
3.7 MA

639 paragraphs across nine sections. Here is the structure and the decisions that carry the most operational weight.


Document structure

The six MA controls split into three functional groups and the document is organised accordingly. Group A (3.7.1 and 3.7.2) establishes the authorised maintenance framework — the schedule, the maintenance personnel register, and the controls on tools and techniques. Group B (3.7.3 and 3.7.4) covers the handling of equipment and media before, during, and after maintenance — the off-site sanitisation requirement and the diagnostic media malware scan. Group C (3.7.5 and 3.7.6) covers the two access control obligations — MFA for remote sessions and continuous supervision of uncleared vendor personnel.

Section 3 (maintenance log standard) gives the 16-field mandatory template for EV-D21. The template is colour-coded in the document: green for mandatory, amber for mandatory-in-context (mandatory if a vendor is involved, mandatory if equipment is removed). This distinguishes between fields that must be completed for every maintenance event and fields that only apply in specific scenarios.

Section 4 (remote maintenance configuration guide) is a three-column comparison table covering PAM-mediated access, jump host access, and explicitly prohibited configurations. This structure prevents ambiguity — instead of describing the PAM path and leaving engineers to infer what is prohibited, the table names the prohibited configurations directly. Vendor-controlled remote support tools, static passwords, and persistent vendor accounts appear explicitly in the "Prohibited" column.

Section 5 (diagnostic media scanning procedure) is a seven-step numbered procedure rather than an implementation description. It is designed to be followed during a live maintenance event, not read as background material. Every step specifies who performs it and what evidence it generates. Step 3 has an explicit instruction that is easy to miss under time pressure: "Do not connect to any CUI-scope system." The entire value of the scanning workstation depends on it remaining physically separate from CUI-scope systems.


The diagnostic media control — why it matters in 2024

The 3.7.4 implementation description opens with a warning that vendor-supplied diagnostic media and tooling have been used as a supply chain attack vector in documented real-world incidents. This is not theoretical. TRITON/TRISIS reached Triconex safety controllers from a compromised engineering workstation, using the vendor's own engineering protocol to load malicious logic onto the controllers. The Kaseya VSA attack exploited the remote management tool that managed service providers use to administer customer systems and pushed ransomware down through it. The SolarWinds compromise poisoned the Orion build and update mechanism used by thousands of organisations.

For NIST 800-171, the specific risk is a vendor engineer arriving on-site with a USB drive containing a firmware update utility that has been tampered with — either by the attacker compromising the vendor's software build process, or by the attacker having physical access to the vendor engineer's equipment. The 3.7.4 scan is not a comprehensive defence against sophisticated supply chain attacks (a sufficiently patient attacker can evade signature-based AV detection), but it is the required baseline and it catches the vast majority of commodity threats delivered via maintenance media.

The firmware download alternative noted in the 3.7.4 implementation is the more secure approach: rather than accepting media from the vendor engineer, download the firmware directly from the vendor's official website to an organisation-controlled machine and verify the file's SHA-256 against the vendor-published value before it is used. This eliminates the physical media handoff entirely. Two caveats apply. A hash published on the same page as the download proves only that the file arrived intact; if the vendor's site or build process were compromised, the published hash would match the malicious file, so where the vendor signs its firmware (a code-signed image, or a PGP-signed checksum file) verify the signature as well. And the downloaded image is still diagnostic software entering the CUI boundary, so it goes through the Section 5 scan on the isolated scanning workstation just as vendor media would. Where technically possible, this is the preferred method.
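An added example of the verification step, written for this note and not taken from the AT-MA page or from any vendor: it checks a downloaded firmware image against a sha256sum-style manifest and returns a timestamped record that can be pasted into the EV-D21 maintenance log. The sample image bytes and the manifest are constructed for the demo (the manifest is derived from the sample so the example runs offline; a real manifest must come from the vendor, never be generated from the downloaded file). Tolerated manifest quirks, the `*` binary marker and upper-case hex, and the two failure modes, a digest mismatch and a filename absent from the manifest, are handled explicitly.

```python
"""Verify a vendor firmware image against a vendor-published SHA-256 manifest
and emit a contemporaneous, log-ready record. Added example; assumptions:
manifest in sha256sum(1) format ("<hex>  <file>" or "<hex> *<file>"),
sample data below is constructed, not a real vendor image."""
import hashlib
import hmac
from datetime import datetime, timezone


def parse_manifest(text):
    """Map filename -> lowercase hex digest. Tolerates blank lines, comments,
    the '*' binary-mode marker and upper-case hex; rejects malformed digests."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed manifest line: {raw!r}")
        digest, name = parts[0].lower(), parts[1].lstrip("*").strip()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"not a SHA-256 digest: {parts[0]!r}")
        entries[name] = digest
    return entries


def sha256_of(data, chunk_size=1 << 20):
    """Hash bytes or a binary stream; streams are read in chunks so a large
    firmware image is never loaded whole."""
    h = hashlib.sha256()
    if isinstance(data, (bytes, bytearray)):
        h.update(data)
    else:
        for chunk in iter(lambda: data.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_firmware(data, filename, manifest_text, operator="unknown"):
    """Return a record for the maintenance log. 'verified' is True only when
    the computed digest matches the manifest entry for this exact filename."""
    record = {
        "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "file": filename,
        "operator": operator,
        "verified": False,
    }
    expected = parse_manifest(manifest_text).get(filename)
    if expected is None:
        record["reason"] = "filename not present in vendor manifest"
        return record
    actual = sha256_of(data)
    record["expected"] = expected
    record["actual"] = actual
    # Constant-time comparison; on mismatch the image must not be used.
    if hmac.compare_digest(expected, actual):
        record["verified"] = True
    else:
        record["reason"] = "SHA-256 mismatch: image rejected"
    return record


# Constructed sample data (not a real vendor image or manifest).
SAMPLE_IMAGE = b"CONSTRUCTED-FIRMWARE-IMAGE v1.2.3 " + bytes(range(256))
GOOD_MANIFEST = (
    "# constructed manifest in sha256sum(1) format\n"
    f"{hashlib.sha256(SAMPLE_IMAGE).hexdigest().upper()} *fw-1.2.3.bin\n"
)
TAMPERED_IMAGE = SAMPLE_IMAGE[:-1] + b"\x00"  # a single byte altered

if __name__ == "__main__":
    import json
    for label, image in (("genuine", SAMPLE_IMAGE), ("tampered", TAMPERED_IMAGE)):
        rec = verify_firmware(image, "fw-1.2.3.bin", GOOD_MANIFEST, operator="j.smith")
        print(label, json.dumps(rec))
```

The record is produced at the moment of verification, which is the property EV-D21 needs: the digest comparison and its timestamp are written together, not reconstructed afterwards from memory.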


The vendor supervision question — "what if the engineer needs the bathroom"

The assessor interview question in Section 7 for 3.7.6 is deliberately specific: "If a vendor engineer needed to use the bathroom during a maintenance session in the server room, what would happen?" This question, or a variant of it, is asked in DEFSTAN and CMMC assessments because it exposes whether the supervision requirement is genuinely understood or merely documented.

The correct answer is: the vendor engineer stops work, leaves all tools and equipment in the server room, and is escorted to the nearest bathroom by the supervisor. The supervisor accompanies them and returns with them. The maintenance session resumes. No period of unaccompanied access occurs.

Common finding five in Section 8 documents an assessor finding where a supervisor admitted to leaving for approximately 20 minutes. The maintenance log showed supervision throughout — the log was retrospectively completed, not contemporaneous. This is why the supervision confirmation in EV-D24 must be a contemporaneous record, not a retrospective attestation. The log entry should note any breaks in supervision explicitly (even if the answer is "none").


The three evidence items that most commonly appear incomplete

EV-D21 (maintenance log) is frequently missing for reactive or emergency maintenance — the emergency was resolved, it got recorded as an IT helpdesk ticket, but no formal maintenance log entry was created. Add maintenance log creation to the emergency change closure checklist in AT-CM to close this gap.

EV-D32M (diagnostic media scan log) is absent when no vendor maintenance has occurred in the past 12 months, which leads assessors to ask whether the procedure has ever been tested. If there are no vendor maintenance events in the assessment period, document this explicitly in the SSP ("no vendor maintenance requiring diagnostic media was conducted in the assessment period") rather than leaving a gap that requires explanation under pressure.

EV-D05 (MFA coverage report) typically omits vendor maintenance accounts from its scope because the standard MFA coverage report looks at organisational Entra ID accounts, not vendor PAM accounts. Update the quarterly MFA coverage procedure to explicitly include a check on all PAM vendor accounts — confirming each has MFA enrolled and is not configured with static password-only authentication.
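An added example of the widened check, written for this note and not taken from the AT-MA page or from any PAM or Entra ID product: it merges an Entra ID MFA export with a PAM vendor-account export into one report and lists every account that fails the TOTP-minimum, FIDO2-preferred standard, including vendor accounts configured for static password only. Both CSV inputs and their column names are constructed for the demo; real exports carry their own headers and would need a field mapping.

```python
"""Quarterly MFA coverage with PAM vendor accounts in scope. Added example;
the CSV layouts below are assumptions, not any product's export format."""
import csv
import io


def _methods(cell):
    """'password+totp' -> {'password', 'totp'}; an empty cell means no methods."""
    return {m.strip().lower() for m in cell.split("+") if m.strip()}


def classify(methods):
    """Rank registered methods against the standard: FIDO2 preferred, TOTP the
    minimum, and a static password on its own is a finding."""
    if "fido2" in methods:
        return "compliant-fido2"
    if "totp" in methods:
        return "compliant-totp"
    if methods == {"password"}:
        return "noncompliant-password-only"
    return "noncompliant-no-mfa"


def mfa_coverage(entra_csv, pam_csv):
    """One report over both scopes: every account with its source and status,
    the count of PAM accounts actually examined, and the list of gaps."""
    rows = []
    for r in csv.DictReader(io.StringIO(entra_csv)):
        rows.append({"account": r["upn"], "source": "entra",
                     "status": classify(_methods(r["mfa_methods"]))})
    for r in csv.DictReader(io.StringIO(pam_csv)):
        rows.append({"account": r["account"], "source": "pam", "vendor": r["vendor"],
                     "status": classify(_methods(r["auth_methods"]))})
    gaps = [r for r in rows if r["status"].startswith("noncompliant")]
    return {
        "in_scope": len(rows),
        "pam_in_scope": sum(1 for r in rows if r["source"] == "pam"),
        "gaps": gaps,
    }


# Constructed sample exports; vendor names are placeholders.
ENTRA_EXPORT = """upn,mfa_methods
alice@example.com,fido2+totp
bob@example.com,totp
carol@example.com,
"""
PAM_EXPORT = """account,vendor,auth_methods
svc-vendor-storage,ExampleStorageCo,password+totp
svc-vendor-hvac,ExampleHVAC,password
svc-vendor-ups,ExampleUPS,fido2
"""

if __name__ == "__main__":
    report = mfa_coverage(ENTRA_EXPORT, PAM_EXPORT)
    print(f"{report['in_scope']} accounts in scope, {report['pam_in_scope']} from PAM")
    for gap in report["gaps"]:
        print("GAP", gap["source"], gap["account"], gap["status"])
```

The `pam_in_scope` count is the figure to put in the EV-D05 narrative: a report that shows zero PAM accounts examined is exactly the scoping gap the assessor will find.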


Cross-linking in Confluence

The AT-MA page connects to six other family pages.

Link to AT-AC (the PAM platform that mediates vendor remote maintenance sessions is the same PAM platform documented in 3.1.5 and 3.1.15 — vendor account checkout from PAM satisfies both the MA remote maintenance requirement and the AC least privilege requirement for privileged remote commands).

Link to AT-IA (the MFA requirement for vendor maintenance accounts in 3.7.5 uses the same TOTP-minimum, FIDO2-preferred standard as 3.5.3 — vendor accounts are in scope for the quarterly MFA coverage report EV-D05).

Link to AT-MP (the equipment sanitisation procedure in 3.7.3 uses the exact sanitisation methods documented in AT-MP Section 3 — the media type determines the acceptable sanitisation method, and the AT-MP sanitisation procedures are the reference).

Link to AT-PE (vendor maintenance engineers are visitors under the AT-PE visitor management procedure — the EV-D24 visitor log and the supervision requirement in 3.7.6 are served by the same physical visitor record used for AT-PE 3.10.3).

Link to AT-CM (maintenance on CUI-scope systems must go through the change management procedure — scheduled maintenance is a standard change, emergency maintenance uses the emergency RFC process; the maintenance log EV-D21 and the change management record EV-D21 are the same ITSM record).

And link to AT-SI (3.7.4 — scanning diagnostic media for malicious code — uses the AV/EDR platform documented in AT-SI 3.14.2; the scanning workstation runs the same AV product as production endpoints).


Updated library status

Eleven of the fourteen family pages are now complete:

Page                                        Controls   Status
AT-AC · Access Control                      22         Complete
AT-AT · Awareness and Training              3          Complete
AT-AU · Audit and Accountability            9          Complete
AT-CM · Configuration Management            9          Complete
AT-IA · Identification and Authentication   11         Complete
AT-IR · Incident Response                   3          Complete
AT-MA · Maintenance                         6          Complete
AT-MP · Media Protection                    9          Complete
AT-PE · Physical Protection                 6          Complete
AT-SC · System and Comms Protection         16         Complete
AT-SI · System and Info Integrity           7          Complete

Three families remain: AT-PS (Personnel Security, 2 controls: background screening standards and leaver de-provisioning obligations), AT-RA (Risk Assessment, 3 controls: risk assessment methodology, vulnerability scanning programme, and remediation tracking), and AT-CA (Security Assessment: the SSP master document, POA&M process, and continuous monitoring programme). Those three complete the NIST 800-171 family library.