Skip to main content

MNT-02: Controlled Maintenance

MNT 10 — Critical Protect

Mechanisms exist to conduct controlled maintenance activities throughout the lifecycle of the Technology Asset, Application and/or Service (TAAS).

Control Question: Does the organization conduct controlled maintenance activities throughout the lifecycle of theTechnology Asset, Application and/or Service (TAAS)?

General (31)
Framework Mapping Values
CSA IoT SCF 2 OPA-01
GovRAMP Low MA-02
GovRAMP Low+ MA-02
GovRAMP Moderate MA-02
GovRAMP High MA-02
ISO 27002 2022 7.13
ISO 27017 2015 11.2.4
MPA Content Security Program 5.1 TS-2.6
NIST 800-53 R4 MA-2
NIST 800-53 R4 (low) MA-2
NIST 800-53 R4 (moderate) MA-2
NIST 800-53 R4 (high) MA-2
NIST 800-53 R5 (source) MA-2
NIST 800-53B R5 (low) (source) MA-2
NIST 800-53B R5 (moderate) (source) MA-2
NIST 800-53B R5 (high) (source) MA-2
NIST 800-82 R3 LOW OT Overlay MA-2
NIST 800-82 R3 MODERATE OT Overlay MA-2
NIST 800-82 R3 HIGH OT Overlay MA-2
NIST 800-160 3.4.13
NIST 800-161 R1 MA-2
NIST 800-171 R2 (source) 3.7.1
NIST 800-171A (source) 3.7.1
NIST 800-171 R3 (source) 03.04.03.c 03.07.04.a 03.07.05.a
NIST 800-171A R3 (source) A.03.04.03.c[01]
NIST CSF 2.0 (source) PR.PS PR.PS-02 PR.PS-03
OWASP Top 10 2021 A06:2021
SCF CORE Mergers, Acquisitions & Divestitures (MA&D) MNT-02
SCF CORE ESP Level 1 Foundational MNT-02
SCF CORE ESP Level 2 Critical Infrastructure MNT-02
SCF CORE ESP Level 3 Advanced Threats MNT-02
US (25)
Framework Mapping Values
US CERT RMM 1.2 TM:SG5.SP2
US CJIS Security Policy 5.9.3 (source) MA-2
US CMMC 2.0 Level 2 (source) MA.L2-3.7.1
US CMMC 2.0 Level 3 (source) MA.L2-3.7.1
US CMS MARS-E 2.0 MA-2
US FedRAMP R4 MA-2
US FedRAMP R4 (low) MA-2
US FedRAMP R4 (moderate) MA-2
US FedRAMP R4 (high) MA-2
US FedRAMP R4 (LI-SaaS) MA-2
US FedRAMP R5 (source) MA-2
US FedRAMP R5 (low) (source) MA-2
US FedRAMP R5 (moderate) (source) MA-2
US FedRAMP R5 (high) (source) MA-2
US FedRAMP R5 (LI-SaaS) (source) MA-2
US FFIEC D3.CC.Re.Int.5 D3.CC.Re.Int.6
US HIPAA Administrative Simplification 2013 (source) 164.310(a)(2)(iv)
US HIPAA Security Rule / NIST SP 800-66 R2 (source) 164.310(a)(2)(iv)
US HIPAA HICP Large Practice 5.L.A
US IRS 1075 MA-2
US NISPOM 2020 8-304
US NNPI (unclass) 9.1 9.2
US - TX DIR Control Standards 2.0 MA-2
US - TX TX-RAMP Level 1 MA-2
US - TX TX-RAMP Level 2 MA-2
EMEA (2)
Framework Mapping Values
EMEA Saudi Arabia SACS-002 TPC-78
EMEA UK DEFSTAN 05-138 2511
APAC (4)
Framework Mapping Values
APAC Australia ISM June 2024 ISM-1079
APAC India SEBI CSCRF PR.MA.S1
APAC Japan ISMAP 11.2.4
APAC New Zealand NZISM 3.6 12.5.3.C.01 12.5.3.C.02 12.5.6.C.01 12.5.6.C.02
Americas (1)
Framework Mapping Values
Americas Canada ITSP-10-171 03.04.03.C 03.07.04.A 03.07.05.A

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to conduct controlled maintenance activities throughout the lifecycle of theTechnology Asset, Application and/or Service (TAAS).

Level 1 — Performed Informally

Maintenance (MNT) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • IT personnel use an informal process to implement secure and timely technology asset-specific maintenance operations, including preventative and reactive maintenance operations.
  • Facilities management uses an informal process to facilitate the secure and timely implementation of non-IT maintenance operations, including preventative and reactive maintenance operations.
  • Maintenance operations are decentralized both in terms of change management and execution.
  • Maintenance controls are primarily administrative in nature (e.g., policies & standards) to manage change control processes associated with maintenance operations.
Level 2 — Planned & Tracked

Maintenance (MNT) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Identify cybersecurity and data protection controls to appropriately address applicable statutory, regulatory and contractual requirements for technology asset maintenance. o Develop and disseminate formal guidance to facilitate a localized/regionalized process to implement secure and timely technology asset-specific maintenance operations, including preventative and reactionary maintenance operations.

  • Technology asset maintenance is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
  • IT/cybersecurity personnel:
  • Maintenance controls are primarily administrative in nature (e.g., policies & standards) to manage change control processes associated with maintenance operations.
  • Asset custodians develop and maintain formalized procedures to conduct controlled and timely maintenance activities throughout the lifecycle of theTechnology Asset, Application and/or Service (TAAS).
  • Maintenance operations may be centralized for certain locations (e.g., datacenters) and decentralized for other locations, both in terms of change management and execution.
  • Facilities management uses a localized/regionalized process to facilitate the secure and timely implementation of non-IT maintenance operations, including preventative and reactionary maintenance operations.
  • Asset custodians track maintenance activities and component failure rates.
  • Administrative processes and technologies exist to conduct controlled and timely maintenance activities throughout the lifecycle of theTechnology Asset, Application and/or Service (TAAS).
  • Administrative processes and technologies exist to enforce a two-pers on rule for implementing changes to sensitive/regulated systems.
Level 3 — Well Defined

Maintenance (MNT) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • IT/cybersecurity personnel develop and disseminate formal practices to implement enterprise-wide capability to conduct secure and timely technology asset-specific maintenance operations, including preventative and reactionary maintenance operations.
  • Technology asset-related maintenance operations are centralized in terms of change management and governance. Local/regional practices fall under the broader enterprise-wide technology asset maintenance program.
  • Facilities management uses an enterprise-wide process to facilitate the secure and timely implementation of non-IT maintenance operations, including preventative and reactionary maintenance operations. Local/regional practices fall under the broader enterprise-wide facilities management program.
  • A Change Control Board (CCB), or similar function, centrally manages the process of IT and non-IT maintenance operations to reduce the chance of business interruptions from maintenance operations.
  • Administrative processes and technologies exist to conduct controlled and timely maintenance activities throughout the lifecycle of theTechnology Asset, Application and/or Service (TAAS).
  • Administrative processes and technologies exist to enforce a two-pers on rule for implementing changes to sensitive/regulated systems.
Level 4 — Quantitatively Controlled

Maintenance (MNT) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
  • Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
  • Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
  • Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
  • Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
  • Both business and technical stakeholders are involved in reviewing and approving proposed changes.
Level 5 — Continuously Improving

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to conduct controlled maintenance activities throughout the lifecycle of theTechnology Asset, Application and/or Service (TAAS).

Assessment Objectives

  1. MNT-02_A01 maintenance, repair and replacement of systems, applications and/or services are scheduled in accordance with manufacturer or vendor specifications and/or organizational requirements.
  2. MNT-02_A02 approved configuration-controlled changes to the system are implemented.
  3. MNT-02_A03 system maintenance is performed.
  4. MNT-02_A04 personnel or roles required to explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance or repairs is/are defined.
  5. MNT-02_A05 information to be removed from associated media prior to removal from organizational facilities for off-site maintenance, repair or replacement is defined.
  6. MNT-02_A06 information to be included in organizational maintenance records is defined.
  7. MNT-02_A07 maintenance, repair and replacement of system components are documented in accordance with manufacturer or vendor specifications and/or organizational requirements.
  8. MNT-02_A08 records of maintenance, repair and replacement of system components are reviewed in accordance with manufacturer or vendor specifications and/or organizational requirements.
  9. MNT-02_A09 all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are approved.
  10. MNT-02_A10 all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are monitored.
  11. MNT-02_A11 personnel or roles is/are required to explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair or replacement.
  12. MNT-02_A12 equipment is sanitized to remove information from associated media prior to removal from organizational facilities for off-site maintenance, repair or replacement.
  13. MNT-02_A13 all potentially impacted controls are checked to verify that the controls are still functioning properly following maintenance, repair or replacement actions.
  14. MNT-02_A14 information is included in organizational maintenance records.

Evidence Requirements

E-MNT-04 Infrastructure Maintenance

Documented evidence of maintenance activities for the organization's infrastructure and supporting systems.

Maintenance

Technology Recommendations

Micro/Small

  • IT maintenance program

Small

  • IT maintenance program

Medium

  • IT maintenance program
  • VisibleOps security management

Large

  • IT maintenance program
  • VisibleOps security management

Enterprise

  • IT maintenance program
  • VisibleOps security management

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.

Manage this control in SCF Connect

Track implementation status, collect evidence, and map controls to your compliance frameworks automatically.

Get Started Free