Level 5 CMMC - CMMC Practices

MA.2.114  

Reference: CMMC 1.02

Family: MA

Level Introduced: 2

Practice:
Supervise the maintenance activities of personnel without required access authorization.

CMMC Clarification:
You must supervise everyone who performs maintenance activities. Sometimes a person without proper permissions has to perform maintenance on your machines. Give that individual a logon that is active only once or for a very limited time, to limit system access.

Example
You are in charge of IT operations for your company. One of your software providers has to come on-site to update the software on your company’s machines. You give the individual a temporary logon and password that expires in 12 hours. This gives him access long enough to perform the update. When he is on site, you remain with him. You supervise his activities. This ensures that he performs only the maintenance activities you directed.

3.7.6

Supervise the maintenance activities of maintenance personnel without required access authorization.

Discussion:
This requirement applies to individuals who are performing hardware or software maintenance on organizational systems, while 3.10.1 addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems (e.g., custodial staff, physical plant maintenance personnel). Individuals not previously identified as authorized maintenance personnel, such as information technology manufacturers, vendors, consultants, and systems integrators, may require privileged access to organizational systems, for example, when required to conduct maintenance activities with little or no notice. Organizations may choose to issue temporary credentials to these individuals based on organizational risk assessments. Temporary credentials may be for one-time use or for very limited time periods.

Source: NIST Special Publication 800-171 Rev. 2

MA-5

MAINTENANCE PERSONNEL

Description:
The organization:
    a. Establishes a process for maintenance personnel authorization and maintains a list of authorized maintenance organizations or personnel;
    b. Ensures that non-escorted personnel performing maintenance on the information system have required access authorizations; and
    c. Designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.

Supplemental Guidance:
This control applies to individuals performing hardware or software maintenance on organizational information systems, while PE-2 addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems (e.g., custodial staff, physical plant maintenance personnel). Technical competence of supervising individuals relates to the maintenance performed on the information systems while having required access authorizations refers to maintenance on and near the systems. Individuals not previously identified as authorized maintenance personnel, such as information technology manufacturers, vendors, systems integrators, and consultants, may require privileged access to organizational information systems, for example, when required to conduct maintenance activities with little or no notice. Based on organizational assessments of risk, organizations may issue temporary credentials to these individuals. Temporary credentials may be for one-time use or for very limited time periods. Related controls: AC-2, IA-8, MP-2, PE-2, PE-3, PE-4, RA-3.

Source: NIST Special Publication 800-53 Rev. 4

Source: CMMC v1.02