CMMC MA.2.114 - Supervise Maintenance Activities

Requirement text: MA.2.114: Supervise the maintenance activities of personnel without required access
authorization.

DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
This requirement applies to individuals who are performing hardware or software
maintenance on organizational systems, while PE.1.131 addresses physical access for
individuals whose maintenance duties place them within the physical protection perimeter
of the systems (e.g., custodial staff, physical plant maintenance personnel). Individuals not
previously identified as authorized maintenance personnel, such as information technology
manufacturers, vendors, consultants, and systems integrators, may require privileged access
to organizational systems, for example, when required to conduct maintenance activities
with little or no notice. Organizations may choose to issue temporary credentials to these
individuals based on organizational risk assessments. Temporary credentials may be for
one-time use or for very limited time periods.

CMMC CLARIFICATION
You must supervise everyone who performs maintenance activities. Sometimes a person
without proper permissions has to perform maintenance on your machines. Give that
individual a logon that is active only once or for a very limited time, to limit system access.

Example
You are in charge of IT operations for your company. One of your software providers has to
come on-site to update the software on your company’s machines. You give the individual a
temporary logon and password that expires in 12 hours. This gives him access long enough
to perform the update. When he is on site, you remain with him. You supervise his activities.
This ensures that he performs only the maintenance activities you directed.

References
• NIST SP 800-171 Rev 1 3.7.6
• CERT RMM v1.2 TM:SG5.SP2
• NIST SP 800-53 Rev 4 MA-5