MA-5(4): Foreign Nationals
MA-5(4): Foreign Nationals requires you to control and formally authorize any maintenance performed by foreign nationals, with explicit conditions, oversight, and evidence that access to systems and data is restricted to what is approved. To operationalize it, you need an intake-and-approval workflow that captures the nationality status of maintenance personnel, contractual controls, supervised access procedures, and audit-ready logs and attestations.
Key takeaways:
- Treat “foreign national maintenance” as a gated activity that requires documented approval, scope limits, and supervision.
- Operational success depends on tight identity/access controls plus maintenance session monitoring and records retention.
- Auditors will look for evidence of authorization, controlled access paths, and repeatable execution, not a policy statement.
The MA-5(4): Foreign Nationals requirement sits in the Maintenance (MA) family and is easy to “write” but harder to run. The practical problem is straightforward: maintenance work often needs elevated access, time-sensitive execution, and third-party support. If the personnel performing that work are foreign nationals (including certain subcontractors), you need additional controls to prevent unauthorized exposure of federal system components, sensitive configurations, logs, or regulated data.
For a CCO, GRC lead, or system owner, the fastest path to compliance is to turn this into an operational gate with three inputs: (1) who is doing the maintenance (identity and nationality status per your defined process), (2) what they can touch (explicit scope, least privilege, segregated maintenance paths), and (3) how you prove it later (approvals, monitoring evidence, and maintenance records). NIST SP 800-53 Rev. 5 provides the control structure, and your job is to translate it into a workflow that engineering and procurement can execute repeatedly without “special favors” during outages.
Regulatory text
Excerpt (as provided): “Ensure that:”
Operator interpretation of the excerpt: The provided catalog excerpt is truncated, but the enhancement label “MA-5(4): Foreign Nationals” indicates the control expectation: you must ensure maintenance involving foreign nationals is explicitly managed and constrained through authorization, access restrictions, oversight, and evidence. Your implementation should read as “we only allow foreign nationals to perform maintenance under defined conditions, and we can prove each instance followed those conditions.”
Plain-English interpretation (what MA-5(4) requires)
MA-5(4) expects you to:
- Identify when maintenance work is performed by foreign nationals (employees or third-party personnel).
- Require explicit approval before such access occurs.
- Limit what systems, components, and data they can access during maintenance.
- Monitor and record the maintenance activity so you can reconstruct what happened.
- Make it repeatable: the process must work during routine changes and urgent break/fix events.
You are not trying to “ban foreign nationals.” You are trying to prevent unreviewed, uncontrolled, or unobservable privileged maintenance that creates data exposure, configuration tampering risk, or supply chain risk.
Who it applies to (entities and operational context)
Entities
- Federal information systems.
- Contractors operating systems that handle federal data (for example, cloud service providers, managed service providers, SaaS vendors, and integrators in a federal boundary).
Operational scenarios that commonly trigger MA-5(4)
- Third-party break/fix support (hardware, hypervisor, network, database, HSMs).
- Managed services (monitoring agents, patching teams, SRE/operations support).
- OEM support channels (remote diagnostics, firmware updates).
- On-site field service and data center work where you do not directly employ the technician.
Systems and assets
- Any environment where maintenance implies elevated access, console access, diagnostics, backups, or configuration changes.
- Maintenance tooling that can reach production (jump hosts, remote support tools, EDR consoles, RMM platforms).
What you actually need to do (step-by-step)
Step 1: Define “foreign national” for your program and map ownership
- Assign a control owner (often IT/security operations for execution; GRC for governance).
- Define how you will determine personnel status for maintenance engagements (for example, onboarding attestation via the third party, HR documentation for employees, and subcontractor disclosure requirements).
- Document scope: which systems and maintenance activities fall under the gate (default to “any privileged maintenance or physical access”).
Execution tip: Don’t let “foreign national determination” become an ad hoc email. Create a structured field in your maintenance request workflow that requires completion before approval.
Step 2: Build a gated maintenance authorization workflow
Create a workflow that must be satisfied before access is granted:
- Maintenance request created (ticket/change record): business justification, systems in scope, time window, and required privileges.
- Personnel identified: names, employer, subcontractor chain, and confirmation of foreign national status per your defined process.
- Risk-based approval: security approval for any foreign national maintenance; system owner approval for scope and outage risk.
- Access path selection: enforce approved access methods (no “direct VPN to prod” exceptions).
- Pre-maintenance checklist: logging enabled, session recording enabled where possible, break-glass process defined for emergencies.
Where Daydream fits: Daydream can track MA-5(4) ownership, document the procedure, and schedule recurring evidence collection so the workflow produces consistent artifacts instead of one-off screenshots.
Step 3: Enforce least privilege and segregation for maintenance sessions
For authorized maintenance by foreign nationals:
- Grant time-bound access to the minimum required systems.
- Use separate maintenance accounts with strong authentication and explicit approval linkage.
- Route activity through controlled choke points (jump host/bastion, PAM broker, or controlled remote support tool).
- Block data exfiltration paths where feasible (clipboard/file transfer controls in remote tools, restricted outbound routes from maintenance enclaves).
- Revoke access promptly after the maintenance window.
Minimum viable control set (auditor-friendly):
- A named request/approval record.
- A defined access method.
- Logged authentication and activity.
- Evidence of timely access removal.
Step 4: Supervise, monitor, and record the maintenance
Your monitoring standard should match the risk of the maintenance:
- Record administrative actions through logs (system logs, IAM logs, remote access logs).
- Prefer session recording for interactive privileged sessions where feasible.
- Require an internal escort for sensitive tasks (live supervision, screen sharing, or step-by-step execution by an internal admin while the third party advises).
Step 5: Closeout, review, and feed lessons learned back into the process
- Close ticket with what changed, by whom, when, and confirmation that access was revoked.
- Attach evidence (log references, session IDs, approvals).
- Review exceptions and near-misses (for example, access requested outside the window).
- Update runbooks and contracts if gaps recur.
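As an added example (not code from the page or from NIST), the following Python reconciliation checks logged privileged sessions against the approved-ticket registry built in Step 2 and reports the gaps Steps 3 and 5 are meant to prevent: missing ticket linkage, incomplete nationality-status determination, out-of-scope systems, out-of-window or off-path sessions, and late revocation. Ticket, account and system names are constructed for the sample.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
@dataclass
class Ticket:                  # an approved, gated maintenance request (Step 2)
    status_method: str         # how foreign-national status was confirmed; "" = not done
    personnel: set             # named maintenance accounts approved for this event
    systems: set               # systems explicitly in scope
    window: tuple              # (start, end) of the approved maintenance window
    revoked_at: "datetime | None" = None  # access removal time recorded at closeout (Step 5)
@dataclass
class Session:                 # one privileged session as logged by the PAM/bastion
    ticket_ref: "str | None"   # ticket id tagged on the session, None if absent
    account: str
    system: str
    start: datetime
    via_bastion: bool          # True when the approved choke point was used (Step 3)

def reconcile(sessions, approved_tickets, revoke_grace=timedelta(hours=1)):
    """Added example, not the page's code: list (reference, finding) MA-5(4) gaps; [] = clean."""
    findings = []
    for s in sessions:
        t = approved_tickets.get(s.ticket_ref)
        if t is None:                                   # "no ticket, no access"
            findings.append((s.account, "no linked approved ticket"))
            continue
        checks = [
            (not t.status_method, "foreign-national status method not completed"),
            (s.account not in t.personnel, f"account {s.account} not on approved list"),
            (s.system not in t.systems, f"system {s.system} outside approved scope"),
            (not t.window[0] <= s.start <= t.window[1], "session outside approved window"),
            (not s.via_bastion, "off-path access bypassing bastion/PAM"),
        ]
        findings += [(s.ticket_ref, msg) for failed, msg in checks if failed]
    for tid, t in approved_tickets.items():  # closeout: access removed promptly after the window
        if t.revoked_at is None or t.revoked_at > t.window[1] + revoke_grace:
            findings.append((tid, "access not revoked within grace period"))
    return findings

def sample_findings():
    w = (datetime(2024, 3, 2, 1, 0), datetime(2024, 3, 2, 5, 0))  # constructed sample window
    tickets = {   # constructed sample: one compliant event, one with several gaps
        "CHG-1001": Ticket("vendor attestation", {"mnt-vendor-a"}, {"db-prod-01"}, w, w[1] + timedelta(minutes=20)),
        "CHG-1002": Ticket("", {"mnt-vendor-b"}, {"hv-prod-03"}, w),
    }
    sessions = [  # constructed sample: the third session carries no ticket linkage at all
        Session("CHG-1001", "mnt-vendor-a", "db-prod-01", w[0] + timedelta(hours=1), True),
        Session("CHG-1002", "mnt-vendor-b", "db-prod-01", w[1] + timedelta(hours=2), False),
        Session(None, "svc-ops", "hv-prod-03", w[0], True),
    ]
    return reconcile(sessions, tickets)
```

Run as a recurring evidence task, the output is the exception list an assessor asks for under “was access limited to only what was approved”, and an empty list is the positive evidence that every sampled session traces back to an approved ticket.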
Required evidence and artifacts to retain
Keep artifacts that prove the control operated for each relevant maintenance event:
Governance artifacts
- MA-5(4) procedure/runbook: authorization steps, access methods, monitoring requirements, and exception handling.
- RACI: who approves, who grants access, who monitors, who reviews.
Per-event artifacts (sample evidence checklist)
- Maintenance ticket/change record with scope and approvals.
- Personnel list for the event, including third-party company and subcontractor disclosure where applicable.
- Access grant evidence: PAM request record, IAM role assignment log, or VPN access approval.
- Monitoring evidence: session recording link/ID (if used), relevant log excerpts, and alert review notes.
- Access removal evidence: role removal logs, account disablement, or expiration confirmation.
- Post-maintenance validation: confirmation of system health and configuration integrity (as applicable).
Third-party artifacts
- Contract clauses or SOW language requiring disclosure of foreign national involvement for maintenance and agreement to your access and monitoring terms.
- Third-party attestations for assigned personnel where your process requires it.
Common exam/audit questions and hangups
Auditors and assessors tend to focus on operational proof:
- “Show me a maintenance event where a foreign national performed work. Where is the approval?”
  - Expect to produce a specific ticket with named approvers and timestamps.
- “How do you know the person was a foreign national?”
  - Have a defined method (attestation, supplier record, HR status) and show it was completed for the event.
- “Was access limited to only what was approved?”
  - Provide the access grant record (role, system, time window) and supporting logs.
- “How do you prevent off-path access?”
  - Demonstrate the approved access architecture (bastion/PAM) and technical controls that block alternate routes.
- “What happens during an outage?”
  - Show your emergency process: who can approve, how you record after-the-fact, and how you revoke access.
Frequent implementation mistakes (and how to avoid them)
| Mistake | Why it fails | Fix |
|---|---|---|
| Policy says “foreign national maintenance requires approval,” but no workflow exists | No repeatability; evidence gaps | Put a required field and approval step in the ticketing system; block access grants without it |
| Treating “foreign national” as only on-site technicians | Remote support often has deeper access | Apply the gate to remote privileged maintenance too |
| Approvals exist, but access is granted via shared admin accounts | No accountability; hard to investigate | Use named accounts and PAM/session control |
| Logging exists, but nobody can retrieve it tied to a specific ticket | Evidence can’t be produced quickly | Require logging references/session IDs in ticket closeout |
| Subcontractors are invisible | Supply chain blind spot | Add SOW language requiring subcontractor disclosure and flow-down of access terms |
Enforcement context and risk implications
No public enforcement cases were provided in the source catalog for this control enhancement, so you should treat MA-5(4) primarily as an assessment and assurance requirement under NIST SP 800-53.
Operationally, failures tend to show up as:
- Unmonitored privileged access by third parties.
- Untracked remote support channels.
- Inability to reconstruct changes after an incident.
- Supply chain exposure when subcontractors access systems outside approved terms.
The risk is not theoretical. Maintenance paths are high-trust by design. If you cannot prove who accessed what during maintenance, you will struggle to defend incident response findings, demonstrate control effectiveness, or pass assessments tied to federal system security requirements.
Practical execution plan (30/60/90-day)
First 30 days (stand up the gate)
- Name the MA-5(4) control owner and approver group.
- Draft the MA-5(4) maintenance-by-foreign-nationals procedure (one to two pages of checklists, not essays).
- Add required fields to maintenance tickets: personnel identity, third party, subcontractor, and foreign national status method.
- Define approved access paths for maintenance (bastion/PAM/remote tool) and block ad hoc methods where feasible.
Days 31–60 (make it work in production)
- Pilot the workflow with one or two high-volume maintenance third parties (MSP, cloud ops partner, OEM).
- Implement session monitoring expectations: at minimum, collect authentication and admin activity logs and tie them to the ticket.
- Update SOW templates: disclosure of foreign national personnel for maintenance, adherence to your access methods, and cooperation with monitoring and record retention.
- Train operations teams on “no ticket, no access” enforcement for maintenance windows.
Days 61–90 (tighten evidence and assessment readiness)
- Run an internal mini-assessment: sample maintenance events and verify you can produce the full evidence package quickly.
- Add exception reporting: any maintenance access without a linked ticket gets investigated and remediated.
- Create recurring evidence tasks in Daydream (or your GRC system): quarterly sampling, artifact checks, and third-party contract verification.
- Expand scope to additional teams (network, database, endpoint engineering) and third parties.
Frequently Asked Questions
Does MA-5(4) require us to prohibit foreign nationals from performing maintenance?
The requirement is about controlled and authorized maintenance, not a blanket prohibition. Your implementation should focus on explicit approval, restricted access, and monitoring for any maintenance performed by foreign nationals.
How do we handle emergency outages where waiting for approvals is unrealistic?
Define an emergency approval path with designated approvers and after-the-fact documentation requirements. The key is that the event still produces a ticket, access records, and monitoring evidence.
Our third party won’t share nationality information. What can we do?
Put the requirement into the contract/SOW as a condition for privileged maintenance access, including subcontractor disclosure. If they cannot provide it, treat the engagement as higher risk and require tighter supervision and access limitations under your policy.
Does this apply to cloud providers and SaaS vendors where we don’t control their staff?
It applies to your system’s maintenance controls and the third-party relationships that support system operation. For services where you cannot control staffing directly, focus on contractual terms, approved support channels, and evidence that support access is governed and logged as agreed.
What evidence do auditors usually accept as proof of “controlled maintenance”?
A complete packet typically includes the maintenance ticket with approvals, access grant/removal logs, and monitoring artifacts tied to the maintenance window. Auditors care most about traceability from approval to access to recorded activity.
Can we satisfy MA-5(4) with a policy and annual training only?
No. Training supports awareness, but the requirement is operational. You need executed tickets, enforced access paths, and logs or session records that show the control worked in real maintenance events.