CMMC Level 2 Practice 3.7.6: Supervise the maintenance activities of maintenance personnel without required access
To meet CMMC Level 2 Practice 3.7.6, you must actively supervise any maintenance work performed by people who do not have the access authorizations required for the system or environment being maintained, so they cannot view, copy, or tamper with CUI or security-relevant configurations. Build a supervised maintenance process, restrict access paths, and retain proof that supervision happens in practice. 1
Key takeaways:
- Supervision is required when maintenance personnel lack required access; “trusting the third party” is not a control. 1
- Operationalize with controlled maintenance methods (escorted access, jump hosts, session recording, break-glass approvals) and repeatable evidence. 1
- Assessors will look for tickets, logs, and named supervisory assignments tied to real maintenance events, not policy statements. 2
CMMC Level 2 aligns to NIST SP 800-171 Rev. 2 practices for protecting CUI in contractor environments. Practice 3.7.6 sits in the System and Communications Protection / Maintenance family and targets a common real-world gap: a third party (or internal facilities/IT staff) performs maintenance on systems that process or store CUI, but the maintainer does not have the access authorizations you require for that environment. The risk is straightforward: maintenance is a high-privilege activity, and an unsupervised maintainer can accidentally expose CUI, introduce malicious tools, or alter security configurations.
You should treat 3.7.6 as an operational requirement that spans IT operations, facilities, physical security, and third-party risk management. The fastest path is to standardize how maintenance happens (remote vs. on-site), require a supervising employee with appropriate access, and capture durable evidence every time the control is invoked.
This page gives you requirement-level implementation guidance you can put into tickets, procedures, and contracts, so you can pass a CMMC Level 2 assessment with evidence that maps cleanly to the practice. 3
Regulatory text
Practice statement (mapped): “CMMC Level 2 practice mapped to NIST SP 800-171 Rev. 2 requirement 3.7.6 (Supervise the maintenance activities of maintenance personnel without required access).” 1
What the operator must do:
You must ensure that when a person performs maintenance without the access authorizations you normally require for the system/environment, the maintenance is supervised by personnel who do have required access, with controls that prevent the maintainer from gaining unapproved logical or physical access to CUI or sensitive system components. The outcome assessors expect is controlled maintenance execution plus evidence that supervision occurred for actual maintenance events. 4
Plain-English interpretation (what 3.7.6 means day-to-day)
- “Maintenance personnel” includes third-party field technicians, OEM support, MSP staff, copier/printer technicians, HVAC/building controls technicians, electricians working in comms closets, and internal staff outside the authorized admin population.
- “Without required access” means they do not meet your authorization bar for that environment (for example: no need-to-know for CUI, not approved for privileged admin access, not approved for the enclave, or not cleared/authorized per your internal policy and contract requirements).
- “Supervise” means a qualified, authorized person stays responsible for the session: approves the work, controls the access path, monitors activity, and closes out the maintenance with verification and documentation. 1
A useful way to frame it for operations: if a maintainer shouldn’t be able to freely browse the system, plug in media, or pivot to other assets, you need a supervised method that technically and procedurally prevents that.
Who it applies to (entity and operational context)
Applies to: organizations seeking or maintaining CMMC Level 2 for contracts involving CUI. 5
Applies across these contexts:
- On-site maintenance in CUI areas (server rooms, network closets, labs, production lines with CUI-connected OT/ICS components).
- Remote maintenance (screen sharing, remote hands, MSP/RMM tools, OEM remote support).
- Device maintenance (MFDs, printers, VoIP, network gear, endpoints, security appliances).
- Emergency repairs (after-hours outages, break/fix scenarios) where teams often bypass normal access controls.
What you actually need to do (step-by-step)
1) Define “required access” for maintenance
Create a short standard that answers:
- Which systems/enclaves are in scope for CUI.
- What authorizations are required for maintainers (account type, MFA, VPN, privileged access management, background/contractual requirements if applicable).
- What counts as “not required access” (anyone outside that approved set).
Output: a maintenance access standard owned by IT/security and referenced by third-party contracts. 1
2) Inventory maintenance entry points
List how maintenance happens today:
- Physical entry: doors, cages, keys, badge groups, visitor processes.
- Logical entry: VPNs, jump boxes, RMM, OEM tools, cloud consoles, hypervisor consoles, iLO/iDRAC, KVMs.
- Media paths: USB, diagnostic dongles, firmware update methods.
This inventory drives where you must enforce supervision controls. 1
3) Standardize supervised maintenance methods (pick your patterns)
Use a small set of approved patterns; mixing ad hoc exceptions is where audit findings appear.
Approved supervision patterns (examples):
- Escorted on-site maintenance: maintainer is escorted by an authorized employee; no unaccompanied access to racks, consoles, or media.
- Supervised remote session via jump host: maintainer connects only to a controlled jump environment; an authorized admin starts the session, monitors actions, and ends access.
- Time-bound, approved access: temporary accounts with least privilege and expiration; supervisor validates scope before and after.
- Session logging/recording: record remote privileged sessions; supervisor reviews and attests for higher-risk work.
Document which patterns are allowed for which system types (for example: network gear vs. endpoints vs. production systems). 1
4) Build the workflow in tickets (where supervision becomes provable)
In your ITSM (or a controlled form), require these fields for any maintenance touching in-scope assets:
- Requestor and third party company/person.
- Asset(s) and environment (CUI enclave or not).
- Planned access method (on-site escorted, jump host, etc.).
- Supervisor name (must be authorized for the environment).
- Maintenance window and approvals.
- Evidence attachments required at close (see below).
Make “Supervisor assigned” a hard gate before work begins. 2
5) Control tools and access paths
Technical controls make supervision real:
- Restrict inbound remote support to approved tools and approved endpoints.
- Disable direct third-party VPN access to the enclave unless explicitly approved and supervised per your method.
- Require privileged actions through controlled admin workstations or jump hosts.
- Block removable media by default; require explicit approval and scanning where allowed.
The goal is simple: the maintainer can’t bypass supervision even if they try. 1
6) Closeout, verification, and exception handling
At ticket close:
- Supervisor attests that work stayed in scope.
- Admin reviews changed configs, new accounts, new services, firmware updates, and tool installs.
- Capture logs/screenshots/session IDs.
For emergencies, allow “break-glass maintenance,” but require retrospective review and evidence capture as part of incident/problem management. 1
7) Map the practice to recurring evidence capture
Treat 3.7.6 as a control that produces evidence continuously: sample maintenance tickets monthly/quarterly, verify supervisor assignment, and store artifacts in your assessment repository. Daydream can help you map the CMMC Level 2 Practice 3.7.6 requirement (supervise the maintenance activities of maintenance personnel without required access) to a documented control and maintain an evidence cadence, so you do not rebuild the audit trail during assessment prep. 6
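The ticket gates described in steps 4 and 6 are easiest to enforce when the ITSM form is backed by a small validation routine rather than a reviewer's memory. The following is an added example written for this page, not code from the page's author or from any ITSM product; the policy tables (approved patterns per asset class, authorized supervisors per environment, required close-out evidence) and the ticket fields are constructed assumptions that stand in for whatever your own maintenance access standard defines. It implements the "Supervisor assigned" hard gate, the approved-pattern check from step 3, and the break-glass exception from step 6 (a controlled access path is still required, and a retrospective supervisor review is required at close).

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Set

# Constructed policy tables (assumed, not from the page): which supervision
# patterns are allowed per asset class (step 3), who may supervise in which
# environment (step 1), and what a ticket must carry at close (step 6).
APPROVED_PATTERNS = {
    "network_gear": {"escorted_onsite", "jump_host"},
    "endpoint": {"jump_host", "time_bound_access"},
    "production_system": {"escorted_onsite", "jump_host", "time_bound_access"},
}
AUTHORIZED_SUPERVISORS = {
    "cui_enclave": {"a.admin", "b.netops"},
    "general": {"a.admin", "b.netops", "c.helpdesk"},
}
BREAK_GLASS_METHODS = {"jump_host"}  # emergencies still go through a controlled path only
REQUIRED_CLOSE_EVIDENCE = {"supervisor_attestation", "session_log", "change_verification"}


@dataclass
class MaintenanceTicket:
    ticket_id: str
    requestor: str
    third_party: str
    assets: List[str]
    asset_class: str
    environment: str
    access_method: str
    window_start: datetime
    window_end: datetime
    supervisor: Optional[str] = None
    approvals: List[str] = field(default_factory=list)
    evidence: Set[str] = field(default_factory=set)
    break_glass: bool = False
    retrospective_reviewer: Optional[str] = None


def _is_authorized(person: Optional[str], environment: str) -> bool:
    return person in AUTHORIZED_SUPERVISORS.get(environment, set())


def start_gate(t: MaintenanceTicket) -> List[str]:
    """Hard gate before work begins (step 4): returns blocking findings; empty means go."""
    findings = []
    if not t.assets:
        findings.append("no assets listed")
    if t.window_end <= t.window_start:
        findings.append("invalid maintenance window")
    if t.break_glass:
        # Emergency path: no supervisor yet, but access is still limited to a controlled method.
        if t.access_method not in BREAK_GLASS_METHODS:
            findings.append(f"break-glass work must use a controlled path, not {t.access_method}")
        return findings
    if not t.approvals:
        findings.append("no approval recorded")
    if t.supervisor is None:
        findings.append("no supervisor assigned")
    elif not _is_authorized(t.supervisor, t.environment):
        findings.append(f"supervisor {t.supervisor} is not authorized for {t.environment}")
    if t.access_method not in APPROVED_PATTERNS.get(t.asset_class, set()):
        findings.append(f"access method {t.access_method} not approved for {t.asset_class}")
    return findings


def close_gate(t: MaintenanceTicket) -> List[str]:
    """Close-out gate (step 6): evidence must be attached; break-glass needs retrospective review."""
    findings = []
    missing = REQUIRED_CLOSE_EVIDENCE - t.evidence
    if missing:
        findings.append("missing close-out evidence: " + ", ".join(sorted(missing)))
    if t.break_glass:
        if t.retrospective_reviewer is None:
            findings.append("break-glass ticket lacks retrospective supervisor review")
        elif not _is_authorized(t.retrospective_reviewer, t.environment):
            findings.append(f"reviewer {t.retrospective_reviewer} is not authorized for {t.environment}")
    return findings


def sample_ticket(**overrides) -> MaintenanceTicket:
    """Constructed, fully compliant ticket; pass overrides to build a failing variant."""
    start = datetime(2024, 5, 2, 22, 0)
    base = dict(
        ticket_id="MT-1042", requestor="j.ops", third_party="Acme Networks / t.smith",
        assets=["core-sw01"], asset_class="network_gear", environment="cui_enclave",
        access_method="jump_host", window_start=start, window_end=start + timedelta(hours=1),
        supervisor="a.admin", approvals=["change-board"], evidence=set(REQUIRED_CLOSE_EVIDENCE),
    )
    base.update(overrides)
    return MaintenanceTicket(**base)


if __name__ == "__main__":
    cases = [("compliant", sample_ticket()),
             ("supervisor not authorized for enclave", sample_ticket(supervisor="c.helpdesk")),
             ("break-glass, not yet reviewed", sample_ticket(break_glass=True, supervisor=None, approvals=[]))]
    for name, t in cases:
        print(f"{name}: start={start_gate(t) or 'OK'} close={close_gate(t) or 'OK'}")
```

Wiring `start_gate` into the ticket's state transition (for example, as the check behind a "work started" status change) is what turns "Supervisor assigned" from a form field into a gate; `close_gate` does the same for closure, so a break-glass ticket cannot be closed until an authorized person has recorded the retrospective review.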
Required evidence and artifacts to retain
Keep evidence that proves supervision happened for real events:
- Policy/procedure: supervised maintenance procedure, definitions of required access, and approved maintenance patterns. 1
- Maintenance tickets/work orders: with supervisor assignment, approvals, timestamps, and asset IDs.
- Access records: visitor logs/badge logs for escorted visits; VPN/jump host logs for remote sessions.
- Session evidence: screen recording IDs, command logs, chat transcripts, or tool audit logs where available.
- Change verification: before/after config snapshots, change records, firmware hashes/versions if tracked, post-maintenance validation checklist.
- Third-party documentation: statements of work, maintenance reports, and contract clauses requiring adherence to your supervised access process.
Assessors generally want to trace: request → approval → supervised execution → verification → closure. 2
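The request → approval → supervised execution → verification → closure trace above can be checked mechanically against jump host logs, which is also how the monthly/quarterly sampling in step 7 becomes repeatable. The following is an added example written for this page, not code from the page's author or from any jump host or ITSM product. The log lines are constructed in an assumed `key=value` format, the ticket records are constructed, and the convention that third-party accounts carry a `vendor.` prefix is an assumption. For every third-party session it checks that a ticket was referenced and exists, that the target is the asset on the ticket, that the session fell inside the approved window, that the ticket's named supervisor had a session on the same host spanning the work, and that the session was terminated.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed jump-host audit lines in an assumed key=value format (not any product's real log).
SAMPLE_LOG = """\
2024-05-02T21:55:00Z host=jump01 event=session_start user=a.admin src=10.0.5.20 target=jump01 ticket=-
2024-05-02T22:00:10Z host=jump01 event=session_start user=vendor.acme src=203.0.113.10 target=core-sw01 ticket=MT-1042
2024-05-02T22:48:30Z host=jump01 event=session_end user=vendor.acme src=203.0.113.10 target=core-sw01 ticket=MT-1042
2024-05-02T22:50:00Z host=jump01 event=session_end user=a.admin src=10.0.5.20 target=jump01 ticket=-
2024-05-03T01:15:00Z host=jump01 event=session_start user=vendor.acme src=203.0.113.10 target=cui-fs01 ticket=-
2024-05-03T01:40:00Z host=jump01 event=session_end user=vendor.acme src=203.0.113.10 target=cui-fs01 ticket=-
2024-05-04T09:00:00Z host=jump01 event=session_start user=vendor.hvac src=198.51.100.7 target=bms-ctrl01 ticket=MT-1050
2024-05-04T09:30:00Z host=jump01 event=session_end user=vendor.hvac src=198.51.100.7 target=bms-ctrl01 ticket=MT-1050
"""


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed ticket records: asset on the ticket, named supervisor, approved window.
SAMPLE_TICKETS = {
    "MT-1042": {"asset": "core-sw01", "supervisor": "a.admin",
                "window": (_ts("2024-05-02T22:00:00Z"), _ts("2024-05-02T23:00:00Z"))},
    "MT-1050": {"asset": "bms-ctrl01", "supervisor": "b.netops",
                "window": (_ts("2024-05-04T09:00:00Z"), _ts("2024-05-04T10:00:00Z"))},
}


@dataclass
class Session:
    host: str
    user: str
    src: str
    target: str
    ticket: Optional[str]
    start: datetime
    end: Optional[datetime] = None


def build_sessions(log_text: str) -> List[Session]:
    """Pair session_start/session_end lines into Session objects; unclosed sessions are kept."""
    open_sessions: Dict[tuple, Session] = {}
    closed: List[Session] = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        f = dict(kv.split("=", 1) for kv in parts[1:])
        key = (f["host"], f["user"], f["src"], f["target"])
        if f["event"] == "session_start":
            ticket = None if f.get("ticket", "-") == "-" else f["ticket"]
            open_sessions[key] = Session(f["host"], f["user"], f["src"], f["target"], ticket, _ts(parts[0]))
        elif f["event"] == "session_end" and key in open_sessions:
            s = open_sessions.pop(key)
            s.end = _ts(parts[0])
            closed.append(s)
    return closed + list(open_sessions.values())


def audit(log_text: str, tickets: dict, vendor_prefix: str = "vendor.") -> Dict[str, List[str]]:
    """Trace each third-party session: ticket -> asset -> window -> supervising session -> termination."""
    sessions = build_sessions(log_text)
    staff = [s for s in sessions if not s.user.startswith(vendor_prefix)]
    report: Dict[str, List[str]] = {}
    for s in sessions:
        if not s.user.startswith(vendor_prefix):
            continue
        findings = []
        s_end = s.end or s.start
        ticket = tickets.get(s.ticket) if s.ticket else None
        if s.ticket is None:
            findings.append("no maintenance ticket referenced")
        elif ticket is None:
            findings.append(f"unknown ticket {s.ticket}")
        else:
            if s.target != ticket["asset"]:
                findings.append(f"target {s.target} not on ticket (expected {ticket['asset']})")
            w0, w1 = ticket["window"]
            if s.start < w0 or s_end > w1:
                findings.append("session outside approved maintenance window")
            # Supervision means an authorized employee's own session spans the maintainer's.
            covered = any(x.user == ticket["supervisor"] and x.host == s.host
                          and x.start <= s.start and (x.end or s_end) >= s_end for x in staff)
            if not covered:
                findings.append(f"supervisor {ticket['supervisor']} had no session covering this work")
        if s.end is None:
            findings.append("session never terminated")
        report[f"{s.user}->{s.target}@{s.start:%Y-%m-%dT%H:%M:%SZ}"] = findings
    return report


if __name__ == "__main__":
    for session_key, findings in audit(SAMPLE_LOG, SAMPLE_TICKETS).items():
        print(session_key, "->", findings or "traceable")
```

Run over the constructed sample, the first vendor session traces cleanly, the second has no ticket at all, and the third has a valid ticket but the named supervisor never logged in, which is exactly the "available by phone" supervision the mistakes section warns about. Each non-empty finding list is a maintenance event that cannot be evidenced to an assessor and should become a gap item in the periodic review.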
Common exam/audit questions and hangups
- “Show me the last few maintenance events on in-scope systems. Who supervised, and how do you know?” 2
- “How do you prevent a third party from connecting directly to production systems?” 1
- “What’s your process for emergency break/fix work after hours?” 1
- “Do printer/copier technicians ever access stored images or address books on MFDs, and how is that supervised?” 1
- “If your MSP has admin access, are they ‘maintenance personnel without required access’ or are they authorized admins? Show the authorization basis.” 1
Hangup to expect: teams claim “the third party is reputable” or “we have an NDA.” Neither substitutes for supervised maintenance evidence.
Frequent implementation mistakes and how to avoid them
- Mistake: Policy-only compliance. Fix: require ticket fields, supervisor assignment, and log capture for every event.
- Mistake: Supervision defined as “available by phone.” Fix: require active monitoring via escorted presence or monitored remote session, with evidence.
- Mistake: Over-broad third-party admin accounts. Fix: move to time-bound access and controlled jump paths; keep standing access limited and justified.
- Mistake: Ignoring non-IT maintenance. Fix: include facilities and OT/ICS maintenance paths that can touch networks or CUI-adjacent systems.
- Mistake: No exception process for emergencies. Fix: define break-glass rules plus mandatory post-event review and documentation.
Enforcement context and risk implications
No public enforcement cases were provided in the supplied source catalog for this specific practice. CMMC assessments are conducted against practice implementation and evidence expectations defined under the CMMC program, and failing to show supervised maintenance in operation is a common assessability problem because it relies on operational records, not a one-time configuration. 7
Risk-wise, unsupervised maintenance is a high-impact pathway for:
- CUI exposure during diagnostics or file access
- introduction of unauthorized tools or remote access mechanisms
- security control drift (logging disabled, rules changed, accounts added)
A practical 30/60/90-day execution plan
First 30 days (stabilize and define)
- Name an owner for supervised maintenance (IT operations with security sign-off).
- Write the supervised maintenance procedure and “required access” definition for in-scope systems. 1
- Identify maintenance entry points (remote tools, closets, jump hosts, MFD servicing).
- Update ticket templates to require supervisor assignment and evidence attachments.
Days 31–60 (implement control paths and contracts)
- Implement or tighten jump host / remote support controls for third parties.
- Formalize escorted access procedures with facilities/security.
- Add contract language or SOW requirements for third parties to follow supervised maintenance steps and scheduling.
- Start capturing evidence for every maintenance event and store it in a central assessment repository. Daydream fits well here as the system to map the requirement to controls and track recurring evidence without spreadsheets. 2
Days 61–90 (prove it works and harden)
- Run an internal mini-assessment: pull a sample of maintenance events and verify end-to-end traceability.
- Fix gaps (missing supervisor names, missing logs, unapproved remote tools).
- Train IT and facilities teams on the supervision patterns and ticket gates.
- Establish ongoing review: periodic checks of maintenance tickets and third-party access logs for compliance drift. 1
Frequently Asked Questions
If a third-party technician is fully background-checked, do we still need supervision?
If they lack your required access authorizations for the environment, 3.7.6 still expects supervised maintenance. Treat background checks as a supporting control, not a substitute for supervision evidence. 1
Does 3.7.6 apply to our MSP with admin credentials?
If the MSP is formally authorized for that access level and environment under your access control process, they may not be “without required access.” You still need to show that privileged maintenance is controlled, logged, and governed through approved processes. 1
What counts as “supervision” for remote maintenance?
Use a controlled access path (jump host or approved remote support) and have an authorized employee initiate, monitor, and terminate the session, backed by logs or recordings. A ticket with the supervisor’s name and session evidence is the cleanest audit story. 1
Do printer/copier vendors fall under this requirement?
Yes if they maintain devices or systems that store, process, or can access CUI or connect into the in-scope network. Build an escorted or supervised maintenance pattern for MFD servicing and retain work orders plus access records. 1
How do we handle after-hours break/fix when no supervisor is available?
Define an emergency procedure that still constrains access (for example, remote access only through controlled tools) and requires retrospective supervisor review with evidence capture. Document why the exception occurred and what was verified afterward. 1
What evidence is most persuasive to a CMMC assessor?
Recent maintenance tickets tied to in-scope assets, with supervisor assignment, timestamps, approvals, and supporting logs (visitor logs, jump host logs, session records). Assessors want to see repeatability across multiple events, not a one-off example. 2
Footnotes
1. NIST SP 800-171 Rev. 2
2. DoD CMMC Program Guidance