MNT-10: Maintenance Validation

There is no evidence of a capability to validate: (1) Maintenance activities were appropriately performed according to the work order; and (2) Security controls are operational.

C|P-CMM1 is N/A, since a structured process is required to validate: (1) Maintenance activities were appropriately performed according to the work order; and (2) Security controls are operational.

Maintenance (MNT) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Identify cybersecurity and data protection controls to appropriately address applicable statutory, regulatory and contractual requirements for technology asset maintenance. o Develop and disseminate formal guidance to facilitate a localized/regionalized process to implement secure and timely technology asset-specific maintenance operations, including preventative and reactionary maintenance operations.

• Technology asset maintenance is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
• IT/cybersecurity personnel:
• Maintenance controls are primarily administrative in nature (e.g., policies & standards) to manage change control processes associated with maintenance operations.
• Asset custodians develop and maintain formalized procedures to conduct controlled and timely maintenance activities throughout the lifecycle of the system, application or service.
• Maintenance operations may be centralized for certain locations (e.g., datacenters) and decentralized for other locations, both in terms of change management and execution.
• Facilities management uses a localized/regionalized process to facilitate the secure and timely implementation of non-IT maintenance operations, including preventative and reactionary maintenance operations.

Maintenance (MNT) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:

• IT/cybersecurity personnel develop and disseminate formal practices to implement enterprise-wide capability to conduct secure and timely technology asset-specific maintenance operations, including preventative and reactionary maintenance operations.
• Technology asset-related maintenance operations are centralized in terms of change management and governance. Local/regional practices fall under the broader enterprise-wide technology asset maintenance program.
• Facilities management uses an enterprise-wide process to facilitate the secure and timely implementation of non-IT maintenance operations, including preventative and reactionary maintenance operations. Local/regional practices fall under the broader enterprise-wide facilities management program.
• A Change Control Board (CCB), or similar function, centrally manages the process of IT and non-IT maintenance operations to reduce the chance of business interruptions from maintenance operations.

See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to validate: (1) Maintenance activities were appropriately performed according to the work order; and (2) Security controls are operational.

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to validate: (1) Maintenance activities were appropriately performed according to the work order; and (2) Security controls are operational.