MNT-05.2: Remote Maintenance Notifications
Mechanisms exist to require maintenance personnel to notify affected stakeholders when remote, non-local maintenance is planned (e.g., date/time).
Control Question: Does the organization require maintenance personnel to notify affected stakeholders when remote, non-local maintenance is planned (e.g., date/time)?
General (25)
| Framework | Mapping Values |
|---|---|
| GovRAMP Low | MA-01 MA-04 |
| GovRAMP Low+ | MA-01 MA-04 |
| GovRAMP Moderate | MA-01 MA-04 |
| GovRAMP High | MA-01 MA-04 |
| MPA Content Security Program 5.1 | TS-2.6 |
| NIST 800-53 R4 | MA-4(2) |
| NIST 800-53 R4 (moderate) | MA-4(2) |
| NIST 800-53 R4 (high) | MA-4(2) |
| NIST 800-53 R5 (source) | MA-1 MA-4 |
| NIST 800-53B R5 (low) (source) | MA-1 MA-4 |
| NIST 800-53B R5 (moderate) (source) | MA-1 MA-4 |
| NIST 800-53B R5 (high) (source) | MA-1 MA-4 |
| NIST 800-82 R3 LOW OT Overlay | MA-1 MA-4 |
| NIST 800-82 R3 MODERATE OT Overlay | MA-1 MA-4 |
| NIST 800-82 R3 HIGH OT Overlay | MA-1 MA-4 |
| NIST 800-161 R1 | MA-1 MA-4 |
| NIST 800-161 R1 C-SCRM Baseline | MA-1 MA-4 |
| NIST 800-161 R1 Flow Down | MA-1 MA-4 |
| NIST 800-161 R1 Level 1 | MA-1 |
| NIST 800-161 R1 Level 2 | MA-1 MA-4 |
| NIST 800-161 R1 Level 3 | MA-1 MA-4 |
| NIST 800-171 R2 (source) | NFO-MA-4(2) |
| SCF CORE ESP Level 1 Foundational | MNT-05.2 |
| SCF CORE ESP Level 2 Critical Infrastructure | MNT-05.2 |
| SCF CORE ESP Level 3 Advanced Threats | MNT-05.2 |
US (9)
| Framework | Mapping Values |
|---|---|
| US CJIS Security Policy 5.9.3 (source) | MA-1 MA-4 |
| US CMS MARS-E 2.0 | MA-4(2) |
| US FedRAMP R4 | MA-4(2) |
| US FedRAMP R4 (moderate) | MA-4(2) |
| US FedRAMP R4 (high) | MA-4(2) |
| US HIPAA HICP Large Practice | 5.L.A |
| US IRS 1075 | MA-1 MA-4 |
| US - TX DIR Control Standards 2.0 | MA-1 MA-4 |
| US - TX TX-RAMP Level 2 | MA-4(2) |
EMEA (1)
| Framework | Mapping Values |
|---|---|
| EMEA Israel CDMO 1.0 | 12.7 |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to require maintenance personnel to notify affected stakeholders when remote, non-local maintenance is planned (e.g., date/time).
Level 1 — Performed Informally
C|P-CMM1 is N/A, since a structured process is required to require maintenance personnel to notify affected stakeholders when remote, non-local maintenance is planned (e.g., date/time).
Level 2 — Planned & Tracked
Maintenance (MNT) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Identify cybersecurity and data protection controls to appropriately address applicable statutory, regulatory and contractual requirements for technology asset maintenance. o Develop and disseminate formal guidance to facilitate a localized/regionalized process to implement secure and timely technology asset-specific maintenance operations, including preventative and reactionary maintenance operations.
- Technology asset maintenance is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
- IT/cybersecurity personnel:
- Maintenance controls are primarily administrative in nature (e.g., policies & standards) to manage change control processes associated with maintenance operations.
- Asset custodians develop and maintain formalized procedures to conduct controlled and timely maintenance activities throughout the lifecycle of the system, application or service.
- Maintenance operations may be centralized for certain locations (e.g., datacenters) and decentralized for other locations, both in terms of change management and execution.
- Facilities management uses a localized/regionalized process to facilitate the secure and timely implementation of non-IT maintenance operations, including preventative and reactionary maintenance operations.
- Administrative processes require maintenance personnel to obtain pre-approval and scheduling for non-local maintenance sessions.
- Administrative processes require maintenance personnel to notify organization-defined personnel when non-local maintenance is planned (e.g., date/time).
Level 3 — Well Defined
Maintenance (MNT) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- IT/cybersecurity personnel develop and disseminate formal practices to implement enterprise-wide capability to conduct secure and timely technology asset-specific maintenance operations, including preventative and reactionary maintenance operations.
- Technology asset-related maintenance operations are centralized in terms of change management and governance. Local/regional practices fall under the broader enterprise-wide technology asset maintenance program.
- Facilities management uses an enterprise-wide process to facilitate the secure and timely implementation of non-IT maintenance operations, including preventative and reactionary maintenance operations. Local/regional practices fall under the broader enterprise-wide facilities management program.
- A Change Control Board (CCB), or similar function, centrally manages the process of IT and non-IT maintenance operations to reduce the chance of business interruptions from maintenance operations.
- Administrative processes require maintenance personnel to obtain pre-approval and scheduling for non-local maintenance sessions.
- Administrative processes require maintenance personnel to notify organization-defined personnel when non-local maintenance is planned (e.g., date/time).
Level 4 — Quantitatively Controlled
See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to require maintenance personnel to notify affected stakeholders when remote, non-local maintenance is planned (e.g., date/time).
Level 5 — Continuously Improving
See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to require maintenance personnel to notify affected stakeholders when remote, non-local maintenance is planned (e.g., date/time).
Assessment Objectives
- MNT-05.2_A01 personnel and roles to be notified of the date and time of planned nonlocal maintenance is/are defined.
- MNT-05.2_A02 personnel and roles are notified of the date and time of planned nonlocal maintenance.