A vendor tech walks into your server room. An MSP connects remotely to install a patch. If no one is watching, they could copy files, install malware, or access systems they shouldn’t. Supervision is the control. Someone authorized is present.
What the assessor is actually evaluating
The assessor is checking: (1) Do you have a rule that external personnel are supervised during maintenance? (2) Do you follow it? (3) Can you show recent examples? Supervision means someone authorized is present to monitor what the technician does. For remote access, it’s less literal (you can’t physically watch a remote desktop session), but you should be monitoring.
The key distinction: “unauthorized personnel.” If it’s your staff, you don’t necessarily need direct supervision. If it’s a vendor or contractor, supervision is required. This practice sits within the broader maintenance framework (MA.L2-3.7.1) and depends on proper access controls (AC.L2-3.1.1 and AC.L2-3.1.2) to identify who counts as authorized.
What a realistic SSP definition looks like
All maintenance by external or unauthorized personnel is supervised by an authorized employee. Supervision includes:
- Physical maintenance: An authorized employee is present in the room during the work
- Remote maintenance: An authorized employee monitors the session via remote view or access logs
Work orders document the supervisor name, start time, end time, and confirmation that the person supervised the full maintenance period. Vendor agreements require notification prior to maintenance and specify supervision requirements.
For routine maintenance by contracted MSPs, supervision may be waived by [role] only if prior authorization is documented.
How to present your evidence
- Maintenance work orders or logs showing supervisor name for external work
- Recent maintenance records (past 6-12 months) with supervision documented
- Vendor agreements or service contracts specifying supervision requirements
- Access badge logs or sign-in sheets showing external personnel entries
- If remote, access logs showing an authorized user was monitoring or connected concurrently
Common failures
No supervision. Vendor techs work alone in the server room. No one is watching. This is a direct violation. Always assign someone.
No documentation. You supervise, but you don't log it. Work order has no supervisor field. A month later, you can't prove anyone watched the maintenance. Add supervision to your work order template.
Assumed or vague supervision. Work order says "John supervised" but John wasn't actually present. Supervision needs to be intentional and deliberate.
You're good here. Your maintenance work orders have a supervisor field. Recent orders show an authorized employee was present (or monitoring remotely) during external maintenance. Vendor agreements reference the supervision requirement. Assessors confirm this is enforced and move on.
If you use an MSP/MSSP
MSPs often work remotely with standing agreements. You don't need to watch every moment, but document that you're aware the work is happening and that it's authorized. Get an activity log from your MSP showing what was done. For critical changes, have someone monitor the first time or spot-check occasionally. Include supervision language in the MSP agreement.
Keep answers short. Show the evidence, don't describe it. Let the assessor drive. For more on how to present in the assessment room, see How to Present Evidence in the Assessment Room.
Q&A: What the assessor asks
Q: “Can you show me an example?” A: “[Date], [vendor] replaced a hard drive. [Employee name] supervised the entire maintenance period. Here’s the work order.”
Q: “What about remote maintenance?” A: “We monitor remote sessions. An authorized person is present and watching, or we have access logs showing we were monitoring.”
Q: “What if the technician needs to work after hours?” A: “We still supervise, or we record the session so we can review it afterward.”
This guide reflects CMMC Level 2 requirements as of March 2026. CMMC and NIST standards evolve. Verify current requirements with official CMMC materials and your assessor.