individuals who lack appropriate security clearances or who are not U.S. citizens are intended to deny visual and electronic access to classified or controlled unclassified information contained on organizational systems. Procedures for the use of maintenance personnel can be documented in security plans for the systems.

Practitioner Notes

When maintenance must be performed by someone who does not have the appropriate security clearance or access authorization, you need extra safeguards — escorting, supervision, and sanitization of classified information before they can access the system.

Example 1: Before an uncleared technician works on a system, remove or power off any storage media containing sensitive data. Have a cleared employee escort and directly supervise the technician throughout the entire maintenance session. Document the escort and supervision in the maintenance record.

Example 2: Create a pre-maintenance checklist for uncleared personnel visits: sanitize or disconnect sensitive storage, assign an escort, brief the escort on supervision requirements, log the technician's entry and exit times, and perform a post-maintenance security check on the system before returning it to service.