MNT-06.1: Maintenance Personnel Without Appropriate Access
Mechanisms exist to ensure the risks associated with maintenance personnel who do not have appropriate access authorizations, clearances or formal access approvals are appropriately mitigated.
Control Question: Does the organization ensure the risks associated with maintenance personnel who do not have appropriate access authorizations, clearances or formal access approvals are appropriately mitigated?
General (18)
| Framework | Mapping Values |
|---|---|
| GovRAMP Moderate | MA-05(01) |
| GovRAMP High | MA-05(01) |
| NIST 800-53 R4 | MA-5(1) MA-5(2) MA-5(3) MA-5(4) |
| NIST 800-53 R4 (high) | MA-5(1) |
| NIST 800-53 R5 (source) | MA-5(1) MA-5(2) MA-5(3) MA-5(4) |
| NIST 800-53B R5 (high) (source) | MA-5(1) |
| NIST 800-53 R5 (NOC) (source) | MA-5(2) MA-5(3) MA-5(4) |
| NIST 800-82 R3 HIGH OT Overlay | MA-5(1) |
| NIST 800-161 R1 | MA-5(4) |
| NIST 800-161 R1 Flow Down | MA-5(4) |
| NIST 800-161 R1 Level 2 | MA-5(4) |
| NIST 800-161 R1 Level 3 | MA-5(4) |
| NIST 800-171 R2 (source) | 3.7.6 |
| NIST 800-171 R3 (source) | 03.07.06.a 03.07.06.c 03.07.06.d |
| NIST 800-171A R3 (source) | A.03.07.06.c |
| SCF CORE Mergers, Acquisitions & Divestitures (MA&D) | MNT-06.1 |
| SCF CORE ESP Level 2 Critical Infrastructure | MNT-06.1 |
| SCF CORE ESP Level 3 Advanced Threats | MNT-06.1 |
US (9)
| Framework | Mapping Values |
|---|---|
| US CMMC 2.0 Level 2 (source) | MA.L2-3.7.6 |
| US FedRAMP R4 | MA-5(1) |
| US FedRAMP R4 (moderate) | MA-5(1) |
| US FedRAMP R4 (high) | MA-5(1) |
| US FedRAMP R5 (source) | MA-5(1) |
| US FedRAMP R5 (moderate) (source) | MA-5(1) |
| US FedRAMP R5 (high) (source) | MA-5(1) |
| US HIPAA HICP Large Practice | 5.L.A |
| US - TX TX-RAMP Level 2 | MA-5(1) |
EMEA (3)
| Framework | Mapping Values |
|---|---|
| EMEA Israel CDMO 1.0 | 12.7 |
| EMEA Saudi Arabia OTCC-1 2022 | 2-13-1-7 |
| EMEA UK DEFSTAN 05-138 | 2513 |
APAC (2)
| Framework | Mapping Values |
|---|---|
| APAC Australia ISM June 2024 | ISM-0306 |
| APAC New Zealand NZISM 3.6 | 12.5.4.C.01 12.5.4.C.02 12.5.4.C.03 12.5.4.C.04 |
Americas (1)
| Framework | Mapping Values |
|---|---|
| Americas Canada ITSP-10-171 | 03.07.06.A 03.07.06.C 03.07.06.D |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to ensure the risks associated with maintenance personnel who do not have appropriate access authorizations, clearances or formal access approvals are appropriately mitigated.
Level 1 — Performed Informally
C|P-CMM1 is N/A, since a structured process is required to ensure the risks associated with maintenance personnel who do not have appropriate access authorizations, clearances or formal access approvals are appropriately mitigated.
Level 2 — Planned & Tracked
Maintenance (MNT) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Identify cybersecurity and data protection controls to appropriately address applicable statutory, regulatory and contractual requirements for technology asset maintenance. o Develop and disseminate formal guidance to facilitate a localized/regionalized process to implement secure and timely technology asset-specific maintenance operations, including preventative and reactionary maintenance operations.
- Technology asset maintenance is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
- IT/cybersecurity personnel:
- Maintenance controls are primarily administrative in nature (e.g., policies & standards) to manage change control processes associated with maintenance operations.
- Asset custodians develop and maintain formalized procedures to conduct controlled and timely maintenance activities throughout the lifecycle of the system, application or service.
- Maintenance operations may be centralized for certain locations (e.g., datacenters) and decentralized for other locations, both in terms of change management and execution.
- Facilities management uses a localized/regionalized process to facilitate the secure and timely implementation of non-IT maintenance operations, including preventative and reactionary maintenance operations.
- Administrative processes ensure the risks associated with maintenance personnel who do not have appropriate access authorizations, clearances or formal access approvals are appropriately mitigated.
Level 3 — Well Defined
Maintenance (MNT) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- IT/cybersecurity personnel develop and disseminate formal practices to implement enterprise-wide capability to conduct secure and timely technology asset-specific maintenance operations, including preventative and reactionary maintenance operations.
- Technology asset-related maintenance operations are centralized in terms of change management and governance. Local/regional practices fall under the broader enterprise-wide technology asset maintenance program.
- Facilities management uses an enterprise-wide process to facilitate the secure and timely implementation of non-IT maintenance operations, including preventative and reactionary maintenance operations. Local/regional practices fall under the broader enterprise-wide facilities management program.
- A Change Control Board (CCB), or similar function, centrally manages the process of IT and non-IT maintenance operations to reduce the chance of business interruptions from maintenance operations.
- Administrative processes ensure the risks associated with maintenance personnel who do not have appropriate access authorizations, clearances or formal access approvals are appropriately mitigated.
Level 4 — Quantitatively Controlled
See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to ensure the risks associated with maintenance personnel who do not have appropriate access authorizations, clearances or formal access approvals are appropriately mitigated.
Level 5 — Continuously Improving
See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to ensure the risks associated with maintenance personnel who do not have appropriate access authorizations, clearances or formal access approvals are appropriately mitigated.
Assessment Objectives
- MNT-06.1_A01 maintenance personnel without required access authorization are supervised during maintenance activities.
- MNT-06.1_A02 organizational personnel with required access authorizations are designated to supervise the maintenance activities of personnel who do not possess the required access authorizations.
- MNT-06.1_A03 procedures for the use of maintenance personnel who lack appropriate security clearances or are not U.S. citizens are implemented and include approved organizational personnel who are fully cleared, have appropriate access authorizations and are technically qualified escorting and supervising maintenance personnel without the needed access authorization during the performance of maintenance and diagnostic activities.
- MNT-06.1_A04 procedures for the use of maintenance personnel who lack appropriate security clearances or are not U.S. citizens are implemented and include all volatile information storage components within the system being sanitized and all non-volatile storage media being removed or physically disconnected from the system and secured prior to initiating maintenance or diagnostic activities.
- MNT-06.1_A05 alternate controls are developed and implemented in the event that a system cannot be sanitized, removed or disconnected from the system.
- MNT-06.1_A06 personnel performing maintenance and diagnostic activities on a system processing, storing or transmitting sensitive / regulated data possess security clearances for at least the highest classification level and for compartments of information on the system.
- MNT-06.1_A07 personnel performing maintenance and diagnostic activities on a system processing, storing or transmitting sensitive / regulated data possess formal access approvals for at least the highest classification level and for compartments of information on the system.
- MNT-06.1_A08 personnel performing maintenance and diagnostic activities on a system processing, storing or transmitting sensitive / regulated data are U.S. citizens.
- MNT-06.1_A09 foreign nationals are used to conduct maintenance and diagnostic activities on systems only when approved and authorized.
- MNT-06.1_A10 approvals regarding the use of foreign nationals to conduct maintenance and diagnostic activities on classified systems are fully documented within Memoranda of Agreements.
- MNT-06.1_A11 consents regarding the use of foreign nationals to conduct maintenance and diagnostic activities on classified systems are fully documented within Memoranda of Agreements.
- MNT-06.1_A12 detailed operational conditions regarding the use of foreign nationals to conduct maintenance and diagnostic activities on classified systems are fully documented within Memoranda of Agreements.
- MNT-06.1_A13 non-escorted personnel who perform maintenance on the system possess the required access authorizations.
- MNT-06.1_A14 organizational personnel with required technical competence are designated to supervise the maintenance activities of personnel who do not possess the required access authorizations.
Evidence Requirements
- E-MNT-01 Maintenance - Authorized Maintenance Personnel
-
Documented evidence of personnel who have designated maintenance roles.
Maintenance
Technology Recommendations
Micro/Small
- Role Based Access Control (RBAC)
Small
- Role Based Access Control (RBAC)
Medium
- Role Based Access Control (RBAC)
Large
- Role Based Access Control (RBAC)
Enterprise
- Role Based Access Control (RBAC)