MA-5(5): Non-system Maintenance
The MA-5(5) Non-system Maintenance enhancement requires you to confirm that any non-escorted person doing “nearby” maintenance work (work not on the system itself) holds the access authorization required for that physical proximity. Operationalize it by defining “physical proximity zones,” tying each zone to authorization criteria, and enforcing badge/visitor controls with auditable logs. 1
Key takeaways:
- Treat “nearby maintenance” as a physical access authorization problem, not an IT maintenance ticketing problem. 1
- If personnel are non-escorted, they must meet the required authorization level for the space they can access. 1
- Your pass/fail evidence is simple: authorization checks plus visitor/badge records mapped to maintenance events near system areas. 2
MA-5(5) is a narrow control enhancement with a predictable audit failure mode: facilities staff or third parties enter sensitive spaces under a “maintenance” pretext without the authorization rigor you apply to system administrators. The enhancement closes that gap by covering maintenance activities that are not directly associated with the system (for example, HVAC, fire suppression, power work, building telecom, cleaning, construction) but occur close enough to the system to put its confidentiality, integrity, or availability at risk.
For a CCO, GRC lead, or Compliance Officer, the fastest way to implement MA-5(5) is to stop debating intent and define operational boundaries. You need a written definition of “physical proximity of the system,” an authorization standard for each relevant space, and a repeatable process that prevents non-escorted work unless the worker has the required access authorization. 1
This page gives requirement-level guidance you can hand to facilities, physical security, data center ops, and third-party management without rewriting it into theory. It also tells you what evidence to retain so an assessor can confirm the control is designed and operating.
Regulatory text
Requirement (verbatim): “Ensure that non-escorted personnel performing maintenance activities not directly associated with the system but in the physical proximity of the system, have required access authorizations.” 1
What the operator must do:
You must prevent “walk-up access” to areas near a system by people doing adjacent maintenance work unless they have the authorization required for that space. The key terms are operational:
- Non-escorted personnel: people allowed to work without continuous escort/supervision by your authorized staff.
- Maintenance activities not directly associated with the system: work on the environment around the system (facilities, utilities, building services), not maintenance on the system’s components.
- Physical proximity of the system: spaces where a person could physically affect the system or its supporting infrastructure, access sensitive interfaces, or disrupt operations.
- Required access authorizations: the level of access approval you designate for the space (badge level, background screening, contract approval, facility access list, or equivalent).
Your job is to define “required” in a way you can enforce consistently, then show it happened for real work orders and visits. 2
Plain-English interpretation
If you let someone work near systems without an escort, they must already be authorized to be there. “They’re just fixing air conditioning” does not bypass access rules if the work takes place in, or adjacent to, rooms where systems or supporting infrastructure are exposed.
This is a physical-security-to-cybersecurity bridge control. You are controlling an attacker path that bypasses logical controls: proximity enables tampering, unplugging, installing rogue devices, viewing console screens, removing media, or causing outages.
Who it applies to (entity and operational context)
Entities:
- Federal information systems and organizations implementing NIST SP 800-53 controls. 2
- Contractors and service providers handling federal data (common in FedRAMP, agency ATO, and flow-down environments). 2
Operational contexts where MA-5(5) shows up in audits:
- Data centers, IDFs/MDFs, network closets, server rooms, comms rooms
- Tenant spaces with shared risers, shared utility corridors, or shared building management systems
- Colocation facilities where third-party technicians perform “remote hands”
- Office spaces with lab gear, test racks, or regulated enclaves
- Facilities work that brings non-IT trades near systems (electricians, HVAC, fire/life safety, cleaning crews, construction)
What you actually need to do (step-by-step)
1) Define “physical proximity” in facility terms
Create a short, testable definition that facilities and security can apply without interpretation battles. Use zones tied to doors and access control points.
Example zone model (edit to fit your site):
- Zone A (System rooms): server rooms, network rooms, security rooms.
- Zone B (Adjacent infrastructure): UPS/battery rooms, generator controls, HVAC controls serving Zone A, telecom demarc, cable trays in secured corridors.
- Zone C (General facility): offices, common hallways, non-sensitive maintenance spaces.
Your definition should specify which zones are “physical proximity of the system” for MA-5(5) purposes (commonly Zones A and B). Keep it aligned to how badges and doors work in reality.
Artifact: “Physical Proximity Zones for Covered Systems” standard with a simple map/list of doors.
2) Set “required access authorizations” per zone
Write a matrix that answers: If someone is non-escorted in Zone A/B, what approvals must be on file?
Typical authorization elements (choose what you can actually verify):
- Identity proofing + badge issuance
- Employment/third-party relationship validation
- Background screening level (if your program uses it)
- Need-to-access approval (system owner/facility owner)
- Training acknowledgement for secure areas (optional but helpful)
Artifact: “Access Authorization Matrix for Non-Escorted Non-System Maintenance.”
3) Decide your allowed models: escort vs. authorization
MA-5(5) is specifically about non-escorted personnel. Operationally, you need a rule that defaults to one of these:
- Model 1 (Preferred for high-risk areas): No authorization, no unescorted access. Visitors must be escorted in Zone A/B.
- Model 2: Pre-authorized third parties may work unescorted in Zone B (or limited Zone A) if they meet your authorization criteria.
Write the rule so the guard desk and facilities scheduler can enforce it without calling the CISO.
Artifact: Physical access/visitor policy section titled “Non-Escorted Maintenance in System Proximity Areas.”
4) Implement a gate in the work intake process
Add one mandatory check to your facilities/work order process:
“Will the work occur in a system proximity zone?”
- If No: normal process.
- If Yes: require either (a) named authorized personnel list, or (b) escort plan with named escorts and timing.
This can be done in a ticketing system, a facilities request form, or a change calendar, but it must create an auditable record.
Artifact: Work order template fields + sample completed tickets.
5) Enforce at the door (badge/visitor operations)
Align guard desk and badge admins to the zone/authorization matrix:
- Non-escorted access in Zone A/B only for individuals with the required authorization on file.
- Visitor badges must be time-bounded and zone-bounded where your badge system supports it.
- If someone shows up not on the authorized list, the only allowed path is escort (if permitted) or reschedule.
Artifact: Visitor logs, badge access reports (door events), and approved access lists.
6) Add third-party due diligence hooks (where applicable)
If a third party will be allowed non-escorted near systems, ensure your third-party onboarding process captures:
- Who is requesting the access and why
- Evidence of meeting your authorization criteria (as defined internally)
- Contractual language or site rules acknowledgement for facility access (as used in your program)
This is where Daydream fits naturally: map MA-5(5) to a control owner, implementation procedure, and recurring evidence artifacts so you can request the same package from facilities and third-party teams every assessment cycle without starting over. 1
7) Test the control with a lightweight operating effectiveness check
Pick recent maintenance events in proximity zones and verify:
- The individuals were either escorted (if your policy allows escort as an alternative) or had the required authorization for non-escorted presence, per your matrix.
- Logs match reality: ticket lists names, visitor system issued badges, doors show access.
Artifact: Quarterly (or periodic) control test worksheet with sampled events and results.
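As an added example (not part of the original page), the following Python script shows how the Step 7 sample test can be automated once Steps 1, 2, 4 and 5 produce structured records: each proximity-zone work order is checked against the zone-by-door model, the per-zone authorization matrix, the approved access list (including approval expiry, so a stale entry fails), the escort rule, and the badge door log (an unlisted person at the door, or a listed person with no badge event, is a finding). All door IDs, names, authorization element labels and records below are constructed assumptions, not data from any real program.

```python
"""Added example: an automated operating-effectiveness check for MA-5(5).

Cross-checks proximity-zone work orders against the zone model, the authorization
matrix, the approved access list and badge door events. Every record below is
constructed sample data; door IDs, names and element labels are assumptions.
"""
from dataclasses import dataclass
from datetime import date, datetime
from typing import Optional

# Step 1: zones are defined by doors so the boundary is testable (assumed door IDs).
DOOR_ZONE = {"D-101": "A", "D-102": "A", "D-201": "B", "D-301": "C"}
PROXIMITY_ZONES = {"A", "B"}

# Step 2: what must be on file for non-escorted presence in each zone.
AUTH_MATRIX = {
    "A": {"identity_badge", "relationship_validated", "screening", "need_to_access"},
    "B": {"identity_badge", "relationship_validated", "need_to_access"},
}

# Approved access list with approval expiry; a stale entry must fail the check.
AUTHORIZED = {
    "j.rivera": {"elements": AUTH_MATRIX["A"], "expires": date(2025, 12, 31)},
    "t.okafor": {"elements": AUTH_MATRIX["B"], "expires": date(2025, 12, 31)},
    "m.chen": {"elements": AUTH_MATRIX["B"], "expires": date(2025, 3, 31)},  # contract ended
}


@dataclass
class WorkOrder:
    wo_id: str
    door: str                      # Step 4 gate: the door the work takes place behind
    personnel: list                # named individuals, never "vendor crew"
    start: datetime
    end: datetime
    escort: Optional[str] = None   # escort model: a named escort carries the authorization


# Constructed badge log: (timestamp, door, badge holder).
DOOR_EVENTS = [
    (datetime(2025, 6, 10, 9, 5), "D-201", "t.okafor"),
    (datetime(2025, 6, 11, 14, 2), "D-101", "m.chen"),
    (datetime(2025, 6, 12, 8, 58), "D-102", "j.rivera"),
    (datetime(2025, 6, 12, 8, 59), "D-102", "vendor.hvac"),
    (datetime(2025, 6, 12, 9, 40), "D-102", "p.doe"),          # on no ticket at all
    (datetime(2025, 6, 12, 10, 15), "D-301", "cleaning.crew"),
]

# Constructed sample of work orders pulled for the quarterly test.
WORK_ORDERS = [
    WorkOrder("WO-1001", "D-201", ["t.okafor"],
              datetime(2025, 6, 10, 9, 0), datetime(2025, 6, 10, 11, 0)),
    WorkOrder("WO-1002", "D-101", ["m.chen"],
              datetime(2025, 6, 11, 13, 0), datetime(2025, 6, 11, 16, 0)),
    WorkOrder("WO-1003", "D-102", ["vendor.hvac"],
              datetime(2025, 6, 12, 8, 30), datetime(2025, 6, 12, 12, 0), escort="j.rivera"),
    WorkOrder("WO-1004", "D-301", ["cleaning.crew"],
              datetime(2025, 6, 12, 10, 0), datetime(2025, 6, 12, 11, 0)),
]


def _authorization_findings(person, zone, on_date, authorized):
    """Reasons why `person` may not be non-escorted in `zone` on `on_date` (empty = OK)."""
    rec = authorized.get(person)
    if rec is None:
        return [f"{person}: not on authorized list for zone {zone}"]
    findings = []
    missing = AUTH_MATRIX[zone] - rec["elements"]
    if missing:
        findings.append(f"{person}: missing {sorted(missing)} for zone {zone}")
    if rec["expires"] < on_date:
        findings.append(f"{person}: authorization expired {rec['expires']}")
    return findings


def check_work_order(wo, door_events=DOOR_EVENTS, authorized=AUTHORIZED):
    """Evaluate one work order the way a Step 7 sample test would."""
    zone = DOOR_ZONE.get(wo.door)
    if zone not in PROXIMITY_ZONES:
        return {"wo": wo.wo_id, "zone": zone, "result": "N/A", "findings": []}
    findings = []
    if not wo.personnel:
        findings.append("no named personnel on proximity-zone work order")
    if wo.escort:
        # Escorted model: verify the escort meets the matrix, not each escorted worker.
        findings += _authorization_findings(wo.escort, zone, wo.start.date(), authorized)
    else:
        for person in wo.personnel:
            findings += _authorization_findings(person, zone, wo.start.date(), authorized)
    # Logs must match the ticket: nobody unlisted at the door, every listed person badged in.
    named = set(wo.personnel) | ({wo.escort} if wo.escort else set())
    in_window = [(ts, holder) for ts, door, holder in door_events
                 if door == wo.door and wo.start <= ts <= wo.end]
    for ts, holder in in_window:
        if holder not in named:
            findings.append(f"unlisted entry by {holder} at {wo.door} {ts:%Y-%m-%d %H:%M}")
    for person in sorted(named):
        if not any(holder == person for _, holder in in_window):
            findings.append(f"{person}: no badge event at {wo.door} during the work window")
    return {"wo": wo.wo_id, "zone": zone,
            "result": "FAIL" if findings else "PASS", "findings": findings}


def run_control_test(work_orders=WORK_ORDERS, door_events=DOOR_EVENTS, authorized=AUTHORIZED):
    """Return {wo_id: result dict} for the sampled work orders; this is the test worksheet."""
    return {wo.wo_id: check_work_order(wo, door_events, authorized) for wo in work_orders}


if __name__ == "__main__":
    for r in run_control_test().values():
        print(r["wo"], r["zone"], r["result"], *r["findings"], sep=" | ")
```

In the constructed sample, WO-1001 passes, WO-1002 fails on both a missing matrix element and an expired approval (the stale-list mistake from the table below), WO-1003 is escorted by an authorized escort but fails because an unlisted badge holder entered the Zone A door during the work window, and WO-1004 is out of scope because it is in Zone C. Each failing line is the finding you would record on the worksheet and follow up with facilities or the third party.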
Required evidence and artifacts to retain
Keep evidence that answers two assessor questions: (1) What is the rule? (2) Did you follow it?
Policy and design evidence
- Physical proximity zone definition (doors/rooms list, maps)
- Access authorization matrix for non-escorted maintenance
- Procedure for facilities/security intake and approval
Operational evidence
- Work orders/tickets for maintenance near systems showing authorization check and named personnel
- Visitor management records (sign-in/out, badge assignment, escort assignment if used)
- Badge access control logs for relevant doors (or an access report)
- Approved access lists (who is authorized for unescorted access in proximity zones) with approval records
Governance evidence
- Control ownership and RACI (facilities, physical security, system owner, third-party management)
- Periodic review records (who reviewed authorized lists; dated approvals)
Common exam/audit questions and hangups
- “Define physical proximity.” Auditors want a boundary tied to physical controls (doors), not a vague statement.
- “Show me non-escorted maintenance events and how you validated authorization.” Expect sampling of real work orders.
- “What counts as authorization?” If you say “approved,” you must show the approving role and the record.
- “Do cleaning crews count?” If they are non-escorted and enter proximity zones, yes under your definition.
- “How do you handle emergencies?” You need an emergency access path that still documents who entered and why, plus after-action review.
Frequent implementation mistakes and how to avoid them
| Mistake | Why it fails | Fix that works |
|---|---|---|
| Treating MA-5(5) as an IT maintenance control | The requirement is about people near systems doing non-system work 1 | Put ownership with physical security/facilities, with GRC oversight |
| “Proximity” defined as “near the data center” | Not testable; assessors cannot sample consistently | Define zones by specific rooms/doors and publish the list |
| Relying on escorting in practice, but not documenting it | You cannot prove the worker was escorted | Record escort name in visitor log or ticket field |
| Authorized list exists but is stale | Offboarding gaps become unescorted access | Add periodic review and remove access on termination/contract end |
| Work orders don’t capture personnel names | You can’t tie authorization to an individual | Require named personnel for proximity-zone work before scheduling |
Enforcement context and risk implications
No public enforcement cases are cited here for this requirement, so treat MA-5(5) as an assessment-driven control expectation rather than a standalone enforcement trigger.
Risk-wise, MA-5(5) reduces exposure to:
- Physical tampering and theft of system components
- Introduction of rogue devices in proximity areas
- Unplanned outages from uncoordinated facilities work near critical infrastructure
For most programs, the practical risk is also assessment failure: if you cannot show authorization checks for unescorted proximity work, assessors will mark the control as not implemented or not effective based on missing evidence. 2
Practical 30/60/90-day execution plan
First 30 days (Immediate)
- Assign a single control owner and cross-functional operators (facilities + physical security + system owner + GRC).
- Draft proximity zone definition and validate it by walking the site (or reviewing floor plans and badge door lists).
- Publish an authorization matrix and the default rule for non-escorted access in those zones.
- Update work order intake: add the “proximity zone?” gate and require named personnel.
Day 31–60 (Near-term)
- Implement guard desk and badge office procedures: check authorized lists before issuing non-escorted access.
- Build the initial authorized personnel list for any third parties who need non-escorted access, or enforce escort-only.
- Start retaining evidence systematically: pick a consistent folder structure and naming standard tied to work order IDs.
Day 61–90 (Operationalize)
- Run an internal test using recent proximity-zone maintenance events; document gaps and remediation.
- Add a recurring review cadence for authorized lists and for a small sample of maintenance events.
- In Daydream, map MA-5(5) to the control owner, the written procedure, and the recurring evidence artifacts so the collection is repeatable for the next assessment cycle. 1
Frequently Asked Questions
Does MA-5(5) require escorting all maintenance workers near systems?
No. It requires that if personnel are non-escorted in physical proximity of the system, they have the required access authorizations. 1 Escorting is a common way to avoid granting non-escorted access, but your policy must be explicit.
What counts as “maintenance activities not directly associated with the system”?
Think facilities and building services work that occurs near the system: HVAC, electrical, fire/life safety, cabling infrastructure, or construction in adjacent spaces. The trigger is proximity to the system, not whether the ticket is opened by IT. 1
How do we prove “required access authorizations” to an auditor?
Keep an authorization matrix (what is required by zone) and show records that the individual met it before being non-escorted. Pair that with visitor/badge logs and the work order showing the job occurred in a proximity zone. 2
We’re in a colocation facility. The colo staff are third parties; how does MA-5(5) apply?
If colo personnel can be unescorted in areas you define as physical proximity of your covered system, your program should require evidence of their authorization level consistent with your matrix. If you cannot get that assurance, enforce escort-only access for such work under your site rules.
What if emergency repairs happen after hours and the “authorized” person isn’t available?
Write an emergency exception process that still captures identity, time, location, purpose, and who approved entry. Then do an after-action review and decide whether to add the worker to the authorized list or keep them escort-only going forward.
Can we satisfy MA-5(5) with a policy statement alone?
A policy is necessary but not sufficient. Assessors will also look for operating evidence: work orders, authorization checks, and physical access records that show non-escorted personnel near systems were authorized under your rules. 1
Footnotes
1. NIST SP 800-53 Rev. 5, MA-5(5) Non-system Maintenance (OSCAL JSON).
2. NIST SP 800-53 Rev. 5.