MA-5 Maintenance Personnel

IL4 Mod
IL4 High
IL5
IL6

>Control Description

a. Establish a process for maintenance personnel authorization and maintain a list of authorized maintenance organizations or personnel;

b. Verify that non-escorted personnel performing maintenance on the system possess the required access authorizations; and

c. Designate organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.

>DoD Impact Level Requirements

No specific parameter values or requirements for this impact level.

>Discussion

Maintenance personnel refers to individuals who perform hardware or software maintenance on organizational systems, while PE-2 addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems. Technical competence of supervising individuals relates to the maintenance performed on the systems, while having required access authorizations refers to maintenance on and near the systems. Individuals not previously identified as authorized maintenance personnel, such as information technology manufacturers, vendors, systems integrators, and consultants, may require privileged access to organizational systems, such as when they are required to conduct maintenance activities with little or no notice.

Based on organizational assessments of risk, organizations may issue temporary credentials to these individuals. Temporary credentials may be for one-time use or for very limited time periods.

>Programmatic Queries

Related Services

AWS IAM
AWS IAM Identity Center
AWS CloudTrail

CLI Commands

List IAM roles for maintenance personnel (role names containing "maintenance" or "break-glass"):
    aws iam list-roles --query 'Roles[?contains(RoleName,`maintenance`) || contains(RoleName,`break-glass`)]'

Check CloudTrail for recent AssumeRole events (filter the results to the maintenance roles found above):
    aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=AssumeRole --max-results 20

Get an IAM role's trust policy (who is allowed to assume it):
    aws iam get-role --role-name MAINTENANCE_ROLE_NAME --query 'Role.AssumeRolePolicyDocument'

List access keys for a maintenance user:
    aws iam list-access-keys --user-name MAINTENANCE_USER
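To turn MA-5(a) and (b) into a repeatable check against the output of the lookup-events command above, here is an added example (not part of this control page or of any AWS tooling) that reconciles AssumeRole events on maintenance roles with the organization's list of authorized maintenance personnel; the account id, ARNs, role names, list entries and the one-hour session limit are constructed assumptions.

```python
"""Added example (not from the control page): reconcile AssumeRole events on
maintenance roles against the authorized maintenance personnel list MA-5(a)
requires.  Input mirrors `aws cloudtrail lookup-events` JSON; all values are constructed."""
import json
from datetime import timedelta

ACCT = "arn:aws:iam::111122223333"  # constructed account id
# MA-5(a): the maintained list of authorized maintenance personnel (constructed).
AUTHORIZED_MAINTENANCE = {f"{ACCT}:user/alice.maintenance", f"{ACCT}:user/vendor.bob"}
# Role naming convention, matching the list-roles query above.
MAINTENANCE_ROLE_TAGS = ("maintenance", "break-glass")
# Temporary vendor credentials should be short-lived (assumed policy value).
MAX_SESSION = timedelta(hours=1)

def is_maintenance_role(role_arn: str) -> bool:
    """True when the role name carries one of the maintenance naming tags."""
    return any(tag in role_arn.rsplit("/", 1)[-1].lower() for tag in MAINTENANCE_ROLE_TAGS)

def review_assume_role_events(lookup_events_json: str) -> list:
    """Flag AssumeRole calls on maintenance roles by principals absent from the
    authorized list (MA-5 b) or with sessions longer than MAX_SESSION."""
    findings = []
    for event in json.loads(lookup_events_json)["Events"]:
        detail = json.loads(event["CloudTrailEvent"])  # CloudTrailEvent is a nested JSON string
        if detail.get("eventName") != "AssumeRole":
            continue
        params = detail["requestParameters"]
        if not is_maintenance_role(params["roleArn"]):
            continue  # not a maintenance role; out of scope for MA-5
        principal = detail["userIdentity"]["arn"]
        session = timedelta(seconds=params.get("durationSeconds", 3600))
        if principal not in AUTHORIZED_MAINTENANCE:
            findings.append(("UNAUTHORIZED_PRINCIPAL", principal, params["roleArn"]))
        elif session > MAX_SESSION:
            findings.append(("SESSION_TOO_LONG", principal, params["roleArn"]))
    return findings

def _event(principal: str, role: str, seconds: int) -> dict:
    """One lookup-events record with its nested CloudTrailEvent string (constructed)."""
    body = {"eventName": "AssumeRole", "userIdentity": {"arn": principal},
            "requestParameters": {"roleArn": role, "durationSeconds": seconds}}
    return {"EventName": "AssumeRole", "CloudTrailEvent": json.dumps(body)}

SAMPLE_LOOKUP_OUTPUT = json.dumps({"Events": [  # constructed sample of the CLI output
    _event(f"{ACCT}:user/alice.maintenance", f"{ACCT}:role/maintenance-ops", 3600),
    _event(f"{ACCT}:user/carol", f"{ACCT}:role/break-glass", 3600),
    _event(f"{ACCT}:user/vendor.bob", f"{ACCT}:role/maintenance-ops", 14400),
    _event(f"{ACCT}:user/carol", f"{ACCT}:role/app-deploy", 3600),
]})
```

Running `review_assume_role_events(SAMPLE_LOOKUP_OUTPUT)` yields one unauthorized-principal finding for carol on the break-glass role and one over-long session for vendor.bob; feed it the real `lookup-events` output to review an actual account.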

>Related Controls

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What formal policies and procedures govern the implementation of MA-5 (Maintenance Personnel)?
  • Who are the designated roles responsible for implementing, maintaining, and monitoring MA-5?
  • How frequently is the MA-5 policy reviewed and updated, and what triggers policy changes?
  • What governance structure ensures MA-5 requirements are consistently applied across all systems?

Technical Implementation:

  • Describe the specific technical mechanisms or controls used to enforce MA-5 requirements.
  • What automated tools, systems, or technologies are deployed to implement MA-5?
  • How is MA-5 integrated into your system architecture and overall security posture?
  • What configuration settings, parameters, or technical specifications enforce MA-5 requirements?

Evidence & Documentation:

  • What documentation demonstrates the complete implementation of MA-5?
  • What audit logs, records, reports, or monitoring data validate MA-5 compliance?
  • Can you provide evidence of periodic reviews, assessments, or testing of MA-5 effectiveness?
  • What artifacts would you present during a FedRAMP assessment to demonstrate MA-5 compliance?
