MA.L2-3.7.6 · NIST SP 800-171 3.7.6

Maintenance Personnel

Supervise the maintenance activities of maintenance personnel without required access authorization.

1 point if not met · POA&M eligible · 1 assessment objective

What an assessor scores, the objectives

MA.L2-3.7.6 has a single assessment objective in NIST SP 800-171A, and the requirement is met only when that objective is satisfied. If it is missed, the whole requirement is scored not met.

  • [a] maintenance personnel without required access authorization are supervised during maintenance activities

How a C3PAO checks it

NIST SP 800-171A defines three assessment methods. For MA.L2-3.7.6, an assessor uses these:

Examine

System maintenance policy; procedures addressing maintenance personnel; service provider contracts; service-level agreements; list of authorized personnel; maintenance records; access control records; system security plan; other relevant documents or records

Interview

Personnel with system maintenance responsibilities; personnel with information security responsibilities

Test

Organizational processes for authorizing and managing maintenance personnel; mechanisms supporting or implementing authorization of maintenance personnel

What it means, in context

This requirement applies to individuals who are performing hardware or software maintenance on organizational systems, while PE.L2-3.10.1 addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems (e.g., custodial staff, physical plant maintenance personnel). Individuals not previously identified as authorized maintenance personnel, such as information technology manufacturers, vendors, consultants, and systems integrators, may require privileged access to organizational systems, for example, when required to conduct maintenance activities with little or no notice. Organizations may choose to issue temporary credentials to these individuals based on organizational risk assessments. Temporary credentials may be for one-time use or for very limited time periods.

Individuals without proper permissions must be supervised while conducting maintenance on organizational machines. Consider creating temporary accounts with short-term expiration periods rather than regular user accounts. Additionally, limit the permissions and access these accounts have to the most restrictive settings possible.

Example

One of your software providers has to come on-site to update the software on your company's computers. You give the individual a temporary logon and password that expires in 12 hours and is limited to accessing only the computers necessary to complete the work [a]. This gives the technician access long enough to perform the update. You monitor the individual's physical and network activity while the maintenance is taking place [a] and revoke access when the job is done.

Potential Assessment Considerations

  • Are there processes for escorting and supervising maintenance personnel without required access authorization (e.g., vendor support personnel, short-term maintenance contractors) during system maintenance [a]?
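The example above (12-hour credential, restricted to specific computers, monitored, then revoked) can be implemented mechanically in on-premises Active Directory. The script below is an added illustration written for this page; it is not code from NIST, the CMMC assessment guide, or the Level 2 Accelerator. It assumes the RSAT ActiveDirectory module, rights to create users in the target OU, and remote Security-log read access on the workstations. The OU path, workstation names, account name, group name, and change-ticket number are all hypothetical placeholders.

```powershell
# Added example (not from the original page): time-boxed, workstation-restricted
# vendor account for supervised maintenance under MA.L2-3.7.6 [a].
# All names below are hypothetical: OU, hosts, account, group, ticket number.
#Requires -Modules ActiveDirectory

param(
    [string]   $SamAccountName = 'vnd-acme-maint',                 # hypothetical vendor account
    [string[]] $Workstations   = @('ENG-WS-04', 'ENG-WS-07'),      # hypothetical hosts being patched
    [int]      $Hours          = 12,                               # the 12-hour window from the text
    [string]   $OU             = 'OU=Vendor Temp,OU=Service Accounts,DC=corp,DC=example', # hypothetical
    [string]   $ScopedGroup    = 'GRP-Vendor-ENG-Patching',        # hypothetical group: local admin on those hosts only
    [string]   $Ticket         = 'CHG-0000'                        # hypothetical change/visit reference
)

function New-VendorMaintenanceAccount {
    param([string]$Account, [string[]]$Hosts, [int]$Hours, [string]$OU, [string]$Group, [string]$Ticket)

    $expires = (Get-Date).AddHours($Hours)

    # One-time password generated from the OS CSPRNG and handed over in person; never reused.
    $bytes = [byte[]]::new(24)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $plain  = [Convert]::ToBase64String($bytes)
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force

    # accountExpires blocks NEW logons after the window; userWorkstations (LogonWorkstations)
    # limits which hosts the account may log on to. Neither ends a session already open,
    # which is why the in-person supervision and the explicit revoke below still matter.
    New-ADUser -Name $Account -SamAccountName $Account -Path $OU `
        -AccountPassword $secure -Enabled $true `
        -AccountExpirationDate $expires `
        -LogonWorkstations ($Hosts -join ',') `
        -CannotChangePassword $true `
        -Description "Temporary vendor maintenance $Ticket; expires $($expires.ToString('u'))"

    # Only the group that grants the minimum rights on the listed hosts; no broad admin groups.
    Add-ADGroupMember -Identity $Group -Members $Account

    [pscustomobject]@{ Account = $Account; Expires = $expires; OneTimePassword = $plain }
}

function Get-VendorActivity {
    # Pull logon/logoff, privilege assignment and (if process auditing is enabled)
    # process-creation events that mention the account, from each target host.
    param([string]$Account, [string[]]$Hosts, [datetime]$Since)
    foreach ($h in $Hosts) {
        Get-WinEvent -ComputerName $h -FilterHashtable @{
            LogName = 'Security'; Id = 4624, 4634, 4647, 4672, 4688; StartTime = $Since
        } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match "\b$([regex]::Escape($Account))\b" } |
        Select-Object MachineName, TimeCreated, Id,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
    }
}

function Revoke-VendorMaintenanceAccount {
    param([string]$Account, [string]$Group, [string]$Ticket)
    Disable-ADAccount -Identity $Account
    Remove-ADGroupMember -Identity $Group -Members $Account -Confirm:$false
    # Keep the disabled object for the retention period so audit records still resolve the SID.
    Set-ADUser -Identity $Account -Description "REVOKED $(Get-Date -Format u) $Ticket"
}

# Visit workflow: create before the technician starts, collect activity while supervising,
# revoke when the job is done, and file the activity export with the visit record.
$acct = New-VendorMaintenanceAccount -Account $SamAccountName -Hosts $Workstations -Hours $Hours `
            -OU $OU -Group $ScopedGroup -Ticket $Ticket
Write-Host "Account $($acct.Account) valid until $($acct.Expires); hand over password in person."

# ... supervised maintenance happens here ...

Get-VendorActivity -Account $SamAccountName -Hosts $Workstations -Since $acct.Expires.AddHours(-$Hours) |
    Export-Csv -NoTypeInformation -Path ".\$Ticket-$SamAccountName-activity.csv"

Revoke-VendorMaintenanceAccount -Account $SamAccountName -Group $ScopedGroup -Ticket $Ticket
```

The CSV export plus the signed visit log is the evidence pairing an assessor looks for: who the technician was, which hosts the account could reach, what it did, and when access was removed. Event 4688 only appears if process-creation auditing is enabled on the hosts, and remote event reads need the firewall exception for Remote Event Log Management; both are local configuration choices, not defaults.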

What passing evidence looks like

A written supervision rule for maintenance personnel who lack their own access authorization: vendors and technicians are escorted or supervised while working on CUI systems, plus a visit record showing who was supervised, by whom, on which systems, and when.

Common ways contractors fail MA.L2-3.7.6

  • The copier technician left alone next to a CUI workstation is the textbook miss. An escort rule plus the visitor sign-in log already kept for PE.L2-3.10.3 covers it; reference the same log in both requirements.

The step by step walkthrough for Microsoft 365 GCC High, Google Workspace, and on premises setups, plus the exact evidence to capture, lives inside the Level 2 Accelerator.

Prove MA.L2-3.7.6, and the other 109

The Level 2 Accelerator walks all 110 requirements with you, generates your SSP, POA&M, and Audit Room from real evidence, includes the full Level 1 platform, and puts a credentialed officer alongside you for 180 days. Filed in 180 days, or we work free until you are.

No credit card. Phase 2 begins Nov 10, 2026, when applicable DoD solicitations start requiring a current Level 2 status to win the award.

MA.L2-3.7.6 questions, answered

How many points is CMMC requirement MA.L2-3.7.6 worth?+

MA.L2-3.7.6 is worth 1 point in the CMMC Level 2 score under 32 CFR 170.24. If it is not met, you lose 1 from your total of 110.

Can MA.L2-3.7.6 be placed on a POA&M?+

Yes. A gap on MA.L2-3.7.6 can be deferred to a Plan of Action and Milestones, provided your overall score is 88 or better and the item closes within 180 days.

What family does MA.L2-3.7.6 belong to?+

MA.L2-3.7.6 is in the Maintenance (MA) family, one of the 14 families of NIST SP 800-171 that make up CMMC Level 2.

Key references
  • NIST SP 800-171 Rev. 2 3.7.6