Create a control for review/maintenance/upkeep

[funnelfiasco]

In discussing #302 today:

• Don’t have a specific guidance around keeping dependencies up to date
• Have a policy for addressing SCA findings, but not frequency
• VM-05.03 somewhat addresses this at level 3
• Evan would like a “heartbeat” that the project is maintained
• Decision: have a level 2 or 3 control around frequency of review / maintenance / upkeep
• Decision: consider adding a criteria around a dated statement that the software is currently maintained (this is an inverse of DO-04 and DO-05, because @evankanderson doesn't believe in statements about the future)