This guide walks small and mid‑sized organizations through a practical, step‑by‑step implementation to supervise unauthorized or third‑party maintenance personnel in order to meet NIST SP 800‑171 Rev.2 / CMMC 2.0 Level 2 control MA.L2‑3.7.6 — covering policy, technical controls, vendor agreements, and real‑world examples so you can reduce risk while maintaining operational uptime.
Why this control matters (high level)
CMMC MA.L2‑3.7.6 requires organizations to oversee maintenance personnel so that maintenance activities do not create security gaps or expose Controlled Unclassified Information (CUI). The key objective is to ensure maintenance is authorized, observed, scoped, logged, and time‑limited. For a small business, failing to supervise maintenance personnel can lead to data exfiltration, unpatched backdoors, accidental misconfiguration, or contract violations that result in lost DoD business or fines.
Implementation prerequisites and documentation
Before technical changes, put the administrative building blocks in place: a Maintenance Policy, approved Rules of Engagement (RoE) templates, standard contract clauses for vendors, an access‑approval workflow, and an incident response tie‑in that specifies how suspected misuse is handled. Example contract language: "Vendor maintenance personnel will be escorted at all times while on premises and will use time‑bound, audited remote access accounts; all sessions must be recorded and retained for 90 days." Train onsite staff who will act as escorts and assign a named point of contact for each maintenance window.
Step‑by‑step implementation (operational)
Step 1 — Authorize and scope: Require a written maintenance request specifying time window, assets, and justification. Approvals should be recorded in your ticketing system (e.g., ServiceNow, Jira) and linked to an access token (work order ID).
Step 2 — Vet and contract: Ensure vendor personnel have appropriate background checks per your policy or are supervised by cleared staff; include non‑disclosure and RoE in the Statement of Work.
Step 3 — Prepare the environment: snapshot or back up systems to be touched, isolate targets on a maintenance VLAN, and disable access to CUI repositories when possible before maintenance begins.
Step‑by‑step implementation (technical controls)
Step 4 — Use controlled access mechanisms: For remote access, use a bastion/jump host (e.g., OpenSSH bastion, Azure Bastion) with session recording. Configure time‑limited credentials: in AD use Set‑ADAccountExpiration to set an expiry; in AWS use STS AssumeRole with an expiration and CloudTrail enabled. For SSH, require forced commands/logging via ForceCommand and enable auditd on Linux with rules such as: -a exit,always -F arch=b64 -S execve -k execs to capture executed binaries. On Windows, enable Process Creation auditing (Event ID 4688) and forward logs to a SIEM (Splunk/ELK) or a managed logging service for retention and alerting.
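Steps 1 through 4 above chain together: a written request is approved, scoped to named assets and a bounded window, and only then is time‑limited access minted. The following is an added example (not code from the original guide or from any named vendor) that gates a request against those rules and produces the two artifacts a Linux bastion would consume: a restricted, self‑expiring OpenSSH authorized_keys line tied to the work order, and an auditd rule keyed to the same work order so the session's executed commands can be pulled with ausearch -k. It assumes OpenSSH 7.7 or later (for the expiry‑time option), a bastion clock running in UTC, a hypothetical forced‑command wrapper at /usr/local/bin/maint-shell that records the session, and an 8‑hour window ceiling; the work‑order, approver, host and key values are constructed.

```python
"""Gate a vendor maintenance request and mint time-bound bastion access.

Added example, not from the original guide. Assumes OpenSSH 7.7+ on the bastion
(authorized_keys `expiry-time`), a bastion clock in UTC, and a hypothetical
forced-command wrapper /usr/local/bin/maint-shell that records the session.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_WINDOW_HOURS = 8  # policy ceiling assumed for this example


@dataclass
class MaintenanceRequest:
    work_order: str        # ticket / work-order ID that authorizes the work
    vendor: str            # label for the vendor's bastion key
    assets: list[str]      # hostnames in scope for this window
    start: datetime        # tz-aware UTC
    end: datetime          # tz-aware UTC
    approver: str | None   # named approver recorded in the ticket
    ssh_pubkey: str        # vendor public key, loaded only on the bastion


def sample_request(start_iso="2030-05-01T13:00:00+00:00", hours=4, approver="it.lead"):
    """Constructed sample request (not real data)."""
    start = datetime.fromisoformat(start_iso)
    return MaintenanceRequest(
        work_order="WO-2030-0457",
        vendor="acme-msp",
        assets=["fileserver01", "dc02"],
        start=start,
        end=start + timedelta(hours=hours),
        approver=approver,
        ssh_pubkey="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyOnlyForIllustration",
    )


def validate_request(req, now_iso=None):
    """Return a list of policy violations; an empty list means the request is authorized."""
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    problems = []
    if not req.approver:
        problems.append("no recorded approver")
    if not req.assets:
        problems.append("no assets in scope")
    if req.end <= req.start:
        problems.append("window end must be after start")
    if req.end - req.start > timedelta(hours=MAX_WINDOW_HOURS):
        problems.append(f"window exceeds {MAX_WINDOW_HOURS}h policy maximum")
    if req.end <= now:
        problems.append("window already elapsed")
    return problems


def authorized_keys_entry(req, now_iso=None):
    """Build a restricted authorized_keys line that sshd stops accepting at window end.

    `restrict` disables forwarding, PTY allocation overrides and agent use;
    `command=` forces every login through the recording wrapper (hypothetical path);
    `expiry-time` is interpreted in the bastion's local time, assumed UTC here.
    """
    problems = validate_request(req, now_iso)
    if problems:
        raise ValueError("; ".join(problems))
    expiry = req.end.strftime("%Y%m%d%H%M")
    cmd = f"/usr/local/bin/maint-shell {req.work_order} {','.join(req.assets)}"
    return (f'restrict,expiry-time="{expiry}",command="{cmd}" '
            f"{req.ssh_pubkey} {req.vendor}-{req.work_order}")


def auditd_rule(req):
    """auditd rule capturing execve by real (non-system) users, keyed to the work order."""
    return (f"-a always,exit -F arch=b64 -S execve -F auid>=1000 -F auid!=unset "
            f"-k maint_{req.work_order}")


if __name__ == "__main__":
    req = sample_request()
    print(authorized_keys_entry(req))
    print(auditd_rule(req))
```

Load the generated line into the vendor account's authorized_keys on the bastion only, and remove it when the ticket closes even though sshd will already refuse it after the expiry; at close‑out, `ausearch -k maint_WO-2030-0457` (with the real work‑order ID) gives the escort or reviewer the list of executed binaries to sign off against.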
Supervision methods — physical and virtual
Physical supervision: assign an escort who maintains line‑of‑sight, documents tool usage, and signs off on completion. Use temporary visitor badges and restrict mobility with badge access control. Virtual supervision: require remote vendors to connect through a managed remote desktop solution (BeyondTrust, TeamViewer Enterprise, or a recorded RDP via a bastion) and use real‑time screen sharing or session recording. Ensure all remote sessions are recorded, tamper‑resistant, and stored for the retention period in your policy.
Small business examples and scenarios
Example 1 — Local MSP onsite server repair: MSP requests a 4‑hour maintenance window; you approve via ticket, create a temporary LDAP account that expires at the window end, place the server in a maintenance VLAN via NAC (Cisco ISE or a simple VLAN change on a managed switch), and have a local IT staffer escort the technician.
Example 2 — Remote firmware update from equipment vendor: vendor must connect over an authenticated VPN to a bastion host that records SSH traffic; you require the vendor to use a jump host account and you capture auditd and syslog events for the device.
Example 3 — Cloud provider maintenance: use IAM roles with least privilege, require CloudTrail logging enabled for the maintenance period, and review CloudTrail events daily for anomalies.
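Example 3 ends with "review CloudTrail events daily for anomalies"; the check a reviewer actually wants is mechanical: every call made under the maintenance role must fall inside the approved window, use only the pre‑agreed API actions, and originate from the vendor's declared network. The following is an added example (not code from the original guide or from AWS) that applies those three rules to CloudTrail records in the standard `{"Records": [...]}` export shape. The role name, window, allowed actions, vendor network and the five records are constructed; the action name is derived as service:EventName from eventSource, which matches most services but should be confirmed against your own CloudTrail data.

```python
"""Daily CloudTrail review for a vendor maintenance role.

Added example, not from the original guide. Role, window, allowed actions,
vendor network and all records below are constructed for illustration.
"""
import json
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Approved window and constraints for one maintenance ticket (constructed)
MAINT_ROLE = "VendorMaintenanceRole"
WINDOW_START = datetime(2030, 5, 1, 13, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2030, 5, 1, 17, 0, tzinfo=timezone.utc)
ALLOWED_ACTIONS = {"ec2:DescribeInstances", "ssm:StartSession", "ssm:SendCommand"}
VENDOR_NETWORK = ip_network("203.0.113.0/24")  # TEST-NET-3 documentation range

# Constructed CloudTrail export (same shape as a real trail file); not real events.
SAMPLE_RECORDS = json.loads("""
{"Records": [
 {"eventID": "e1", "eventTime": "2030-05-01T13:15:00Z", "eventSource": "ssm.amazonaws.com",
  "eventName": "StartSession", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "AssumedRole",
   "arn": "arn:aws:sts::123456789012:assumed-role/VendorMaintenanceRole/tech1"}},
 {"eventID": "e2", "eventTime": "2030-05-01T21:40:00Z", "eventSource": "ssm.amazonaws.com",
  "eventName": "StartSession", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "AssumedRole",
   "arn": "arn:aws:sts::123456789012:assumed-role/VendorMaintenanceRole/tech1"}},
 {"eventID": "e3", "eventTime": "2030-05-01T14:02:00Z", "eventSource": "s3.amazonaws.com",
  "eventName": "GetObject", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "AssumedRole",
   "arn": "arn:aws:sts::123456789012:assumed-role/VendorMaintenanceRole/tech1"}},
 {"eventID": "e4", "eventTime": "2030-05-01T15:30:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "AssumedRole",
   "arn": "arn:aws:sts::123456789012:assumed-role/VendorMaintenanceRole/tech1"}},
 {"eventID": "e5", "eventTime": "2030-05-01T15:31:00Z", "eventSource": "s3.amazonaws.com",
  "eventName": "GetObject", "sourceIPAddress": "10.0.4.12",
  "userIdentity": {"type": "AssumedRole",
   "arn": "arn:aws:sts::123456789012:assumed-role/InternalAdminRole/alice"}}
]}
""")


def assumed_role_name(identity):
    """Return the role name from an assumed-role ARN, or None for other identity types."""
    if identity.get("type") != "AssumedRole":
        return None
    arn = identity.get("arn", "")
    # arn:aws:sts::<acct>:assumed-role/<RoleName>/<SessionName>
    parts = arn.split("/")
    return parts[1] if len(parts) >= 2 else None


def review_records(export, role=MAINT_ROLE, start=WINDOW_START, end=WINDOW_END,
                   allowed=ALLOWED_ACTIONS, network=VENDOR_NETWORK):
    """Return one finding per rule violated by events made under the maintenance role."""
    findings = []
    for rec in export["Records"]:
        if assumed_role_name(rec.get("userIdentity", {})) != role:
            continue  # other principals are out of scope for this ticket's review
        when = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        action = f"{rec['eventSource'].split('.')[0]}:{rec['eventName']}"
        reasons = []
        if not (start <= when <= end):
            reasons.append("outside approved window")
        if action not in allowed:
            reasons.append(f"action {action} not in approved set")
        try:
            if ip_address(rec["sourceIPAddress"]) not in network:
                reasons.append("unexpected source network")
        except ValueError:  # AWS service principals appear as DNS names, not IPs
            reasons.append("non-IP source, review manually")
        for reason in reasons:
            findings.append({"eventID": rec["eventID"], "action": action, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in review_records(SAMPLE_RECORDS):
        print(f)
```

Run it against the previous day's trail files for each open or recently closed ticket; anything it flags goes back to the approver and the escort named in the ticket, and the empty‑findings run itself is the oversight evidence an assessor asks for. The `except ValueError` branch matters in practice because CloudTrail records calls made on your behalf by AWS services with a service name in sourceIPAddress rather than an address.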
Compliance tips, best practices, and the risk of not implementing
Best practices: enforce principle of least privilege, use multi‑factor authentication (MFA) for all maintenance accounts, rotate and expire credentials automatically, segment networks to limit blast radius, and integrate logging into your SIEM with alerts for unusual commands or data transfers. Keep RoEs and approvals automated so there is an auditable trail. Risk of non‑implementation includes data breaches, persistent compromise via backdoors or rogue accounts, operational downtime from misconfiguration, and contractual loss of defense sector work. From a compliance standpoint, lacking documented supervision and recorded evidence of oversight will fail MA.L2‑3.7.6 audits.
Conclusion — practical next steps
Start small: draft an RoE template, require written authorization in your ticketing tool, configure one bastion/jump host with session recording, and pilot the process with a trusted vendor. Schedule a quarterly review of recorded sessions and expired account audits. These incremental steps create a repeatable, auditable process that satisfies CMMC Level 2 / NIST SP 800‑171 Rev.2 expectations while keeping your small business operational and secure.