MA-1—Policy And Procedures
>Control Description
Enterprises should ensure that C-SCRM is included in maintenance policies and procedures and any related SCRM Strategy/Implementation Plan, SCRM Policies, and SCRM Plan(s) for all enterprise information systems and networks. With many maintenance contracts, information on mission-, enterprise-, and system-specific objectives and requirements is shared between the enterprise and its suppliers, developers, system integrators, external system service providers, and other ICT/OT-related service providers, creating vulnerabilities and opportunities for attack. In many cases, the maintenance of systems is outsourced to a system integrator, and as such, appropriate measures must be taken. Even when maintenance is not outsourced, the supply chain affects upgrades, patches, the frequency of maintenance, replacement parts, and other aspects of system maintenance.
Maintenance policies should be defined for both the system and the network. The maintenance policy should reflect controls based on a risk assessment (including criticality analysis), such as remote access, the roles and attributes of maintenance personnel who have access, the frequency of updates, the duration of the contract, the logistical path and method used for updates or maintenance, and monitoring and audit mechanisms. The maintenance policy should state which tools are explicitly allowed or not allowed. For example, in the case of software maintenance, the contract should state what access to source code, test cases, and other items is needed to maintain a system or its components.
Maintenance policies should be refined and augmented at each level. At Level 1, the policy should explicitly assert that C-SCRM should be applied throughout the SDLC, including maintenance activities. At Level 2, the policy should reflect the mission operation’s needs and critical functions. At Level 3, it should reflect the specific system needs. The requirements in Level 1, such as nonlocal maintenance, should flow to Level 2 and Level 3. For example, when nonlocal maintenance is not allowed by Level 1, it should also not be allowed at Level 2 or Level 3.
The enterprise should communicate applicable maintenance policy requirements to relevant prime contractors and require that they implement this control and flow down this requirement to relevant sub-tier contractors.
>Cross-Framework Mappings