MNT-03: Timely Maintenance
Mechanisms exist to obtain maintenance support and/or spare parts for Technology Assets, Applications and/or Services (TAAS) within a defined Recovery Time Objective (RTO).
Control Question: Does the organization obtain maintenance support and/or spare parts for Technology Assets, Applications and/or Services (TAAS) within a defined Recovery Time Objective (RTO)?
General (24)
| Framework | Mapping Values |
|---|---|
| CSA IoT SCF 2 | OPA-01 |
| GovRAMP Low+ | MA-06 |
| GovRAMP Moderate | MA-06 |
| GovRAMP High | MA-06 |
| ISO 27002 2022 | 7.13 |
| NIST 800-53 R4 | MA-6 |
| NIST 800-53 R4 (moderate) | MA-6 |
| NIST 800-53 R4 (high) | MA-6 |
| NIST 800-53 R5 (source) | MA-6 |
| NIST 800-53B R5 (moderate) (source) | MA-6 |
| NIST 800-53B R5 (high) (source) | MA-6 |
| NIST 800-82 R3 MODERATE OT Overlay | MA-6 |
| NIST 800-82 R3 HIGH OT Overlay | MA-6 |
| NIST 800-160 | 3.4.13 |
| NIST 800-161 R1 | MA-6 |
| NIST 800-161 R1 Level 3 | MA-6 |
| NIST 800-171 R3 (source) | 03.07.04.a |
| NIST CSF 2.0 (source) | PR.PS-02 PR.PS-03 |
| OWASP Top 10 2021 | A06:2021 |
| PCI DSS 4.0.1 (source) | 10.7 11.3 |
| SCF CORE Mergers, Acquisitions & Divestitures (MA&D) | MNT-03 |
| SCF CORE ESP Level 1 Foundational | MNT-03 |
| SCF CORE ESP Level 2 Critical Infrastructure | MNT-03 |
| SCF CORE ESP Level 3 Advanced Threats | MNT-03 |
US (14)
| Framework | Mapping Values |
|---|---|
| US CERT RMM 1.2 | TM:SG5.SP2 |
| US CJIS Security Policy 5.9.3 (source) | MA-6 |
| US CMS MARS-E 2.0 | MA-6 |
| US FedRAMP R4 | MA-6 |
| US FedRAMP R4 (moderate) | MA-6 |
| US FedRAMP R4 (high) | MA-6 |
| US FedRAMP R5 (source) | MA-6 |
| US FedRAMP R5 (moderate) (source) | MA-6 |
| US FedRAMP R5 (high) (source) | MA-6 |
| US HIPAA HICP Large Practice | 5.L.A |
| US IRS 1075 | MA-6 |
| US NISPOM 2020 | 8-304 |
| US NNPI (unclass) | 9.1 |
| US - TX TX-RAMP Level 2 | MA-6 |
EMEA (1)
| Framework | Mapping Values |
|---|---|
| EMEA UK DEFSTAN 05-138 | 2511 |
Americas (1)
| Framework | Mapping Values |
|---|---|
| Americas Canada ITSP-10-171 | 03.07.04.A |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to obtain maintenance support and/ or spare parts for Technology Assets, Applications and/or Services (TAAS) within a defined Recovery Time Objective (RTO).
Level 1 — Performed Informally
Maintenance (MNT) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- IT personnel use an informal process to implement secure and timely technology asset-specific maintenance operations, including preventative and reactive maintenance operations.
- Facilities management uses an informal process to facilitate the secure and timely implementation of non-IT maintenance operations, including preventative and reactive maintenance operations.
- Maintenance operations are decentralized both in terms of change management and execution.
- Maintenance controls are primarily administrative in nature (e.g., policies & standards) to manage change control processes associated with maintenance operations.
Level 2 — Planned & Tracked
Maintenance (MNT) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Identify cybersecurity and data protection controls to appropriately address applicable statutory, regulatory and contractual requirements for technology asset maintenance. o Develop and disseminate formal guidance to facilitate a localized/regionalized process to implement secure and timely technology asset-specific maintenance operations, including preventative and reactionary maintenance operations.
- Technology asset maintenance is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
- IT/cybersecurity personnel:
- Maintenance controls are primarily administrative in nature (e.g., policies & standards) to manage change control processes associated with maintenance operations.
- Asset custodians develop and maintain formalized procedures to conduct controlled and timely maintenance activities throughout the lifecycle of the system, application or service.
- Maintenance operations may be centralized for certain locations (e.g., datacenters) and decentralized for other locations, both in terms of change management and execution.
- Facilities management uses a localized/regionalized process to facilitate the secure and timely implementation of non-IT maintenance operations, including preventative and reactionary maintenance operations.
Level 3 — Well Defined
Maintenance (MNT) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- IT/cybersecurity personnel develop and disseminate formal practices to implement enterprise-wide capability to conduct secure and timely technology asset-specific maintenance operations, including preventative and reactionary maintenance operations.
- Technology asset-related maintenance operations are centralized in terms of change management and governance. Local/regional practices fall under the broader enterprise-wide technology asset maintenance program.
- Facilities management uses an enterprise-wide process to facilitate the secure and timely implementation of non-IT maintenance operations, including preventative and reactionary maintenance operations. Local/regional practices fall under the broader enterprise-wide facilities management program.
- A Change Control Board (CCB), or similar function, centrally manages the process of IT and non-IT maintenance operations to reduce the chance of business interruptions from maintenance operations.
Level 4 — Quantitatively Controlled
Maintenance (MNT) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
- Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
- Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
- Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
- Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
- Both business and technical stakeholders are involved in reviewing and approving proposed changes.
Level 5 — Continuously Improving
See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to obtain maintenance support and/ or spare parts for Technology Assets, Applications and/or Services (TAAS) within a defined Recovery Time Objective (RTO).
Assessment Objectives
- MNT-03_A01 system components for which maintenance support and/or spare parts are obtained are defined.
- MNT-03_A02 time period within which maintenance support and/or spare parts are to be obtained after a failure are defined.
- MNT-03_A03 maintenance support and/or spare parts are obtained for system components within an organization-defined time period of failure.
Evidence Requirements
- E-MNT-04 Infrastructure Maintenance
-
Documented evidence of maintenance activities for the organization's infrastructure and supporting systems.
Maintenance