Maintenance 3.7.6 (3.7.6)

Supervise the maintenance activities of maintenance personnel without required access authorization.


What Is This CMMC Control?

When maintenance work is performed by personnel who do not hold standing access authorization for the systems involved, an authorized individual must supervise them for the entire maintenance activity. This applies both to internal staff performing maintenance outside their normal authorization scope and to external vendors, contractors, or consultants who need temporary access to repair, update, or troubleshoot systems. Supervision ensures that personnel without the required authorization cannot access, modify, or exfiltrate CUI while carrying out otherwise legitimate maintenance tasks.

Control Intent

To prevent unauthorized access to CUI and system components by ensuring that maintenance personnel without standing access authorization are continuously monitored during maintenance activities, thereby reducing the risk of intentional or accidental data exposure, system compromise, or malicious activity.

Who This Control Applies To

  • Organizations that use external vendors, contractors, or consultants for system maintenance
  • Organizations where internal IT staff occasionally perform maintenance outside their normal authorization scope
  • Any system or component that stores, processes, or transmits CUI
  • Maintenance activities including hardware repair, software updates, troubleshooting, and system configuration changes
  • Both on-site and remote maintenance activities requiring system access

Not Applicable When

  • Maintenance personnel already possess the required access authorization for the systems being maintained
  • Maintenance activities do not involve access to systems, networks, or areas containing CUI
  • Maintenance is performed entirely through automated processes without human interaction
  • The maintenance personnel are already authorized users with appropriate clearances and access rights for the specific systems

Key Objectives

  1. Ensure maintenance personnel without required access authorization do not have unsupervised access to systems containing CUI
  2. Prevent unauthorized disclosure, modification, or destruction of CUI during maintenance activities
  3. Maintain accountability and oversight of all maintenance activities performed by non-authorized personnel
  4. Reduce the risk of malicious insider activity or accidental security incidents during maintenance operations

Sample Self-Assessment Questions (Partial)

Do you ever use external vendors, contractors, or consultants to perform maintenance on your systems?

Do you have internal IT staff who occasionally need to perform maintenance on systems they don't normally access?

Implementation Approaches (High-Level)

Physical Supervision with Documentation

Authorized personnel physically present during all maintenance activities, with documented oversight and activity logging.

Remote Supervision with Technical Controls

Real-time monitoring and control of remote maintenance sessions through screen sharing, session recording, and access restrictions.

Temporary Credential Management with Supervision

Issuance of time-limited, scope-restricted credentials to maintenance personnel, combined with supervision and automated revocation.

Managed Service Provider (MSP) Supervision Framework

Contractual and technical controls for supervising ongoing maintenance activities performed by MSPs or outsourced IT providers.

Evidence & Assessment Notes

Expected Evidence

Organizations should maintain documentation and evidence demonstrating compliance with this control. For 3.7.6 this typically includes the maintenance policy and procedures that define supervision requirements, maintenance records that identify the supervisor for each activity performed by non-authorized personnel, visitor or escort logs for on-site work, session recordings or PAM logs for remote work, records showing that temporary credentials were issued for the maintenance window and revoked afterward, and any documented exceptions for emergency maintenance.

Plan of Action & Milestones (POA&M)

  • If supervision is not currently occurring, prioritize implementing supervision for the highest-risk maintenance activities first (e.g., systems with CUI, privileged access maintenance)
  • Document the current state of maintenance supervision practices and identify gaps
  • Develop or update policies and procedures to define supervision requirements
  • Implement technical controls for remote maintenance supervision if remote access is common
  • Establish a process for assigning supervisory personnel to all maintenance activities
  • Create documentation templates for recording supervised maintenance activities
  • Train supervisory personnel on their responsibilities and what constitutes adequate supervision
  • Implement temporary credential management processes if not already in place
  • Conduct a review of all vendor and contractor maintenance activities to identify unsupervised access
  • Set a timeline for achieving full compliance, with interim milestones for high-risk systems
  • Consider compensating controls (e.g., enhanced logging, post-maintenance reviews) during the POA&M period
  • Regularly review and update the POA&M based on progress and changing maintenance needs

Frequently Asked Questions

What qualifies as 'supervision' under this control?

Supervision means continuous oversight by an authorized individual throughout the entire maintenance activity. For physical maintenance, this typically means being present in the same room and observing the work. For remote maintenance, this means real-time monitoring through screen sharing, session recording, or similar technical controls. Simply checking in periodically or reviewing logs after the fact does not constitute adequate supervision.

Do we need to supervise our regular IT staff when they perform maintenance?

Only when they are performing maintenance on systems for which they do not hold the required access authorization. If your IT staff already have the appropriate access rights and authorization for the systems they are maintaining, this control does not require supervision; it applies as soon as they work on systems outside their normal scope of authorization.

How do we supervise remote maintenance performed by vendors?

Remote maintenance supervision requires technical controls such as screen sharing, session recording, or privileged access management (PAM) solutions that allow real-time monitoring. An authorized employee should be able to observe the remote session in real-time and have the ability to terminate the session if needed. All remote sessions should be recorded for later review, and access should be granted only for the specific maintenance window.
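The "Temporary Credential Management with Supervision" approach above and this answer both describe the same mechanism: a credential that is valid only for one vendor, one host, and one maintenance window, that can be revoked automatically, and that does not let a session start unless a supervisor is present. The following is an added example, not code from this page or from ConformatIQ, of a small grant broker that enforces those conditions and writes an audit trail. A PAM product or jump host would normally play this role; the vendor name, host names, supervisor, signing key, and time window are constructed for the demonstration.

```python
from __future__ import annotations

import hashlib
import hmac
import json
import secrets
from datetime import datetime, timedelta, timezone


class MaintenanceGrantBroker:
    """Issues and checks HMAC-signed, time-limited maintenance grants.

    Hypothetical illustration of the broker role a PAM/jump host fills. A grant
    binds one vendor account to one host, one maintenance window and one named
    supervisor, so a session cannot start out of scope, outside the window,
    after revocation, or without the supervisor confirming presence.
    """

    def __init__(self, signing_key: bytes) -> None:
        self._key = signing_key
        self._revoked: set[str] = set()
        self.audit_log: list[dict] = []  # every issue / revoke / decision event

    def _mac(self, payload: dict) -> str:
        # Canonical JSON so the MAC does not depend on key ordering.
        canonical = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, canonical, hashlib.sha256).hexdigest()

    def issue(self, vendor: str, host: str, supervisor: str,
              start: datetime, hours: float) -> dict:
        payload = {
            "id": secrets.token_hex(8),
            "vendor": vendor,
            "host": host,
            "supervisor": supervisor,
            "not_before": start.isoformat(),
            "not_after": (start + timedelta(hours=hours)).isoformat(),
        }
        self.audit_log.append({"event": "issue", **payload})
        return {"payload": payload, "mac": self._mac(payload)}

    def revoke(self, grant_id: str) -> None:
        # Automated-revocation hook: call at window end or when the supervisor leaves.
        self._revoked.add(grant_id)
        self.audit_log.append({"event": "revoke", "id": grant_id})

    def authorize_session(self, grant: dict, host: str,
                          supervisor_present: bool, now: datetime) -> tuple[bool, str]:
        """Decide whether a vendor session may start now. Returns (allowed, reason)."""
        p = grant["payload"]
        if not hmac.compare_digest(self._mac(p), grant["mac"]):
            return self._decide(p, host, now, False, "bad signature")
        if p["id"] in self._revoked:
            return self._decide(p, host, now, False, "revoked")
        if host != p["host"]:
            return self._decide(p, host, now, False, "host out of scope")
        not_before = datetime.fromisoformat(p["not_before"])
        not_after = datetime.fromisoformat(p["not_after"])
        if not (not_before <= now < not_after):
            return self._decide(p, host, now, False, "outside maintenance window")
        if not supervisor_present:
            # 3.7.6: inside the window is not enough; no supervisor means no session.
            return self._decide(p, host, now, False, "supervisor not present")
        return self._decide(p, host, now, True, "ok")

    def _decide(self, p: dict, host: str, now: datetime,
                allowed: bool, reason: str) -> tuple[bool, str]:
        self.audit_log.append({"event": "session", "id": p.get("id"),
                               "vendor": p.get("vendor"), "host": host,
                               "at": now.isoformat(), "allowed": allowed,
                               "reason": reason})
        return allowed, reason


def demo() -> dict:
    """Run the grant through the cases a practitioner would want to check."""
    broker = MaintenanceGrantBroker(secrets.token_bytes(32))
    start = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)  # constructed window
    grant = broker.issue("acme-tech", "cui-fileserver-01", "j.doe", start, hours=2)
    t = start + timedelta(minutes=30)
    results = {}
    results["in_window_supervised"] = broker.authorize_session(grant, "cui-fileserver-01", True, t)
    results["in_window_unsupervised"] = broker.authorize_session(grant, "cui-fileserver-01", False, t)
    results["wrong_host"] = broker.authorize_session(grant, "cui-db-02", True, t)
    results["after_window"] = broker.authorize_session(
        grant, "cui-fileserver-01", True, start + timedelta(hours=2))
    # Vendor edits the scope field of its own grant; the MAC no longer matches.
    tampered = {"payload": dict(grant["payload"], host="cui-db-02"), "mac": grant["mac"]}
    results["tampered_scope"] = broker.authorize_session(tampered, "cui-db-02", True, t)
    broker.revoke(grant["payload"]["id"])
    results["after_revoke"] = broker.authorize_session(grant, "cui-fileserver-01", True, t)
    results["audit_events"] = len(broker.audit_log)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The decision order matters: signature and revocation are checked before scope and time so that a tampered or withdrawn grant is never evaluated on its merits, and the supervisor-presence check is last so the audit log records why a session inside a valid window was still refused. Whether "supervisor present" comes from a badge-in, a PAM session join, or a manual attestation is an integration detail; the broker only needs the boolean.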

Can we use video surveillance instead of physical supervision?

Video surveillance alone is not sufficient for supervision under this control. Supervision requires an authorized individual who can observe the maintenance activities in real-time and intervene if necessary. While video surveillance can supplement supervision or provide evidence of supervision, it does not replace the need for an authorized person to actively oversee the maintenance work.

What should we do if we need emergency maintenance and no supervisor is available?

Organizations should have contingency procedures for emergency maintenance situations. Options include: having on-call supervisory personnel available 24/7, implementing enhanced technical controls (such as read-only access or highly restricted permissions) for emergency situations, or accepting the risk and documenting the unsupervised access as an exception with compensating controls. Any unsupervised emergency maintenance should be documented, reviewed, and reported according to your incident response procedures.

How long do we need to keep documentation of supervised maintenance activities?

Maintenance supervision documentation should be retained according to your organization's record retention policy, but at minimum for the duration of your CMMC certification period (typically three years). Assessors will typically review maintenance activities from the past 12 months during an assessment, so you should ensure at least one year of documentation is readily available.

How ConformatIQ Helps With CMMC Readiness

ConformatIQ is an AI-assisted CMMC readiness platform designed to help organizations prepare for assessments more efficiently. The platform supports document generation such as SSPs and POA&Ms, guided readiness workflows, centralized evidence tracking, and interview preparation for assessments.


Information sourced from NIST SP 800-171 Rev. 2. See full disclaimer.