NIST 800-53 REV 5 • MAINTENANCE

MA-5(5) Non-system Maintenance

Ensure that non-escorted personnel performing maintenance activities not directly associated with the system but in the physical proximity of the system, have required access authorizations.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

Personnel who perform maintenance activities in other capacities not directly related to the system include physical plant personnel and custodial personnel.

Practitioner Notes

Non-system maintenance — like building maintenance, HVAC, or electrical work — performed near your systems still requires access authorization. A plumber in your server room can be a security risk even if they never touch a keyboard.

Example 1: Require escort for any non-IT maintenance personnel (electricians, HVAC technicians, janitorial staff) when they work in or near server rooms or network closets. The escort must be a cleared employee who can observe their activities at all times.

Example 2: Install access controls on server room and network closet doors that restrict entry to authorized personnel only. When building maintenance staff need access, issue a temporary badge, assign an escort, and log the visit. Review the visitor log monthly.