MNT-01: Maintenance Operations

MNT 9 — Critical Govern

Mechanisms exist to develop, disseminate, review & update procedures to facilitate the implementation of maintenance controls across the enterprise.

Control Question: Does the organization develop, disseminate, review & update procedures to facilitate the implementation of maintenance controls across the enterprise?

General (35)
Framework | Mapping Values
CSA IoT SCF 2 | OPA-01
GovRAMP Low | MA-01
GovRAMP Low+ | MA-01
GovRAMP Moderate | MA-01
GovRAMP High | MA-01
ISO 27002 2022 | 7.13
ISO 27017 2015 | 11.2.4
MPA Content Security Program 5.1 | TS-2.6
NIST Privacy Framework 1.0 | PR.MA-P1
NIST 800-53 R4 | MA-1
NIST 800-53 R4 (low) | MA-1
NIST 800-53 R4 (moderate) | MA-1
NIST 800-53 R4 (high) | MA-1
NIST 800-53 R5 (source) | MA-1
NIST 800-53B R5 (low) (source) | MA-1
NIST 800-53B R5 (moderate) (source) | MA-1
NIST 800-53B R5 (high) (source) | MA-1
NIST 800-82 R3 LOW OT Overlay | MA-1
NIST 800-82 R3 MODERATE OT Overlay | MA-1
NIST 800-82 R3 HIGH OT Overlay | MA-1
NIST 800-160 | 3.4.13
NIST 800-161 R1 | MA-1
NIST 800-161 R1 C-SCRM Baseline | MA-1
NIST 800-161 R1 Flow Down | MA-1
NIST 800-161 R1 Level 1 | MA-1
NIST 800-161 R1 Level 2 | MA-1
NIST 800-161 R1 Level 3 | MA-1
NIST 800-171 R2 (source) | NFO-MA-1
NIST 800-171 R3 (source) | 03.04.03.c 03.07.04.a 03.07.06.a
NIST CSF 2.0 (source) | PR.PS PR.PS-02 PR.PS-03
OWASP Top 10 2021 | A06:2021
SCF CORE Mergers, Acquisitions & Divestitures (MA&D) | MNT-01
SCF CORE ESP Level 1 Foundational | MNT-01
SCF CORE ESP Level 2 Critical Infrastructure | MNT-01
SCF CORE ESP Level 3 Advanced Threats | MNT-01
US (23)
EMEA (8)
Framework | Mapping Values
EMEA EU NIS2 | 21.2(e)
EMEA EU NIS2 Annex | 4.3.2(c)
EMEA Austria | Sec 14 Sec 15
EMEA Belgium | 16
EMEA Saudi Arabia OTCC-1 2022 | 2-13-1-7
EMEA Saudi Arabia SACS-002 | TPC-78
EMEA South Africa | 19
EMEA Spain CCN-STIC 825 | 7.3.4 [OP.EXP.4]
APAC (5)
Framework | Mapping Values
APAC Australia ISM June 2024 | ISM-0305 ISM-1226
APAC Japan ISMAP | 11.2.4
APAC New Zealand HISF 2022 | HHSP15 HML15 HSUP13
APAC New Zealand HISF Suppliers 2023 | HSUP13
APAC New Zealand NZISM 3.6 | 12.5.3.C.01 12.5.3.C.02 12.5.6.C.01 12.5.6.C.02
Americas (1)
Framework | Mapping Values
Americas Canada ITSP-10-171 | 03.04.03.C 03.07.04.A 03.07.06.A

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to develop, disseminate, review & update procedures to facilitate the implementation of maintenance controls across the enterprise.

Level 1 — Performed Informally

Maintenance (MNT) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, of the following criteria to exist:

  • IT personnel use an informal process to implement secure and timely technology asset-specific maintenance operations, including preventative and reactive maintenance operations.
  • Facilities management uses an informal process to facilitate the secure and timely implementation of non-IT maintenance operations, including preventative and reactive maintenance operations.
  • Maintenance operations are decentralized both in terms of change management and execution.
  • Maintenance controls are primarily administrative in nature (e.g., policies & standards) to manage change control processes associated with maintenance operations.

Level 2 — Planned & Tracked

Maintenance (MNT) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, of the following criteria to exist:

  • Technology asset maintenance is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
  • IT/cybersecurity personnel:
      o Identify cybersecurity and data protection controls to appropriately address applicable statutory, regulatory and contractual requirements for technology asset maintenance.
      o Develop and disseminate formal guidance to facilitate a localized/regionalized process to implement secure and timely technology asset-specific maintenance operations, including preventative and reactionary maintenance operations.
  • Maintenance controls are primarily administrative in nature (e.g., policies & standards) to manage change control processes associated with maintenance operations.
  • Asset custodians develop and maintain formalized procedures to conduct controlled and timely maintenance activities throughout the lifecycle of the system, application or service.
  • Maintenance operations may be centralized for certain locations (e.g., datacenters) and decentralized for other locations, both in terms of change management and execution.
  • Facilities management uses a localized/regionalized process to facilitate the secure and timely implementation of non-IT maintenance operations, including preventative and reactionary maintenance operations.
  • Asset custodians track maintenance activities and component failure rates.

Level 3 — Well Defined

Maintenance (MNT) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, of the following criteria to exist:

  • The Chief Information Security Officer (CISO), or similar function with technical competence to address cybersecurity concerns, analyzes the organization's business strategy to determine prioritized and authoritative guidance for technology-related maintenance practices.
  • The CISO, or similar function, develops a security-focused Concept of Operations (CONOPS) that documents management, operational and technical measures to apply defense-in-depth techniques across the enterprise for technology-related maintenance.
  • A Governance, Risk & Compliance (GRC) function, or similar function, provides governance oversight for the implementation of applicable statutory, regulatory and contractual cybersecurity and data protection controls to protect the confidentiality, integrity, availability and safety of the organization's applications, systems, services and data with regards to technology-related maintenance.
  • A steering committee is formally established to provide executive oversight of the cybersecurity and data privacy program, including technology-related maintenance.
  • IT/cybersecurity personnel develop and disseminate formal practices to implement enterprise-wide capability to conduct secure and timely technology asset-specific maintenance operations, including preventative and reactionary maintenance operations.
  • Technology asset-related maintenance operations are centralized in terms of change management and governance. Local/regional practices fall under the broader enterprise-wide technology asset maintenance program.
  • Facilities management uses an enterprise-wide process to facilitate the secure and timely implementation of non-IT maintenance operations, including preventative and reactionary maintenance operations. Local/regional practices fall under the broader enterprise-wide facilities management program.
  • A Change Control Board (CCB), or similar function, centrally manages the process of IT and non-IT maintenance operations to reduce the chance of business interruptions from maintenance operations.

Level 4 — Quantitatively Controlled

Maintenance (MNT) efforts are metrics-driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, of the following criteria to exist:

  • Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
  • Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
  • Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
  • Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
  • Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
  • Both business and technical stakeholders are involved in reviewing and approving proposed changes.

Level 5 — Continuously Improving

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to develop, disseminate, review & update procedures to facilitate the implementation of maintenance controls across the enterprise.

Assessment Objectives

  1. MNT-01_A01 a maintenance policy is developed and documented.
  2. MNT-01_A02 the maintenance policy is disseminated to organization-defined personnel or roles.
  3. MNT-01_A03 maintenance procedures to facilitate the implementation of the maintenance policy and associated maintenance controls are developed and documented.
  4. MNT-01_A04 the maintenance procedures are disseminated to organization-defined personnel or roles.
  5. MNT-01_A05 personnel or roles to whom the maintenance policy is to be disseminated is/are defined.
  6. MNT-01_A06 personnel or roles to whom the maintenance procedures are to be disseminated is/are defined.
  7. MNT-01_A07 one or more of the following organization-defined criteria is/are selected: {organization-level; mission/business process-level; system-level}.
  8. MNT-01_A08 an official to manage the maintenance policy and procedures is defined.
  9. MNT-01_A09 the frequency with which the current maintenance policy is reviewed / updated is defined.
  10. MNT-01_A10 events that would require the current maintenance policy to be reviewed / updated are defined.
  11. MNT-01_A11 the frequency with which the current maintenance procedures are reviewed / updated is defined.
  12. MNT-01_A12 events that would require the maintenance procedures to be reviewed / updated are defined.
  13. MNT-01_A13 the organization's maintenance policy addresses purpose.
  14. MNT-01_A14 the organization's maintenance policy addresses scope.
  15. MNT-01_A15 the organization's maintenance policy addresses roles.
  16. MNT-01_A16 the organization's maintenance policy addresses responsibilities.
  17. MNT-01_A17 the organization's maintenance policy addresses management commitment.
  18. MNT-01_A18 the organization's maintenance policy addresses coordination among organizational entities.
  19. MNT-01_A19 the organization's maintenance policy addresses compliance.
  20. MNT-01_A20 the organization's maintenance policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines.
  21. MNT-01_A21 the organization-defined official is designated to manage the development, documentation, and dissemination of the maintenance policy and procedures.
  22. MNT-01_A22 the current maintenance policy is reviewed / updated at the organization-defined frequency.
  23. MNT-01_A23 the current maintenance policy is reviewed / updated following organization-defined events.
  24. MNT-01_A24 the current maintenance procedures are reviewed / updated at the organization-defined frequency.
  25. MNT-01_A25 the current maintenance procedures are reviewed / updated following organization-defined events.
  26. MNT-01_A26 maintenance management operations are conducted according to documented policies, standards, procedures and/or other organizational directives.
  27. MNT-01_A27 adequate resources (e.g., people, processes, technologies, data and/or facilities) are provided to support maintenance management operations.
  28. MNT-01_A28 responsibility and authority for the performance of maintenance management-related activities are assigned to designated personnel.
  29. MNT-01_A29 personnel performing maintenance management-related activities have the skills and knowledge needed to perform their assigned duties.

Evidence Requirements

E-MNT-02 Maintenance Plan

Documented evidence of a Maintenance Plan. This is program-level documentation, in the form of a runbook, playbook or similar format, that provides guidance on organizational practices that support existing policies and standards.

Maintenance
E-MNT-04 Infrastructure Maintenance

Documented evidence of maintenance activities for the organization's infrastructure and supporting systems.

Maintenance

Technology Recommendations

Micro/Small

  • IT maintenance program

Small

  • IT maintenance program

Medium

  • IT maintenance program

Large

  • IT maintenance program

Enterprise

  • IT maintenance program

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.