MA.L2-3.7.6

MA.L2-3.7.6: Maintenance Personnel

Supervise maintenance and repair activities performed by unauthorized or external personnel to prevent unauthorized system access.

A vendor tech walks into your server room. An MSP connects remotely to install a patch. If no one is watching, they could copy files, install malware, or access systems they shouldn’t. Supervision is the control. Someone authorized is present.

Family Maintenance
Practice MA.L2-3.7.6
Difficulty Medium
Key evidence Maintenance logs, supervision documentation, access records

What the assessor is actually evaluating

The assessor is checking: (1) Do you have a rule that external personnel are supervised during maintenance? (2) Do you follow it? (3) Can you show recent examples? Supervision means someone authorized is present to monitor what the technician does. For remote access, it’s less literal (you can’t physically watch a remote desktop session), but you should be monitoring.

The key distinction: “unauthorized personnel.” If it’s your staff, you don’t necessarily need direct supervision. If it’s a vendor or contractor, supervision is required. This practice sits within the broader maintenance framework (MA.L2-3.7.1) and depends on proper access controls (AC.L2-3.1.1 and AC.L2-3.1.2) to identify who counts as authorized.

What a realistic SSP definition looks like

MA.L2-3.7.6 Maintenance Personnel Supervision

All maintenance by external or unauthorized personnel is supervised by an authorized employee. Supervision includes:

  • Physical maintenance: An authorized employee is present in the room during the work
  • Remote maintenance: An authorized employee monitors the session via remote view or access logs

Work orders document the supervisor name, start time, end time, and confirmation that the person supervised the full maintenance period. Vendor agreements require notification prior to maintenance and specify supervision requirements.

For routine maintenance by contracted MSPs, supervision may be waived by [role] only if prior authorization is documented.

How to present your evidence

Gather these items:
  • Maintenance work orders or logs showing supervisor name for external work
  • Recent maintenance records (past 6-12 months) with supervision documented
  • Vendor agreements or service contracts specifying supervision requirements
  • Access badge logs or sign-in sheets showing external personnel entries
  • If remote, access logs showing an authorized user was monitoring or connected concurrently
Assessment room tips

Keep answers short. Show the evidence, don't describe it. Let the assessor drive. For more on how to present in the assessment room, see How to Present Evidence in the Assessment Room.

Q: "When vendors come in, is someone supervising?" A: "Yes. An authorized employee is present during the work. We log the supervisor on the work order." [Pull up a recent work order with supervision documented]

Q: “Can you show me an example?" A: “[Date], [vendor] replaced a hard drive. [Employee name] supervised the entire maintenance period. Here’s the work order.”

Q: “What about remote maintenance?" A: “We monitor remote sessions. An authorized person is present and watching, or we have access logs showing we were monitoring.”

Q: “What if the technician needs to work after hours?" A: “We still supervise, or we record the session so we can review it afterward.”

Common failures

No supervision. Vendor techs work alone in the server room. No one is watching. This is a direct violation. Always assign someone.
No documentation. You supervise, but you don't log it. Work order has no supervisor field. A month later, you can't prove anyone watched the maintenance. Add supervision to your work order template.
Assumed or vague supervision. Work order says "John supervised" but John wasn't actually present. Supervision needs to be intentional and deliberate.
You're good here. Your maintenance work orders have a supervisor field. Recent orders show an authorized employee was present (or monitoring remotely) during external maintenance. Vendor agreements reference the supervision requirement. Assessors confirm this is enforced and move on.
Get assessment room tips in your inbox

Short, practical breakdowns of what assessors actually ask and how to answer. No compliance jargon, no sales pitch. Subscribe free on Substack.

Practical implementation

Create a simple rule: No external personnel touch systems without an authorized employee present. For physical access, that person is in the room. For remote access, that person is aware it’s happening and can monitor if needed.

For regularly scheduled maintenance (monthly vendor support), you can document standing supervision agreements. “Vendor X comes in on Tuesdays, John always supervises.” Still log it for each occurrence.

For after-hours emergency work, document it especially carefully. “System was down, vendor accessed remotely, [employee] was monitoring via [method].”

If you use an MSP/MSSP

MSPs often work remotely with standing agreements. You don't need to watch every moment, but document that you're aware the work is happening and that it's authorized. Get an activity log from your MSP showing what was done. For critical changes, have someone monitor the first time or spot-check occasionally. Include supervision language in the MSP agreement.

This guide reflects CMMC Level 2 requirements as of March 2026. CMMC and NIST standards evolve. Verify current requirements with official CMMC materials and your assessor.

New practice breakdowns and assessment tips every week. Follow on Substack to stay current as the November 2026 deadline gets closer.

← MP.L2-3.8.1: Media Protection All Practices MA.L2-3.7.5: Nonlocal Maintenance →