Mapped to NIST 800-171 Requirement: 3.7.2 (controls on the personnel used to conduct system maintenance); see also 3.7.6 (supervision of maintenance personnel without required access authorization)
CMMC Assessment Objective: MA.L2-3.7.2[d]
What This Control Means
Maintenance often involves elevated privileges and access to sensitive components. This control ensures that only trusted, approved individuals perform those tasks.
This includes:
• Internal IT staff or system administrators
• Vendors or contractors brought in for equipment servicing
• Managed service providers (MSPs) or outsourced support
You must define who is allowed—and who is not.
Why It Matters
If anyone can perform maintenance:
• Unvetted individuals may gain access to CUI
• Configuration changes may go undocumented
• Malicious or negligent actions may compromise systems
• There is no accountability if something goes wrong
Restricting maintenance access reduces risk and improves auditability.
How to Implement It
1. Create a List of Authorized Personnel
• Include names, roles, or titles
• Indicate whether they are internal or external resources
2. Vet External Individuals
• Background checks, NDAs, or contractual restrictions before any access is granted
• Limit access to the systems being serviced, monitor the session, and supervise anyone who does not hold the required access authorizations
3. Maintain Role-Based Access Control (RBAC)
• Assign only the minimum access the maintenance task requires
• Prefer time-bound or task-specific access (an elevation that expires when the ticket closes) over standing administrative rights
4. Review and Update Regularly
• Remove former employees or vendors who no longer need access
• Align with onboarding/offboarding procedures
5. Store the List Securely
• Use centralized documentation (e.g., part of your System Security Plan or maintenance log)
Evidence the Assessor Will Look For
• List of individuals authorized to perform system maintenance
• Policy or procedure defining the authorization process
• Background check records or access justifications (for vendors)
• Screenshots showing access control based on roles
• Logs confirming authorized personnel conducted past maintenance
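As an added example of the roster, scope and review steps above, and of the log evidence in the last bullet (this is not Cuick Trac code and not a format NIST SP 800-171 or CMMC prescribes; the CSV layouts, people and system names are constructed assumptions), the following Python script reconciles a maintenance log against an authorized-personnel roster. It flags actions by anyone not on the list, outside their authorized scope, or outside their authorization window, and lists roster entries that have lapsed and should be removed:

```python
"""Reconcile a system-maintenance log against an authorized-personnel roster.

Added example (not Cuick Trac code and not a format prescribed by NIST
SP 800-171 or CMMC): the CSV layouts, names and systems below are
constructed assumptions for illustration only.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date, datetime


@dataclass(frozen=True)
class Authorization:
    name: str
    affiliation: str          # "internal" or "vendor:<company>"
    systems: frozenset        # assets this person may service (scope)
    valid_from: date
    valid_to: date            # time-bound access: authorization lapses after this


@dataclass(frozen=True)
class Finding:
    timestamp: str
    person: str
    system: str
    reason: str


# Constructed sample roster: name, affiliation, scope, authorization window.
ROSTER_CSV = """\
name,affiliation,systems,valid_from,valid_to
Alice Ng,internal,fileserver01;dc01,2024-01-01,2025-12-31
Bob Ruiz,internal,fileserver01,2024-01-01,2024-06-30
Dana Patel,vendor:AcmeHW,san01,2025-03-01,2025-03-31
"""

# Constructed sample maintenance log, as it might be exported from a
# ticketing or privileged-access system; one row per maintenance action.
MAINT_LOG_CSV = """\
timestamp,person,system,action
2025-03-10T09:00:00,Alice Ng,dc01,patch
2025-03-12T14:30:00,Dana Patel,san01,firmware update
2025-03-13T10:00:00,Dana Patel,fileserver01,disk swap
2025-04-02T08:15:00,Bob Ruiz,fileserver01,patch
2025-04-05T16:00:00,Eve Stone,dc01,config change
"""


def load_roster(text: str) -> dict:
    """Parse the roster CSV into {name: Authorization}."""
    roster = {}
    for row in csv.DictReader(io.StringIO(text)):
        roster[row["name"]] = Authorization(
            name=row["name"],
            affiliation=row["affiliation"],
            systems=frozenset(s.strip() for s in row["systems"].split(";")),
            valid_from=date.fromisoformat(row["valid_from"]),
            valid_to=date.fromisoformat(row["valid_to"]),
        )
    return roster


def reconcile(roster: dict, log_text: str) -> list:
    """Check every logged maintenance action against the roster.

    A row passes only if the person is on the list, the action falls inside
    their authorization window, and the system is within their scope.
    Anything else becomes a Finding for the reviewer.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        when = datetime.fromisoformat(row["timestamp"])
        auth = roster.get(row["person"])
        if auth is None:
            reason = "not on authorized maintenance list"
        elif not (auth.valid_from <= when.date() <= auth.valid_to):
            reason = f"authorization window {auth.valid_from}..{auth.valid_to} does not cover action"
        elif row["system"] not in auth.systems:
            reason = f"system outside authorized scope {sorted(auth.systems)}"
        else:
            continue
        findings.append(Finding(row["timestamp"], row["person"], row["system"], reason))
    return findings


def stale_authorizations(roster: dict, as_of) -> list:
    """Names still on the roster whose authorization has lapsed as of the
    review date (step 4: review and remove). as_of may be a date or ISO string."""
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    return sorted(a.name for a in roster.values() if a.valid_to < as_of)


if __name__ == "__main__":
    roster = load_roster(ROSTER_CSV)
    for f in reconcile(roster, MAINT_LOG_CSV):
        print(f"{f.timestamp} {f.person} on {f.system}: {f.reason}")
    print("stale as of 2025-04-10:", stale_authorizations(roster, "2025-04-10"))
```

Run as-is against the embedded samples; in practice, export the roster from the SSP appendix and the log from your ticketing or privileged-access system in the same columns. The findings (an out-of-scope vendor action, an action under an expired authorization, and an action by someone not on the list) plus the stale-entry list are the artifacts the evidence bullets above ask for.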
Common Gaps
• No defined list—any IT admin can perform maintenance without approval
• Former employees or contractors still retain access
• No verification or vetting for third-party maintenance providers
• Maintenance roles granted permanent, excessive access
How Cuick Trac Helps
Cuick Trac supports this requirement by:
• Helping document authorized maintenance personnel and their access scope
• Enforcing role- and task-based access control for system servicing
• Logging maintenance activity by individual for traceability
• Supporting review and access removal workflows during personnel changes
• Providing evidence-ready reports showing who’s approved to touch secure systems
With Cuick Trac, maintenance access is limited, controlled, and trusted.
Know who can touch your systems—and make sure they’re allowed to.
Schedule a Cuick Trac demo to define, restrict, and track who’s authorized for system maintenance.