NIST SP 800-171 Rev 2 practice 3.7.6 requires organizations to supervise the maintenance activities of maintenance personnel who do not possess the required access authorizations for the systems on which they are working. This means any technician — whether an external vendor, contractor, or internal staff member — who lacks appropriate personnel security vetting or system access credentials must be escorted or continuously monitored while performing maintenance. The supervision must be active and qualified: the escort or supervisor must be someone who does hold the required access authorization and understands what the maintenance personnel are doing. The practice closes the insider threat and data exposure gap that arises when uncleared or unauthorized individuals interact with systems that process, store, or transmit CUI.
Where it stops · what it isn't
- This practice does not govern the scheduling or authorization of maintenance work itself — that is addressed by MA-L2-3.7.1 and MA-L2-3.7.2.
- This practice does not cover the use of remote diagnostic tools or remote maintenance sessions, which are addressed by MA-L2-3.7.4 and MA-L2-3.7.5.
- This practice does not establish the personnel security screening requirements that determine who holds 'required access authorization' — that is the domain of PS-L2-3.9.1.
- This practice does not dictate physical access control mechanisms for entering maintenance areas — that is addressed by PE controls under Physical Protection (3.10.x).
- This practice does not address the sanitization or removal of equipment for off-site maintenance, which is covered by MA-L2-3.7.3.
Connected concepts in the graph
PART OF: domain/maintenance