Secure Controls Framework
Download The SCF

Maintenance (MNT)

Domain Principle

Proactively maintain Technology Assets, Applications and Services (TAAS) through authorized maintenance practices that preserve performance, security, compliance, resilience and supportability.

Domain Intent

Organizations perform, monitor and document maintenance for TAAS, including third-party-supported or hosted technologies, to preserve operational effectiveness and apply additional scrutiny to end-of-life or unsupported components.

Domain Guide

Systems that are not maintained degrade. Firmware becomes outdated, patches accumulate, performance degrades and supportability erodes. The MNT domain governs authorized maintenance practices for TAAS to preserve performance, security, compliance, resilience and supportability across the asset lifecycle.

 

The SCF's intent for MNT adds specific scrutiny for End of Life (EoL) and unsupported components. This matters because EoL assets are a persistent security problem. Vendors stop releasing patches; known vulnerabilities accumulate without remediation; compensating controls are often inadequate substitutes for current software. MNT requires organizations to apply additional scrutiny to these assets rather than treating them as acceptable business as usual.

 

MNT is distinct from Vulnerability and Patch Management (VPM) because maintenance encompasses more than patching. Hardware maintenance, third-party-supported system oversight and the documentation of maintenance activities are all within MNT scope. VPM governs the specific discipline of identifying and remediating vulnerabilities; MNT governs the broader practice of keeping systems supportable and operational.