03.07.06
What this control requires
(a) Establish a process for maintenance personnel authorization. (b) Maintain a list of authorized maintenance organizations or personnel. (c) Verify that non-escorted personnel who perform maintenance on the system possess the required access authorizations. (d) Designate organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.
Source: NIST SP 800-171 R3 §03.07.06 (official control text).
Why this matters
This control ensures that anyone touching your systems — whether employees, contractors, or third-party vendors — has appropriate clearance and oversight. Unvetted maintenance personnel can introduce backdoors, exfiltrate data, or inadvertently damage systems. By requiring authorization lists, verification of credentials, and supervision of non-cleared individuals, organizations prevent unauthorized access disguised as legitimate maintenance. This is especially critical when vendors arrive unannounced or when break-fix scenarios demand rapid privileged access. The control protects both the technical integrity of systems and the confidentiality of data they process.
What evidence assessors expect
Assessors typically look for: PDF, CSV export, screenshot, log file. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.