Control 3.7.6
Supervise Maintenance Activities of Personnel Without Required Access
Official Requirement
Supervise the maintenance activities of maintenance personnel who do not possess the required access authorization.
What This Means in Plain English
If a repair technician or vendor does not have a security clearance or proper authorization, they must be supervised at all times while working on your systems. An authorized employee must escort and observe their work.
How Petronella Implements This Control
Petronella Technology Group implements this control through:
- Visitor and vendor escort policy requiring authorized PTG personnel present during all maintenance by external parties
- Visitor log documenting all external maintenance personnel with escort assignment
- Background check requirements for recurring maintenance vendors
- Temporary access credentials that expire at the end of the maintenance window
- ComplianceArmor tracking vendor maintenance visits, escorts, and activities performed
Assessment Guidance
Assessors will review vendor escort and supervision policies, check visitor logs for maintenance personnel, verify that temporary credentials are used and expire appropriately, and confirm that supervision requirements are enforced for all uncleared maintenance staff.
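One concrete check behind the "temporary credentials expire appropriately" point above is to audit the local accounts a vendor was issued and confirm each one carries an expiry that does not outlive the maintenance window. The script below is an added example, not Petronella or ComplianceArmor code: it parses /etc/shadow-style entries (the eighth field is the account expiry in days since the Unix epoch, empty meaning never), and flags vendor accounts that have no expiry, expire after the window, or are already expired but still present. The `vnd-` username prefix and the sample shadow lines are constructed assumptions for the illustration.

```python
"""Audit vendor maintenance accounts for credential expiry (added example).

Assumptions (not from the original page):
- temporary vendor accounts use a constructed naming convention: prefix "vnd-"
- input is /etc/shadow-formatted text; field 8 is expiry in days since 1970-01-01
- the end of the approved maintenance window and the audit date are supplied
"""
from __future__ import annotations

from datetime import date, timedelta
from typing import NamedTuple

VENDOR_PREFIX = "vnd-"          # assumed naming convention for vendor accounts
EPOCH = date(1970, 1, 1)        # shadow expiry field counts days from here


class Finding(NamedTuple):
    user: str
    issue: str


def parse_shadow(text: str) -> dict[str, date | None]:
    """Map each username to its account expiry date (None = never expires).

    Malformed lines (fewer than 9 colon-separated fields) are skipped rather
    than guessed at, so an auditor sees only what the file actually states.
    """
    accounts: dict[str, date | None] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 9:
            continue
        user, expire = fields[0], fields[7]
        accounts[user] = EPOCH + timedelta(days=int(expire)) if expire else None
    return accounts


def audit_vendor_accounts(shadow_text: str, window_end: date, today: date) -> list[Finding]:
    """Return one Finding per vendor account whose expiry violates the window.

    - no expiry set: a persistent credential, the gap the page calls out
    - expiry after window_end: credential outlives the approved maintenance
    - expiry before today: account should already have been removed
    """
    findings: list[Finding] = []
    for user, expiry in parse_shadow(shadow_text).items():
        if not user.startswith(VENDOR_PREFIX):
            continue  # staff accounts are out of scope for this check
        if expiry is None:
            findings.append(Finding(user, "no expiry set (persistent credential)"))
        elif expiry > window_end:
            findings.append(Finding(user, f"expires {expiry}, after window end {window_end}"))
        elif expiry < today:
            findings.append(Finding(user, f"expired {expiry} but account still present"))
    return findings


# Constructed sample shadow entries; hashes are placeholders, not real values.
# Day 19722 = 2023-12-31, day 19716 = 2023-12-25.
SAMPLE_SHADOW = """\
root:*:19700:0:99999:7:::
vnd-hvac:$6$placeholder1:19720:0:99999:7::19722:
vnd-printer:$6$placeholder2:19720:0:99999:7:::
vnd-ups:$6$placeholder3:19715:0:99999:7::19716:
alice:$6$placeholder4:19600:0:99999:7:::
"""

if __name__ == "__main__":
    # Maintenance window approved through 2023-12-30; audit run on 2023-12-28.
    for finding in audit_vendor_accounts(SAMPLE_SHADOW, date(2023, 12, 30), date(2023, 12, 28)):
        print(f"{finding.user}: {finding.issue}")
```

Run against a copy of the real shadow file (which requires root to read), the output is the evidence list an assessor would ask for: every vendor account either expires inside the window or appears as a finding. Pair it with the visitor log so each flagged account can be traced back to a specific maintenance visit and escort.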
Common Implementation Gaps
- Vendors given unsupervised access to CUI systems
- No visitor escort policy for maintenance personnel
- Vendor personnel using persistent credentials
- No visitor log for external maintenance staff
- Background checks not required for recurring vendors
Cross-Framework Mapping
| Framework | Mapped Controls |
|---|---|
| NIST SP 800-53 | MA-5 |
| PCI DSS | Req 9.4 - Control physical access for visitors |
Need Help Implementing 3.7.6?
Our CMMC-RP certified team can assess your current compliance posture and build a remediation plan.