Requirement
NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - MA.L2-3.7.6 – Supervise the maintenance activities of personnel without required access authorization.
Understanding the Requirement
This control requires that any person who lacks the access authorization normally required for the systems being maintained (for example an outside vendor, a consultant, or an employee from another team) be supervised while performing maintenance tasks, and that their access be limited in scope and time-bound wherever possible. The objective is to ensure maintenance personnel without required access authorization are supervised during maintenance activities. In practice this means escorting or actively monitoring temporary access, issuing accounts that expire, and treating third-party or ad-hoc maintenance as a higher-risk activity that needs oversight.
Technical Implementation
- Formalize temporary access procedures. Create a simple access request and approval workflow (ticket or form) that records the reason, scope, start/end times, and approving manager for any temporary maintenance access. Require approval before accounts are created or elevated.
- Issue time-limited accounts or credentials. Use accounts with explicit expiration dates/times for all temporary maintenance users. For local accounts on servers, set the account to expire at the end of the maintenance window (for example with useradd -e or chage -E on Linux). If you use IAM or Active Directory, set temporary group memberships that automatically drop at expiration; in Active Directory this requires the Privileged Access Management optional feature, which enables time-to-live group memberships. Note that an expiration date is enforced at logon, not against sessions that are already open, so the supervisor or the jump host must still end the session when the window closes.
- Enforce least privilege for maintenance tasks. Grant only the privileges required for the specific maintenance job. Avoid broad administrator access; use role-scoped accounts or temporary sudo/jump-account mechanisms so elevated rights are constrained to the necessary systems and commands.
- Supervise and monitor sessions. Assign a named employee to supervise each maintenance activity. Supervision can be physical (escort in the server room) or technical (remote screen sharing, session recording, or a jump host with session logging). Ensure logs capture who initiated the session, the commands executed, and timestamps, and make the supervisor responsible for ending the session when the approved window closes.
- Record and retain evidence. Enable audit logging for maintenance sessions and retain logs for an appropriate period (aligned with your incident response / compliance policy). Store the maintenance ticket, supervisor name, start/end times, and session logs together so you can review what was done if needed.
- Use contractual and administrative controls for third parties. Require consultants and vendors to sign maintenance access agreements that specify supervision, confidentiality, and account expiration rules. Include a clause requiring the vendor to coordinate access through your request process and to accept supervision.
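The following script ties the steps above together for an Active Directory environment. It is an added example and not text from NIST SP 800-171 or CMMC: it refuses to create an account without a named, enabled supervisor, creates the temporary account with a hard expiration equal to the approved window, grants rights through a group membership that AD itself removes when its time-to-live runs out, and writes an evidence record so the jump-host session logs can later be matched to the approval. The ticket ID, supervisor, group name, OU and evidence directory are hypothetical values you would take from your own request form; the script assumes the RSAT ActiveDirectory module and a domain where the Privileged Access Management optional feature is enabled.

```powershell
<#
Added example, not text from NIST SP 800-171 or CMMC: provision a supervised,
time-limited maintenance account in Active Directory for one approved ticket.
Assumes the RSAT ActiveDirectory module and a domain with the "Privileged
Access Management Feature" optional feature enabled (needed for
-MemberTimeToLive). The OU, group and evidence path below are hypothetical.
#>
#Requires -Modules ActiveDirectory
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string]   $TicketId,     # e.g. 'MAINT-2024-017' (hypothetical)
    [Parameter(Mandatory)] [string]   $Supervisor,   # sAMAccountName of the named employee
    [Parameter(Mandatory)] [datetime] $WindowEnd,    # approved end of the maintenance window
    [string] $MaintenanceGroup = 'Maintenance-Temp', # hypothetical role-scoped group
    [string] $TargetOU    = 'OU=Temporary Accounts,DC=example,DC=local', # hypothetical OU
    [string] $EvidenceDir = 'C:\MaintenanceEvidence'                     # hypothetical path
)
$ErrorActionPreference = 'Stop'

# 1. Sanity-check the approved window: it must lie in the future and, as a policy
#    assumption for this example, never exceed 24 hours without a fresh approval.
$now = Get-Date
if ($WindowEnd -le $now) { throw "WindowEnd $WindowEnd is already in the past." }
if (($WindowEnd - $now).TotalHours -gt 24) {
    throw "Maintenance windows longer than 24h need a separate approval."
}

# 2. The supervisor must be a real, enabled account; otherwise nothing is created.
$sup = Get-ADUser -Identity $Supervisor -Properties Enabled
if (-not $sup.Enabled) { throw "Supervisor $Supervisor is disabled." }

# 3. Derive a recognisable account name. sAMAccountName is limited to 20 characters.
$sam = 'mnt-' + ($TicketId -replace '[^A-Za-z0-9]', '').ToLower()
if ($sam.Length -gt 20) { $sam = $sam.Substring(0, 20) }

# 4. Random initial password from a CSPRNG. The supervisor hands it to the
#    consultant out of band; it is never written to the evidence record.
$bytes = [byte[]]::new(18)
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$password = [Convert]::ToBase64String($bytes) + '!'

# 5. Create the account with a hard expiry equal to the approved window end.
#    Expiry is enforced at logon and does not tear down sessions already open,
#    so the supervisor (or the jump host) must still end the session at $WindowEnd.
$description = "Maintenance ticket $TicketId; supervisor $Supervisor; expires $($WindowEnd.ToString('s'))"
New-ADUser -Name $sam -SamAccountName $sam -Path $TargetOU `
    -AccountPassword (ConvertTo-SecureString $password -AsPlainText -Force) `
    -AccountExpirationDate $WindowEnd -Description $description `
    -ChangePasswordAtLogon $true -Enabled $true

# 6. Grant role-scoped rights through a membership that AD removes on its own
#    when the TTL elapses, independent of anyone remembering to clean up.
Add-ADGroupMember -Identity $MaintenanceGroup -Members $sam `
    -MemberTimeToLive (New-TimeSpan -Start $now -End $WindowEnd)

# 7. Keep ticket, supervisor, account and window together so the jump-host
#    session transcript can later be matched to this approval.
New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
[pscustomobject]@{
    TicketId   = $TicketId
    Account    = $sam
    Supervisor = $Supervisor
    Created    = $now.ToString('s')
    WindowEnd  = $WindowEnd.ToString('s')
    Group      = $MaintenanceGroup
} | ConvertTo-Json | Set-Content -Path (Join-Path $EvidenceDir "$TicketId.json")

# 8. Show the membership with its remaining TTL so the supervisor can verify it
#    (entries look like <TTL=28800,CN=mnt-...>), then return the one-time password.
Get-ADGroup -Identity $MaintenanceGroup -Properties member -ShowMemberTimeToLive |
    Select-Object -ExpandProperty member | Where-Object { $_ -like "*$sam*" }
Write-Host "Account $sam created; give this initial password to the consultant in person: $password"
```

Run it from the supervising administrator's workstation as the approver's admin account, for example `.\New-MaintenanceAccount.ps1 -TicketId MAINT-2024-017 -Supervisor jdoe -WindowEnd '2024-05-14 17:00'` (the script name is hypothetical). The account expiration and the membership TTL are two independent controls on purpose: if the PAM feature is not enabled, Add-ADGroupMember fails and the script stops before any rights are granted, while the account itself still cannot be used after the window even if someone forgets to remove it from the group.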
Example in a Small or Medium Business
A mid-sized engineering firm hires an external consultant to update firmware on a production file server. Before any access is granted, the consultant submits a maintenance request through the company’s ticketing form stating the work, date, and estimated duration. The IT manager approves the request and assigns a systems administrator to supervise. The admin creates a temporary domain account and places the consultant into a temporary “maintenance” group that expires at 17:00 the same day. During the work the supervisor joins the remote session, watches via screen sharing, and logs key actions in the ticket notes. The supervisor also ensures console access is handled through a jump host that captures the session transcript. At the end of the day the temporary account is automatically disabled, the supervisor closes the ticket with an entry summarizing actions taken, and the firm retains the session log and the signed contractor maintenance agreement for future audits. Because the process is documented and repeatable, the firm reduces risk while allowing the necessary maintenance activity to proceed.
Summary
Combining a clear administrative policy (request/approval, supervisor assignment, and vendor agreements) with practical technical controls (time-limited accounts, least privilege, supervised or recorded sessions, and retained logs) ensures maintenance personnel without normal access are properly supervised. For SMBs this approach is low-cost and effective: it limits exposure during temporary maintenance, creates an audit trail for oversight, and gives managers confidence that external or one-off maintainers cannot perform unsupervised, persistent changes to critical systems.