Skip to main content

MNT-06.2: Non-System Related Maintenance

MNT 5 — Medium Protect

Mechanisms exist to ensure that non-escorted personnel performing non-IT maintenance activities in the physical proximity of systems have required access authorizations.

Control Question: Does the organization ensure that non-escorted personnel performing non-IT maintenance activities in the physical proximity of systems have required access authorizations?

General (8)
Framework Mapping Values
NIST 800-53 R4 MA-5(5)
NIST 800-53 R5 (source) MA-5(5)
NIST 800-53 R5 (NOC) (source) MA-5(5)
NIST 800-171 R2 (source) 3.7.6
NIST 800-171 R3 (source) 03.07.06.a 03.07.06.c
NIST 800-171A R3 (source) A.03.07.06.c
SCF CORE ESP Level 2 Critical Infrastructure MNT-06.2
SCF CORE ESP Level 3 Advanced Threats MNT-06.2
US (2)
Framework Mapping Values
US CMMC 2.0 Level 2 (source) MA.L2-3.7.6
US IRS 1075 MA-5(5)
Americas (1)
Framework Mapping Values
Americas Canada ITSP-10-171 03.07.06.A 03.07.06.C

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to ensure that non-escorted personnel performing non-IT maintenance activities in the physical proximity of systems have required access authorizations.

Level 1 — Performed Informally

Maintenance (MNT) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • IT personnel use an informal process to implement secure and timely technology asset-specific maintenance operations, including preventative and reactive maintenance operations.
  • Facilities management uses an informal process to facilitate the secure and timely implementation of non-IT maintenance operations, including preventative and reactive maintenance operations.
  • Maintenance operations are decentralized both in terms of change management and execution.
Level 2 — Planned & Tracked

Maintenance (MNT) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Identify cybersecurity and data protection controls to appropriately address applicable statutory, regulatory and contractual requirements for technology asset maintenance. o Develop and disseminate formal guidance to facilitate a localized/regionalized process to implement secure and timely technology asset-specific maintenance operations, including preventative and reactionary maintenance operations.

  • Technology asset maintenance is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
  • IT/cybersecurity personnel:
  • Maintenance controls are primarily administrative in nature (e.g., policies & standards) to manage change control processes associated with maintenance operations.
  • Asset custodians develop and maintain formalized procedures to conduct controlled and timely maintenance activities throughout the lifecycle of the system, application or service.
  • Maintenance operations may be centralized for certain locations (e.g., datacenters) and decentralized for other locations, both in terms of change management and execution.
  • Facilities management uses a localized/regionalized process to facilitate the secure and timely implementation of non-IT maintenance operations, including preventative and reactionary maintenance operations.
Level 3 — Well Defined

Maintenance (MNT) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • IT/cybersecurity personnel develop and disseminate formal practices to implement enterprise-wide capability to conduct secure and timely technology asset-specific maintenance operations, including preventative and reactionary maintenance operations.
  • Technology asset-related maintenance operations are centralized in terms of change management and governance. Local/regional practices fall under the broader enterprise-wide technology asset maintenance program.
  • Facilities management uses an enterprise-wide process to facilitate the secure and timely implementation of non-IT maintenance operations, including preventative and reactionary maintenance operations. Local/regional practices fall under the broader enterprise-wide facilities management program.
  • A Change Control Board (CCB), or similar function, centrally manages the process of IT and non-IT maintenance operations to reduce the chance of business interruptions from maintenance operations.
Level 4 — Quantitatively Controlled

See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to ensure that non-escorted personnel performing non-IT maintenance activities in the physical proximity of systems have required access authorizations.

Level 5 — Continuously Improving

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to ensure that non-escorted personnel performing non-IT maintenance activities in the physical proximity of systems have required access authorizations.

Assessment Objectives

  1. MNT-06.2_A01 non-escorted personnel performing maintenance activities not directly associated with the system but in the physical proximity of the system have required access authorizations.
  2. MNT-06.2_A02 non-escorted personnel who perform maintenance on the system possess the required access authorizations.

Technology Recommendations

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.

Manage this control in SCF Connect

Track implementation status, collect evidence, and map controls to your compliance frameworks automatically.

Get Started Free