MA-5 Maintenance Personnel

Description

This Control applies to individuals performing hardware or software maintenance on organizational information systems, while PE-2 addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems (e.g., custodial staff, physical plant maintenance personnel).

Technical competence of supervising individuals relates to the maintenance performed on the information systems while having required access authorizations refers to maintenance on and near the systems.

Individuals not previously identified as authorized maintenance personnel, such as information technology manufacturers, vendors, systems integrators, and consultants, may require privileged access to organizational information systems, for example, when required to conduct maintenance activities with little or no notice. Based on organizational assessments of risk, organizations may issue temporary credentials to these individuals. Temporary credentials may be for one-time use or for very limited time periods.

Applicability

The owner of an information resource, or designee, is responsible for implementing this Control.

Implementation

TAMU-CC allows only authorized personnel to perform maintenance on the information system, owners shall:

1. Establish a process for maintenance personnel authorization and maintains a list of authorized maintenance organizations or personnel;
2. Ensure that non-escorted personnel performing maintenance on the information system have required access authorizations; and
3. Designate organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.

Revision History

Last Updated: February 21, 2025

Previous Versions:

• June 29, 2023
• May 31, 2022
• March 25, 2021
• September 16, 2019