MA-5: Maintenance Personnel

Control Family:


CSF v1.1 References:

PF v1.0 References:

Threats Addressed:


  • Low
    • MA-5
  • Moderate
    • MA-5
  • High
  • Privacy


Previous Version:

Control Statement

  1. Establish a process for maintenance personnel authorization and maintain a list of authorized maintenance organizations or personnel;
  2. Verify that non-escorted personnel performing maintenance on the system possess the required access authorizations; and
  3. Designate organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.

Supplemental Guidance

Maintenance personnel refers to individuals who perform hardware or software maintenance on organizational systems, while PE-2 addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems. Technical competence of supervising individuals relates to the maintenance performed on the systems, while having required access authorizations refers to maintenance on and near the systems. Individuals not previously identified as authorized maintenance personnel-such as information technology manufacturers, vendors, systems integrators, and consultants-may require privileged access to organizational systems, such as when they are required to conduct maintenance activities with little or no notice. Based on organizational assessments of risk, organizations may issue temporary credentials to these individuals. Temporary credentials may be for one-time use or for very limited time periods.

Control Enhancements

MA-5(1): Individuals Without Appropriate Access


  • High

Implement procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens, that include the following requirements: Maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals are escorted and supervised during the performance of maintenance and diagnostic activities on the system by approved organizational…

MA-5(2): Security Clearances for Classified Systems


(Not part of any baseline)

Verify that personnel performing maintenance and diagnostic activities on a system processing, storing, or transmitting classified information possess security clearances and formal access approvals for at least the highest classification level and for compartments of information on the system.

MA-5(4): Foreign Nationals


(Not part of any baseline)

Ensure that: Foreign nationals with appropriate security clearances are used to conduct maintenance and diagnostic activities on classified systems only when the systems are jointly owned and operated by the United States and foreign allied governments, or owned and operated solely by foreign allied governments; and Approvals, consents, and detailed operational conditions regarding the use…

MA-5(5): Non-system Maintenance


(Not part of any baseline)

Ensure that non-escorted personnel performing maintenance activities not directly associated with the system but in the physical proximity of the system, have required access authorizations.