This post explains how to implement logging, continuous monitoring, and structured approval workflows to supervise maintenance activities performed by non-authorized staff (contractors, temporary workers, vendors) to satisfy NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 control MA.L2-3.7.6. It focuses on practical steps a small business can take right away: policy changes, technical controls, evidence collection, and affordable tools to create an auditable, secure maintenance process.
What MA.L2-3.7.6 requires (practical interpretation)
At its core, the control requires that any maintenance performed by personnel who are not explicitly authorized must be supervised in a way that prevents unauthorized change or data exposure and produces auditable artifacts. For small organizations this means: require pre-approval, limit access (time-bound and scoped), monitor sessions and log activity, and retain logs and approvals as evidence. Implementation must show that non-authorized staff cannot perform unsupervised, unlogged maintenance actions on systems processing Controlled Unclassified Information (CUI) or other sensitive assets.
Step-by-step implementation — logging, monitoring, and approvals
Start with a written maintenance policy and a change-request template that requires: system inventory item, scope of work, start/end times, access needed, sponsoring employee, and supervisor/approval sign-off. Integrate that approval into a ticketing system (ServiceNow, Jira Service Management, or a lower-cost option like Freshservice/Jira Core). Require the ticket to exist and be approved before access is granted. Configure temporary credentials (time-limited accounts, JIT elevation) and technical constraints to make the ticket the gate for access.
Logging: what to collect and how
Collect comprehensive logs from endpoints, servers, network devices, the PAM/jump host, remote-access solutions, and the ticketing/approval system. Examples of technical configurations: on Windows, deploy Sysmon for enriched process telemetry and forward the native Windows Event IDs 4688 (process creation), 4672 (privileged logon), and 7045 (service install); use Windows Event Forwarding (WEF) to a collector or run an agent (Wazuh/Splunk/Elastic). On Linux, configure auditd rules (e.g., auditctl -w /etc/sudoers -p wa -k sudo_changes; auditctl -a always,exit -F arch=b64 -S execve -k exec_trace) and forward logs via rsyslog over TLS (TCP 6514) to a central collector. For network devices, use RFC 5424 syslog over TLS. Ensure log timestamps are synchronized (NTP) and that log transport uses TLS with certificate validation. Retain audit logs in a protected, write-once or integrity-checked store (WORM, or hashed archives with SHA-256) for your policy-defined retention period (small-business best practice: hot logs for 90 days, archived for a minimum of 1 year for CUI-related systems).
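One way to build the integrity-checked archive mentioned above is to SHA-256-chain each collector record to its predecessor and store the final digest off-box (for example, in the maintenance ticket). The Python below is an added example, not code from the original post; the record lines and the fixed seed are constructed for illustration.

```python
import hashlib

SEED = b"\x00" * 32  # constructed fixed starting value for a new archive segment

# Constructed sample: a few collector records destined for the archive.
RECORDS = [
    'type=SYSCALL msg=audit(1700003600.101:501): auid=1001 comm="chmod" key="exec_trace"',
    'type=EXECVE msg=audit(1700003600.101:501): argc=3 a0="chmod" a1="750" a2="/srv/cui/exports"',
    "type=USER_END msg=audit(1700007200.000:509): pid=4011 uid=1001 auid=1001 msg='op=PAM:session_close'",
]

def chain(records, seed=SEED):
    """Link each record to its predecessor: h_i = SHA-256(h_{i-1} || record_i).
    The last digest is the anchor to store outside the archive (e.g. in the ticket)."""
    prev = seed
    entries = []
    for rec in records:
        digest = hashlib.sha256(prev + rec.encode("utf-8")).digest()
        entries.append({"record": rec, "sha256": digest.hex()})
        prev = digest
    return entries

def verify(entries, anchor, seed=SEED):
    """Recompute the chain. Return the index of the first record whose link does not
    match, len(entries) if every link matches but the final digest differs from the
    externally stored anchor (a consistent re-chaining), or -1 if the archive is intact."""
    prev = seed
    for i, e in enumerate(entries):
        digest = hashlib.sha256(prev + e["record"].encode("utf-8")).digest()
        if digest.hex() != e["sha256"]:
            return i
        prev = digest
    return -1 if prev.hex() == anchor else len(entries)

if __name__ == "__main__":
    archive = chain(RECORDS)
    anchor = archive[-1]["sha256"]
    print("intact:", verify(archive, anchor))           # -1
    archive[1]["record"] = archive[1]["record"].replace("750", "777")
    print("first bad link:", verify(archive, anchor))   # 1
```

Editing a record breaks every later link; re-chaining the whole archive after an edit is only caught because the anchor lives outside the archive, which is why the final digest belongs with the ticket rather than beside the logs.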
Monitoring and session supervision
Implement active monitoring and session recording. Use a bastion/jump host and force remote maintenance through it so every SSH/RDP session is proxied and recorded (OpenSSH ForceCommand logging, OpenSSH session-recording tools, commercial PAM solutions like BeyondTrust or CyberArk, or affordable options such as Teleport or a bastion host + tlog). Configure SIEM rules to trigger alerts for: maintenance outside approved windows, changes to privileged groups, service installations, large data transfers, or the use of generic vendor accounts. Example rule: if a contractor identity performs 'chown' or 'chmod' on a directory containing CUI and no open approved ticket exists, generate a high-priority alert and automatically notify the sponsor by SMS/email. For remote vendors, require use of company-provided remote access with session shadowing enabled; if the vendor insists on their own tools, require a company observer who can join and record the session.
Approval workflows and temporary access controls
Integrate the approval ticket with access provisioning. Use your IAM/PAM to create time-bound credentials that are automatically revoked when the ticket closes. For cloud: issue temporary STS tokens or use Azure AD PIM eligible-role activation with MFA and activity logging. For on-premises: create temporary sudoers entries (via a configuration-management tool) or issue one-time SSH keys tied to the ticket ID. Keep a human in the loop: a named internal sponsor must approve the work and be available while it is performed. Document the requirement that a company representative act as an observer — either physically or by remote session monitoring — and record an after-action report attached to the ticket along with the relevant logs (screenshots, session recordings, and log extracts, hashed and stored).
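The example rule from the monitoring section and the "ticket as the gate" idea above can be expressed as one correlation: parse the auditd records produced by the exec_trace rule, look up an approved ticket covering the actor and timestamp, and alert on chown/chmod against CUI paths when none exists. This Python is an added example, not code from the original post; the ticket table, the /srv/cui/ location and the audit lines are constructed.

```python
import re
# Constructed approval table: contractor login uid (auid) and approved window (epoch seconds).
TICKETS = [
    {"id": "MAINT-1042", "auid": 1001, "start": 1700000000, "end": 1700007200, "approved": True},
    {"id": "MAINT-1043", "auid": 1002, "start": 1700000000, "end": 1700007200, "approved": False},
]
CUI_PATHS = ("/srv/cui/",)           # assumed location of CUI on this host
WATCHED = {"chown", "chmod", "chgrp"}
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG = re.compile(r"msg=audit\((\d+)\.\d+:(\d+)\)")
# Constructed auditd output from the exec_trace rule: one SYSCALL + one EXECVE record per event.
SAMPLE = """\
type=SYSCALL msg=audit(1700003600.101:501): arch=c000003e syscall=59 success=yes exit=0 uid=1001 auid=1001 comm="chmod" exe="/usr/bin/chmod" key="exec_trace"
type=EXECVE msg=audit(1700003600.101:501): argc=3 a0="chmod" a1="750" a2="/srv/cui/exports"
type=SYSCALL msg=audit(1700010000.222:502): arch=c000003e syscall=59 success=yes exit=0 uid=1001 auid=1001 comm="chown" exe="/usr/bin/chown" key="exec_trace"
type=EXECVE msg=audit(1700010000.222:502): argc=3 a0="chown" a1="vendor:vendor" a2="/srv/cui/db"
type=SYSCALL msg=audit(1700004000.333:503): arch=c000003e syscall=59 success=yes exit=0 uid=1002 auid=1002 comm="chmod" exe="/usr/bin/chmod" key="exec_trace"
type=EXECVE msg=audit(1700004000.333:503): argc=3 a0="chmod" a1="o+rwx" a2="/srv/cui/exports"
type=SYSCALL msg=audit(1700004100.444:504): arch=c000003e syscall=59 success=yes exit=0 uid=1002 auid=1002 comm="chmod" exe="/usr/bin/chmod" key="exec_trace"
type=EXECVE msg=audit(1700004100.444:504): argc=3 a0="chmod" a1="644" a2="/tmp/notes.txt"
""".splitlines()

def parse(lines):
    """Group auditd records by event id: SYSCALL gives who/what, EXECVE gives the argv."""
    events = {}
    for line in lines:
        m = MSG.search(line)
        if not m:
            continue
        ev = events.setdefault(m.group(2), {"ts": int(m.group(1)), "args": []})
        kv = {k: v.strip('"') for k, v in KV.findall(line)}
        if kv["type"] == "SYSCALL":
            ev.update(auid=int(kv["auid"]), comm=kv["comm"])
        elif kv["type"] == "EXECVE":
            ev["args"] = [kv[f"a{i}"] for i in range(int(kv["argc"]))]
    return events

def open_ticket(auid, ts):
    """The ticket is the gate: it must be approved, for this identity, and cover this time."""
    return next((t for t in TICKETS if t["approved"] and t["auid"] == auid
                 and t["start"] <= ts <= t["end"]), None)

def evaluate(events):
    """Return (event id, auid, command line) for watched commands on CUI paths with no open ticket."""
    alerts = []
    for eid, ev in sorted(events.items()):
        on_cui = any(a.startswith(CUI_PATHS) for a in ev["args"])
        if ev.get("comm") in WATCHED and on_cui and open_ticket(ev["auid"], ev["ts"]) is None:
            alerts.append((eid, ev["auid"], " ".join(ev["args"])))
    return alerts
```

Event 501 falls inside MAINT-1042 and is silent; 502 is the same contractor after the window closed, 503 is a contractor whose ticket was never approved, and 504 touches a non-CUI path, so only 502 and 503 alert.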
Real-world small-business scenarios
Example A (local contractor replacing a server disk): the IT director opens a maintenance ticket specifying system, maintenance window, required access (console only), and expected outcomes. A temporary console account is generated by the PAM for a 2-hour window; the contractor connects via the company jump host while an internal technician watches the session. Syslog and auditd capture disk replacement commands and partitioning operations; the session recording and logs are attached to the ticket and archived. Example B (vendor software upgrade): vendor requests remote access. The vendor must use the company-managed remote-access tool that enforces MFA, session recording, and IP allow-listing. The SIEM watches for write access to application config files and unexpected outbound connections during the upgrade window and sends real-time alerts to the sponsor.
Compliance tips, tooling, and best practices
Practical tips: map the maintenance process to artifacts auditors expect (policy, tickets, access logs, session recordings, after-action reports). Start small: centralize logs with an open-source stack (Wazuh + Elastic + Filebeat + Logstash) or a low-cost SIEM (Splunk Light, Datadog). Implement NTP time sync, secure log transport with TLS, and log integrity hashing. Use least-privilege and JIT access for temporary accounts. For vendors, include maintenance rules in contracts (approved methods, required supervision, liability clauses). Maintain a runbook that enumerates which systems demand stricter supervision (CUI hosts) and which can be handled with lighter controls. Periodically test the workflow with tabletop exercises and include forensic-ready steps so logs are preserved if you need to investigate.
Risks of not implementing MA.L2-3.7.6
Failure to supervise non-authorized maintenance opens multiple risks: unauthorized configuration changes, backdoors planted by a malicious or compromised vendor, accidental destruction of data, and undetected exfiltration of CUI. From a compliance perspective, a lack of auditable evidence (tickets, logs, session recordings) can lead to failed assessments, contract penalties, and loss of DoD work for organizations handling CUI. Operationally, unsupervised maintenance increases mean time to detect and mean time to respond, raising the chance that a breach goes unnoticed and giving an intruder more time for lateral movement across critical systems.
In summary, meet MA.L2-3.7.6 by combining policy, process, and technical controls: require pre-approved tickets; enforce temporary, scoped access through IAM/PAM; collect and protect comprehensive logs (endpoint, network, PAM, ticketing); enable session monitoring/recording; and archive approval artifacts and logs with integrity protections. Small businesses can implement these affordably by prioritizing high-risk systems, using open-source collectors and SIEMs, enforcing jump-host access, and baking supervision requirements into vendor contracts and change-control playbooks—producing a defensible, auditable maintenance process that satisfies NIST/CMMC expectations.