3.7 MAINTENANCE

3.7.6 Supervise the maintenance activities of maintenance personnel without required access authorization

By William Noble (wnoble2005@gmail.com), 2024-03-02
NIST 800-171 control 3.7.6 requires organizations to supervise maintenance personnel who lack full access permissions. This reduces the risk of unauthorized access and data breaches by ensuring only authorized individuals can perform maintenance. It also holds personnel accountable through supervision and creates an audit trail for tracking activities. Implementation involves defining authorized personnel and their access levels, approving and monitoring maintenance, and regularly reviewing and updating access controls.
This requirement applies to individuals who are performing hardware or software maintenance on organizational systems, while 3.10.1 addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems (e.g., custodial staff, physical plant maintenance personnel). Individuals not previously identified as authorized maintenance personnel, such as information technology manufacturers, vendors, consultants, and systems integrators, may require privileged access to organizational systems, for example, when required to conduct maintenance activities with little or no notice. Organizations may choose to issue temporary credentials to these individuals based on organizational risk assessments. Temporary credentials may be for one-time use or for very limited time periods.

Benefits:

Reduced Risk: By closely monitoring maintenance personnel, organizations significantly reduce the risk of unauthorized access, data modification, or system manipulation.

Enhanced Accountability: Supervision ensures a clear chain of responsibility, making it easier to identify and address any issues that arise during maintenance.

Improved Training: The supervision process can be leveraged to provide additional security awareness and training to maintenance personnel, further strengthening the organization's security posture.

Early Detection: Having a supervisor present increases the likelihood of suspicious activity being identified and addressed promptly, potentially preventing security incidents.

Accountability:

Senior Management:
  Defining policy: Establish and enforce clear policies outlining who requires supervision during maintenance and the specific procedures involved.
  Resource allocation: Allocate sufficient resources, including personnel training and appropriate tools, to ensure effective supervision.
  Oversight: Regularly review and assess the effectiveness of supervision practices and address any identified gaps.

IT Security Team:
  Develop procedures: Design and implement detailed procedures for supervising maintenance activities, outlining roles, responsibilities, and communication protocols.
  Conduct training: Educate personnel on the supervision process, including recognizing potential risks and appropriate escalation procedures.
  Monitor activities: Monitor and document maintenance activities to ensure adherence to established procedures and identify any deviations.

System Owners:
  Identify critical systems: Identify systems containing Controlled Unclassified Information (CUI) or other sensitive data requiring stricter supervision during maintenance.
  Risk assessment: Conduct risk assessments to determine the level of supervision needed for each system and associated maintenance activities.
  Coordinate with IT security: Collaborate with the IT security team to develop and implement effective supervision plans for their systems.

Individual Users:
  Report suspicious activity: Report any observed suspicious activity during maintenance to authorized personnel immediately.
  Maintain awareness: Stay informed about security policies and procedures related to maintenance activities.
  Secure access credentials: Safeguard their access credentials and report any potential compromises promptly.

Implementation:

Authorization Process: Establish a formal process for authorizing maintenance personnel, ensuring only qualified individuals with legitimate needs gain access.

Training: Provide security awareness training to both authorized personnel and supervisors, covering security protocols and potential red flags during maintenance.

Access Control: Implement access control mechanisms like temporary accounts with limited privileges to restrict access to the minimum necessary for maintenance tasks.

Monitoring and Logging: Monitor and log all maintenance activities, including user activity, access attempts, and system changes, for audit and accountability purposes.

Regular Reviews: Conduct periodic reviews of maintenance procedures and access controls to ensure their effectiveness and adapt to evolving security threats.
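One way to turn the access-control and monitoring steps above into a repeatable check, as an added example that is not part of this page or of Q4Q's material: it audits a constructed maintenance-session log against the authorizations (account, system, supervisor, approved window, one-time credential) that a supervised-maintenance process would keep on record. The log format, account names and the supervisor field are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Authorization:          # one approved, supervised maintenance visit
    user: str                 # temporary account issued to the maintainer
    host: str                 # system the visit is approved for
    supervisor: str           # employee who must be present for the session
    start: datetime           # approved window; the credential expires at `end`
    end: datetime
    one_time: bool = False    # credential is valid for a single login only

# Constructed log format for this example, not any real product's.
LOG_RE = re.compile(r"^(\S+) host=(\S+) user=(\S+) supervisor=(\S*) action=(\S+)$")

def audit(lines: list, auths: list) -> list:
    """Return one finding per deviation from the authorizations on record."""
    by_key = {(a.user, a.host): a for a in auths}
    findings, logins = [], {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            findings.append(f"unparseable log line: {line!r}")
            continue
        ts_s, host, user, supervisor, action = m.groups()
        if action != "login":
            continue                      # only session starts are checked here
        ts, who = datetime.fromisoformat(ts_s), f"{ts_s} {user}@{host}"
        auth = by_key.get((user, host))
        if auth is None:
            findings.append(f"{who}: no maintenance authorization on record")
            continue
        if not auth.start <= ts <= auth.end:
            findings.append(f"{who}: login outside approved window {auth.start:%H:%M}..{auth.end:%H:%M}")
        if not supervisor or supervisor != auth.supervisor:
            findings.append(f"{who}: session not supervised by {auth.supervisor}")
        n = logins[(user, host)] = logins.get((user, host), 0) + 1
        if auth.one_time and n > 1:
            findings.append(f"{who}: one-time credential reused")
    return findings

AUTHS = [Authorization("vend-tmp01", "db01", "jsmith", datetime(2024, 3, 2, 9, 0),
                       datetime(2024, 3, 2, 12, 0), one_time=True)]  # constructed approved visit
SAMPLE_LOG = [  # constructed session log to audit
    "2024-03-02T09:58:00 host=db01 user=vend-tmp01 supervisor=jsmith action=login",
    "2024-03-02T10:40:00 host=db01 user=vend-tmp01 supervisor=jsmith action=logout",
    "2024-03-02T10:15:00 host=web02 user=vend-tmp01 supervisor=jsmith action=login",
    "2024-03-02T14:10:00 host=db01 user=vend-tmp01 supervisor= action=login",
    "2024-03-03T08:00:00 host=db01 user=contractor9 supervisor=jsmith action=login",
]

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_LOG, AUTHS)))
```

The first login in the sample is compliant and produces no finding; the later entries show a visit to a system outside the authorization, a login after the window with no supervisor present, a reused one-time credential, and an account with no authorization at all.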


Q4Q Technical Solutions

© q4q.com 1999-2024