Mapped to NIST 800-171 Requirement: 3.7.5
CMMC Assessment Objective: MA.L2-3.7.5[b]
What This Control Means
After identifying who is authorized to perform maintenance (MA.L2-3.7.5[a]), you must now verify that the list is documented and available.
That documentation should:
• Include names, roles, or titles of authorized individuals
• Distinguish between internal staff and third-party personnel
• Define approval procedures or required qualifications
• Reference how access is granted and reviewed
This documentation helps confirm that your maintenance process is controlled and auditable.
Why It Matters
Without documented authorization:
• There’s no clear accountability for maintenance activities
• Unauthorized individuals may perform unsanctioned updates or changes
• Your organization risks CUI exposure, system misconfiguration, or audit failure
• Internal teams may not know who is allowed to perform what kind of work
Proper documentation supports secure, consistent operations.
How to Implement It
1. Maintain a Formal List
• Create and maintain a list in a shared, secured location
• Include names (or roles) and system scopes
2. Integrate With Policy
• Embed the list or reference it within:
◦ Access Control Policy
◦ System Security Plan (SSP)
◦ Maintenance or Configuration Management Procedures
3. Include Vendor Access Info
• For third-party or MSP access:
◦ List authorized contacts
◦ Link to contracts, NDAs, or vetting records
4. Keep It Up to Date
• Review and update during personnel changes
• Align with onboarding/offboarding processes
5. Make It Available for Audits
• Store in a compliance folder or dashboard for easy reference
Evidence the Assessor Will Look For
• Maintenance policy or SSP listing authorized maintenance personnel
• Internal documentation showing approved individuals or roles
• Vendor documentation for external maintenance providers
• Access approval workflows tied to maintenance privileges
• Evidence that the list is reviewed and maintained
Common Gaps
• No written list—authorization is verbal or assumed
• Outdated documentation listing former employees or vendors
• No link between access control and maintenance responsibilities
• Lack of visibility into who can service CUI systems
How Cuick Trac Helps
Cuick Trac supports this requirement by:
• Providing a centralized platform to document and manage authorized personnel
• Linking personnel to systems and specific maintenance scopes
• Tracking access approvals and role-based authorizations
• Supporting regular reviews and update workflows
• Making documentation easily accessible for audits and assessments
With Cuick Trac, maintenance authorization is documented, tracked, and aligned with compliance.
Don’t just know who’s authorized—prove it.
Schedule a Cuick Trac demo to centralize your maintenance personnel documentation and show full compliance.