MNT-04: Maintenance Tools
Mechanisms exist to control and monitor the use of system maintenance tools.
Control Question: Does the organization control and monitor the use of system maintenance tools?
General (27)
| Framework | Mapping Values |
|---|---|
| CIS CSC 8.1 | 2.7 |
| CIS CSC 8.1 IG3 | 2.7 |
| GovRAMP Core | MA-03 |
| GovRAMP Low+ | MA-03 |
| GovRAMP Moderate | MA-03 |
| GovRAMP High | MA-03 |
| ISO/SAE 21434 2021 | RQ-05-14 |
| NIST 800-53 R4 | MA-3 |
| NIST 800-53 R4 (moderate) | MA-3 |
| NIST 800-53 R4 (high) | MA-3 |
| NIST 800-53 R5 (source) | MA-3 MA-3(5) MA-3(6) |
| NIST 800-53B R5 (moderate) (source) | MA-3 |
| NIST 800-53B R5 (high) (source) | MA-3 |
| NIST 800-53 R5 (NOC) (source) | MA-3(5) MA-3(6) |
| NIST 800-82 R3 MODERATE OT Overlay | MA-3 |
| NIST 800-82 R3 HIGH OT Overlay | MA-3 |
| NIST 800-160 | 3.4.13 |
| NIST 800-161 R1 | MA-3 |
| NIST 800-161 R1 Level 2 | MA-3 |
| NIST 800-161 R1 Level 3 | MA-3 |
| NIST 800-171 R2 (source) | 3.7.2 |
| NIST 800-171A (source) | 3.7.2[a] 3.7.2[b] 3.7.2[c] 3.7.2[d] |
| NIST 800-171 R3 (source) | 03.07.04.a |
| NIST 800-171A R3 (source) | A.03.07.04.a[01] A.03.07.04.a[02] A.03.07.04.a[03] |
| SCF CORE Mergers, Acquisitions & Divestitures (MA&D) | MNT-04 |
| SCF CORE ESP Level 2 Critical Infrastructure | MNT-04 |
| SCF CORE ESP Level 3 Advanced Threats | MNT-04 |
US (16)
| Framework | Mapping Values |
|---|---|
| US CERT RMM 1.2 | AM:SG1.SP1 TM:SG4.SP1 |
| US CJIS Security Policy 5.9.3 (source) | MA-3 |
| US CMMC 2.0 Level 2 (source) | MA.L2-3.7.2 |
| US CMMC 2.0 Level 3 (source) | MA.L2-3.7.2 |
| US CMS MARS-E 2.0 | MA-3 |
| US FedRAMP R4 | MA-3 |
| US FedRAMP R4 (moderate) | MA-3 |
| US FedRAMP R4 (high) | MA-3 |
| US FedRAMP R5 (source) | MA-3 |
| US FedRAMP R5 (moderate) (source) | MA-3 |
| US FedRAMP R5 (high) (source) | MA-3 |
| US HIPAA HICP Large Practice | 5.L.A |
| US IRS 1075 | MA-3 MA-3(5) |
| US NISPOM 2020 | 8-304 |
| US NNPI (unclass) | 9.2 |
| US - TX TX-RAMP Level 2 | MA-3 |
Americas (1)
| Framework | Mapping Values |
|---|---|
| Americas Canada ITSP-10-171 | 03.07.04.A |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to control and monitor the use of system maintenance tools.
Level 1 — Performed Informally
C|P-CMM1 is N/A, since a structured process is required to control and monitor the use of system maintenance tools.
Level 2 — Planned & Tracked
Maintenance (MNT) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Identify cybersecurity and data protection controls to appropriately address applicable statutory, regulatory and contractual requirements for technology asset maintenance. o Develop and disseminate formal guidance to facilitate a localized/regionalized process to implement secure and timely technology asset-specific maintenance operations, including preventative and reactionary maintenance operations.
- Technology asset maintenance is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
- IT/cybersecurity personnel:
- Maintenance controls are primarily administrative in nature (e.g., policies & standards) to manage change control processes associated with maintenance operations.
- Asset custodians develop and maintain formalized procedures to conduct controlled and timely maintenance activities throughout the lifecycle of the system, application or service.
- Maintenance operations may be centralized for certain locations (e.g., datacenters) and decentralized for other locations, both in terms of change management and execution.
- Facilities management uses a localized/regionalized process to facilitate the secure and timely implementation of non-IT maintenance operations, including preventative and reactionary maintenance operations.
- Administrative processes and technologies exist to control and monitor the use of system maintenance tools.
- Administrative processes and technologies exist to inspect maintenance tools carried into a facility by maintenance personnel for improper or unauthorized modifications.
Level 3 — Well Defined
Maintenance (MNT) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- IT/cybersecurity personnel develop and disseminate formal practices to implement enterprise-wide capability to conduct secure and timely technology asset-specific maintenance operations, including preventative and reactionary maintenance operations.
- Technology asset-related maintenance operations are centralized in terms of change management and governance. Local/regional practices fall under the broader enterprise-wide technology asset maintenance program.
- Facilities management uses an enterprise-wide process to facilitate the secure and timely implementation of non-IT maintenance operations, including preventative and reactionary maintenance operations. Local/regional practices fall under the broader enterprise-wide facilities management program.
- A Change Control Board (CCB), or similar function, centrally manages the process of IT and non-IT maintenance operations to reduce the chance of business interruptions from maintenance operations.
- Administrative processes and technologies exist to control and monitor the use of system maintenance tools.
- Administrative processes and technologies exist to inspect maintenance tools carried into a facility by maintenance personnel for improper or unauthorized modifications.
Level 4 — Quantitatively Controlled
Maintenance (MNT) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
- Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
- Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
- Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
- Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
- Both business and technical stakeholders are involved in reviewing and approving proposed changes.
Level 5 — Continuously Improving
See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to control and monitor the use of system maintenance tools.
Assessment Objectives
- MNT-04_A01 tools used to conduct system maintenance are controlled.
- MNT-04_A02 techniques used to conduct system maintenance are controlled.
- MNT-04_A03 mechanisms used to conduct system maintenance are controlled.
- MNT-04_A04 personnel used to conduct system maintenance are controlled.
- MNT-04_A05 the use of maintenance tools that execute with increased privilege is monitored.
- MNT-04_A06 the frequency at which to review previously approved system maintenance tools is defined.
- MNT-04_A07 the use of system maintenance tools is approved.
- MNT-04_A08 the use of system maintenance tools is controlled.
- MNT-04_A09 the use of system maintenance tools is monitored.
- MNT-04_A10 previously approved system maintenance tools are reviewed per an organization-defined frequency.
- MNT-04_A11 maintenance tools are inspected to ensure that the latest software updates and patches are installed.