Cyber Posture

NIST 800-53 r5 · Controls catalogue · Family MA

MA-5 Maintenance Personnel

Establish a process for maintenance personnel authorization and maintain a list of authorized maintenance organizations or personnel. Verify that non-escorted personnel performing maintenance on the system possess the required access authorizations. Designate organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.

Last updated: 09 May 2026 03:25 UTC

Implementations targeting this control (0)

ATT&CK techniques this control mitigates (0)

Weaknesses this control addresses (5) AI

CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.

| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-862 | Missing Authorization | 8,680 | Maintains lists of authorized personnel and verifies required access authorizations before allowing maintenance. |
| CWE-284 | Improper Access Control | 4,832 | Establishes authorization processes, verification, and supervision to prevent unauthorized access during maintenance activities. |
| CWE-863 | Incorrect Authorization | 3,234 | Verifies that non-escorted maintenance personnel possess required access authorizations to avoid incorrect authorization. |
| CWE-269 | Improper Privilege Management | 2,907 | Manages privileges by authorizing only approved personnel and supervising those lacking required authorizations for maintenance. |
| CWE-285 | Improper Authorization | 1,230 | Requires verification of access authorizations and designation of supervisors for maintenance personnel without proper authorizations. |

Top CVEs where this control is the strongest mitigation

CVE Risk CVSS EPSS Match
No CVEs annotated to this control yet — the per-CVE backfill is in progress.

Other controls in family MA

MA-1 MA-2 MA-3 MA-4 MA-6 MA-7