MA.L2-3.7.6 — Supervise the maintenance activities of maintenance personnel without required access authorization.
What this control requires
Supervise the maintenance activities of maintenance personnel without required access authorization.
Source: CMMC L2 v2.13 MA.L2-3.7.6 / NIST SP 800-171 R2 3.7.6 (official control text).
Why this matters
Maintenance personnel, whether vendor staff, contractors, or third-party technicians, often need privileged system access to perform repairs, updates, or diagnostics. Without supervision, an uncleared technician could intentionally or accidentally exfiltrate sensitive data, install backdoors, or misconfigure security controls. This requirement mandates that when maintenance workers lack formal security clearance or system authorization, a cleared employee must remain present during the entire maintenance session. Supervision protects against insider threats and social engineering, and ensures accountability for all actions taken on systems containing controlled unclassified information.
What evidence assessors expect
Assessors typically look for: PDF, signed letter, screenshot, CSV export.