3.7.6 — Escort Uncleared Techs
What It Says
Supervise the maintenance activities of maintenance personnel without required access authorization.
What It Actually Means
If a maintenance technician — vendor, contractor, or temporary worker — doesn’t have the required access authorization for your CUI environment, they must be supervised for the entire duration of their work. No dropping them in the server room and walking away.
This means: an authorized employee accompanies them at all times, watches what they actually do (at the console and at the rack, not just where they are standing), and documents what was done. The escort must themselves hold the access authorization the technician lacks; an escort who is not authorized for the environment is not supervision. For logical access, issue temporary accounts with the minimum necessary permissions and a short expiration rather than standing accounts, and disable the account when the technician checks out instead of waiting for it to expire.
Pass or Fail
Your assessor needs a “yes” to every row:
| # | Question | What “yes” looks like |
|---|---|---|
| 1 | Are unauthorized maintenance personnel supervised during activities? | Escort policy enforced; logs showing who escorted whom, when, and what work was performed |
What to Have Ready on Assessment Day
Documents they’ll review: Maintenance policy; escort procedures; maintenance records showing escort details; temporary account records; visitor logs; system security plan
People they’ll talk to: Maintenance personnel; information security personnel; anyone who has served as an escort
Live demos they’ll ask for: “Show me your escort procedure for vendor technicians.” “Show me a record of a recent vendor visit.” “How do you handle temporary system access for vendors?”
The Assessor’s Playbook
- “How do you supervise unauthorized maintenance personnel? Show me the procedure.”
- “Show me records from a recent vendor maintenance visit — who escorted, what was done.”
- “Do you create temporary accounts for vendor access? How quickly are they disabled?”
- “Has a vendor ever been left unsupervised? How would you prevent that?”
Where Companies Trip Up
Unescorted vendors. Vendor left alone in the server room while the escort “steps out for a call.” If the escort must leave, the vendor leaves too.
No documentation. Vendor visited, work was done, but there’s no record of who escorted or what was done. Log every detail.
Standing vendor accounts. A permanent account was created for the vendor “for convenience” and never disabled. Use temporary, time-limited accounts every time.
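The three failure modes above (an escort gap mid-visit, a visit with no work record, a vendor account with no expiry that is never disabled) are exactly what an assessor reconstructs from your visitor log, maintenance records and account records. The following is an added example, not the page’s or Ancitus’s code: a small audit that reads constructed visit and temporary-account records and emits a finding for each gap. The record layout, field names, the 24-hour maximum account life and the 15-minute disable grace period are assumptions made for illustration; adapt them to your own maintenance policy.

```python
"""Audit maintenance-visit and temporary-account records for 3.7.6 gaps.

Added example, not the page's or any vendor's code. The record layout,
field names, thresholds and sample data are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class Visit:
    visit_id: str
    vendor: str
    check_in: datetime
    check_out: datetime
    # (escort name, start, end); escorts may hand off to one another mid-visit
    escorts: List[Tuple[str, datetime, datetime]]
    work_performed: str = ""


@dataclass
class TempAccount:
    username: str
    visit_id: str
    created: datetime
    expires: Optional[datetime]      # None = standing account (no expiry set)
    disabled_at: Optional[datetime]  # None = still enabled


def unescorted_gaps(visit: Visit) -> List[Tuple[datetime, datetime]]:
    """Windows between check-in and check-out with no escort on record."""
    gaps = []
    covered_until = visit.check_in
    for _, start, end in sorted(visit.escorts, key=lambda e: e[1]):
        if start > covered_until:
            gaps.append((covered_until, start))
        covered_until = max(covered_until, end)
    if covered_until < visit.check_out:
        gaps.append((covered_until, visit.check_out))
    return gaps


def audit(visits, accounts, now, max_life=timedelta(hours=24),
          disable_grace=timedelta(minutes=15)):
    """Return (visit_id, finding, detail) tuples for every control gap found."""
    findings = []
    by_id = {v.visit_id: v for v in visits}
    for v in visits:
        for start, end in unescorted_gaps(v):
            findings.append((v.visit_id, "unescorted",
                             f"{start:%H:%M}-{end:%H:%M}"))
        if not v.work_performed.strip():
            findings.append((v.visit_id, "no_work_record", v.vendor))
    for a in accounts:
        v = by_id.get(a.visit_id)
        if a.expires is None:
            findings.append((a.visit_id, "standing_account", a.username))
        elif a.expires - a.created > max_life:
            findings.append((a.visit_id, "expiry_too_long", a.username))
        if v is None:
            # An account that maps to no logged visit is itself a finding.
            findings.append((a.visit_id, "account_without_visit", a.username))
            continue
        if a.disabled_at is None and now > v.check_out + disable_grace:
            findings.append((a.visit_id, "enabled_after_visit", a.username))
        elif a.disabled_at is not None and a.disabled_at > v.check_out + disable_grace:
            findings.append((a.visit_id, "late_disable", a.username))
    return findings


def run_sample():
    """Constructed records: one escort hand-off gap, one missing work log,
    one standing vendor account that was never disabled."""
    def d(hour, minute=0):
        return datetime(2024, 3, 5, hour, minute)

    visits = [
        Visit("V-101", "ACME HVAC", d(9), d(12),
              escorts=[("J. Lee", d(9), d(10, 30)), ("M. Cruz", d(10, 45), d(12))],
              work_performed="Replaced CRAC unit filter, rack row B"),
        Visit("V-102", "Storage Vendor Co", d(13), d(15),
              escorts=[("J. Lee", d(13), d(15))],
              work_performed=""),
    ]
    accounts = [
        TempAccount("tmp-acme-101", "V-101", d(9), d(13), disabled_at=d(12, 5)),
        TempAccount("vendor-storage", "V-102", d(13), expires=None, disabled_at=None),
    ]
    # Audit run the next morning, so the never-disabled account shows up.
    return audit(visits, accounts, now=datetime(2024, 3, 6, 9))


if __name__ == "__main__":
    for visit_id, finding, detail in run_sample():
        print(f"{visit_id}: {finding} ({detail})")
```

Run against the constructed records it reports the 15-minute window during which J. Lee had left and M. Cruz had not yet arrived, the V-102 visit with an empty work description, and the `vendor-storage` account both for having no expiry and for still being enabled the next day. The `tmp-acme-101` account produces nothing: it had a four-hour expiry and was disabled five minutes after checkout, which is what a well-run temporary account looks like in the records.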
How to Talk About This
Connected Requirements
| Requirement | Why it matters here |
|---|---|
| 3.7.2 — Control Maintenance Tools | 3.7.2 covers controls on the tools, techniques, mechanisms, and personnel used for maintenance; 3.7.6 is the specific case of personnel who lack the required authorization |
| 3.10.3 — Escort Every Visitor | The general visitor escort and monitoring requirement applies to maintenance personnel in CUI areas as well |
| 3.7.5 — MFA for Remote Maintenance | Nonlocal vendor sessions over external connections need MFA and must be terminated when the work is done; supervising what happens during the session still falls under 3.7.6 |
Implementation
Step-by-step guides for Microsoft 365, AWS, Azure, and GCP are available to Ancitus clients.
CMMC Practice ID: MA.L2-3.7.6 | SPRS Weight: 1 point | POA&M Eligible: Yes