Security Requirements for 03.07.06 Maintenance Personnel

Maintenance personnel refers to individuals who perform hardware or software maintenance on the system, while 03.10.01 addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the system. The technical competence of supervising individuals relates to the maintenance performed on the system, while having required access authorizations refers to maintenance on and near the system. Individuals who have not been previously identified as authorized maintenance personnel (e.g., manufacturers, consultants, systems integrators, and vendors) may require privileged access to the system, such as when they are required to conduct maintenance with little or no notice. Organizations may choose to issue temporary credentials to these individuals based on their risk assessments. Temporary credentials may be for one-time use or for very limited time periods.

View CPRT 03.07.06

  1. 03.07.06.a

    Establish a process for maintenance personnel authorization.

  1. 03.07.06.b

    Maintain a list of authorized maintenance organizations or personnel.

  1. 03.07.06.c

    Verify that non-escorted personnel who perform maintenance on the system possess the required access authorizations.

  1. 03.07.06.d

    Designate organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.