How to Create an Audit-Ready Checklist for Supervising Unauthorized Maintenance Personnel — NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 Control MA.L2-3.7.6

Step-by-step guidance to build an audit-ready checklist and operational controls to supervise maintenance personnel in order to meet NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 control MA.L2-3.7.6.

April 07, 2026

Supervising maintenance personnel — whether they are internal technicians, contractors, or third-party vendors — is a critical requirement under NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 control MA.L2-3.7.6; an audit-ready checklist translates that control into repeatable, defensible steps that protect Controlled Unclassified Information (CUI) and produce the artifacts auditors expect.

What MA.L2-3.7.6 requires (practical interpretation)

At a practical level, MA.L2-3.7.6 requires organizations to ensure that maintenance personnel who perform maintenance on systems containing CUI are properly authorized and supervised so CUI confidentiality, integrity, and availability are preserved. For a small business this means documenting who is allowed to touch what systems, how they are escorted or monitored, the constraints on their actions, and collecting traceable evidence (tickets, logs, signatures) that supervision actually occurred.

How to build an audit-ready checklist — step-by-step

Pre-maintenance — authorization, identity, and scope

Your checklist should begin with verification: 1) confirm identity (photo ID matched to the vendor roster or employee record), 2) confirm authorization (an approved work order or change ticket with a unique ID), 3) confirm scope (assets and asset IDs listed, systems containing CUI clearly flagged), and 4) confirm background and training (an on-file background check or current vendor vetting, plus CUI handling training). For example, a small business that uses an MSP should require the MSP to provide a signed service order (ticket ID), the technician's name, the company name, and a one-time access token before any onsite or remote maintenance begins.

Technical controls and pre-work technical steps

Include concrete technical tasks on the checklist: isolate affected systems (VLAN segmentation, network ACLs), disable unnecessary remote interfaces, and require the use of a bastion host / jump box with MFA and session recording for remote maintenance. Capture pre-maintenance artifacts: current configuration snapshot (configuration export, file system hash), full backup verified and stored offsite or offline, and timestamped screenshots of current system state. Ensure system clocks are synchronized (NTP) so logs and artifacts are correlatable during audit.

Supervision during maintenance — methods and evidence

Define what “supervision” means operationally: an authorized supervisor must either physically escort the technician or be on an authenticated, recorded session (VoIP + screen record + SIEM entry). Checklist items: supervisor name and contact, method of supervision (physical/remote), start/end timestamps, scope deviations documented, and supervisor affirmation (digital signature or stamped ticket closure). Real-world example — a small business server replacement: the supervisor signs the work order, stays in the server room, documents component serial numbers, and observes the technician verify data destruction/transfer procedures after the swap.

Audit artifacts to collect and how to store them

Auditors expect verifiable artifacts. Your checklist should require collecting: the approved change ticket, signed authorization forms or NDAs, technician identity proofs, PAM session recordings, jump-host logs, SIEM entries showing session start/stop and commands, pre/post configuration exports, backup verification records, photos of physical work (asset tags, serial numbers), and a supervisor sign-off (digital or paper). Store these artifacts in a tamper-evident repository (WORM storage or an append-only log in your ITSM) with access controls and a documented retention period aligned to contract and organizational policy (commonly 3–7 years depending on contract requirements).

Post-maintenance verification and documentation

Checklist items for wrap-up: validate system functionality with predefined tests, verify CUI was not moved or exposed (scan for unexpected open ports, validate ACLs), re-enable interfaces only after supervisor sign-off, and update the CMDB/asset register with any component or configuration changes. Create a concise “post-maintenance report” template that includes: what was changed, why, who performed the work, who supervised, and links to all collected artifacts. For small businesses, this might live as a completed ticket in an ITSM like ServiceNow, Jira Service Management, or a secure shared drive with restricted permissions.
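As an added example (not code from the original post), the Python below sketches the artifact handling the technical-controls, artifact and post-maintenance steps above call for: a hashed pre/post configuration snapshot, a diff that surfaces scope deviations, and a hash-chained append-only artifact log whose verify() fails once any stored record is edited, deleted or reordered. The hash chain is one software approximation of the tamper-evident repository the text recommends; the ticket ID, file paths, supervisor name and timestamp are constructed placeholders.

```python
import hashlib
import json

GENESIS = "0" * 64  # "previous hash" committed to by the first log entry
def digest(obj) -> str:
    # SHA-256 over raw bytes (file contents) or canonical JSON (log entries)
    data = obj if isinstance(obj, bytes) else json.dumps(obj, sort_keys=True).encode()
    return hashlib.sha256(data).hexdigest()

def snapshot(files: dict) -> dict:
    # The pre-/post-maintenance "configuration snapshot": one hash per config file
    return {path: digest(content) for path, content in sorted(files.items())}

def diff_snapshots(pre: dict, post: dict) -> dict:
    # Any change here that is outside the approved work order scope is a deviation to document
    return {"added": sorted(set(post) - set(pre)),
            "removed": sorted(set(pre) - set(post)),
            "modified": sorted(p for p in pre.keys() & post.keys() if pre[p] != post[p])}

class ArtifactLog:
    """Append-only, hash-chained maintenance record: every entry commits to the previous hash."""
    def __init__(self):
        self.entries = []
    def append(self, ticket: str, event: str, detail: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"seq": len(self.entries), "ticket": ticket, "event": event, "detail": detail, "prev": prev}
        entry["hash"] = digest(entry)
        self.entries.append(entry)
        return entry["hash"]
    def verify(self) -> bool:
        # Recompute the chain; an edited, deleted or reordered entry breaks it
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != i or e["prev"] != prev or digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

def run_example():
    # Constructed sample data: a hypothetical ticket, supervisor and two config files
    pre = snapshot({"/etc/ssh/sshd_config": b"PermitRootLogin no\n", "/etc/hosts.allow": b"sshd: 10.0.0.0/8\n"})
    post = snapshot({"/etc/ssh/sshd_config": b"PermitRootLogin no\n", "/etc/hosts.allow": b"sshd: ALL\n"})
    log = ArtifactLog()
    log.append("CHG-0001", "pre_snapshot", pre)
    log.append("CHG-0001", "supervision", {"method": "physical", "supervisor": "J. Doe", "start": "2026-04-07T09:00Z"})
    log.append("CHG-0001", "post_snapshot", post)
    intact = log.verify()                         # True for the untouched chain
    log.entries[1]["detail"]["method"] = "none"   # an after-the-fact "correction" of the record
    return diff_snapshots(pre, post), intact, log.verify()
```

In practice the log entries would be shipped to the SIEM or WORM store as they are written, so the chain can be re-verified from the copy the technician never had write access to.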

Risk of not implementing MA.L2-3.7.6 properly

Failing to supervise maintenance personnel increases risk of CUI exposure, intentional or accidental data leaks, implanting persistent malware, and unauthorized configuration changes that enable lateral movement. For companies with DoD contracts, this can lead to contract suspension, loss of eligibility, or penalties in addition to reputational damage. In practical terms, an unsupervised contractor could exfiltrate CUI onto removable media or introduce compromised firmware that remains dormant until a later exploitation window.

Compliance tips and best practices

Make your checklist part of routine change management and enforce it with automation where possible: integrate the checklist into your ITSM so work cannot proceed without required approvals; use just-in-time privileged access (PAM) to grant time-limited privileges and record all privileged sessions; require session recording and immutable logs shipped to a centralized SIEM; run periodic spot audits and tabletop exercises to validate the checklist; and maintain a vendor management file with signed NDAs, background check attestations, and current training records. Small businesses should prioritize low-cost controls that deliver high audit value: photographed evidence, timestamped tickets, and using cloud storage with versioning and access logs.

In summary, converting MA.L2-3.7.6 into an audit-ready checklist means formalizing identity and authorization checks, enforcing technical isolation and session recording, requiring supervisor presence or recorded supervision, and collecting a standard set of tamper-evident artifacts stored under controlled retention. Implement these steps in your ITSM and PAM workflows, run regular tests, and maintain clear documentation so an auditor can trace every maintenance event from approval to closure.
