Back to Control Explorer



Control Acronym



System And Information Integrity

CMMC Level


800-171 Control #


CMMC Description

Monitor system security alerts and advisories and take action in response.

CMMC Clarification

Organizations should receive security alerts, advisories, and directives from reputable external organizations. You base identification of these organizations on sector, industry, and the technology you use. There are many ways to received alerts and advisories and may include: * signing up for email distributions * subscribing to RSS feeds * attending meetings. Organizations should review alerts and advisories for applicability as they receive them. An organization decides on its own review cycle. The more frequent the alerts and advisories, the more frequent the reviews. This ensures that the organization has the most up-to-date information. External alerts and advisories may prompt an organization to generate internal security alerts, advisories, or directives. Share these with all personnel with a need-to-know. The individuals should take action to respond to the alerts. Actions vary according to the alert or advisory. Sometimes it may require a system configuration update. Other times, the organization may use the information for situational awareness purposes. Example One of your IT responsibilities is to protect your organization’s computers. As part of your job you decide you need to pay attention to security alerts and advisories to keep aware of the latest threats and risks. You decide to receive alerts from US-CERT and a set of ISACs. You review the alerts on a weekly basis to determine if they are relevant to your organization. When you identify one you follow your plan to correct information system flaws in a timely manner, such as installing a patch.

800-171 Description

Monitor system security alerts and advisories and take action in response.

800-171 Discussion

There are many publicly available sources of system security alerts and advisories. For example, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) generates security alerts and advisories to maintain situational awareness across the federal government and in nonfederal organizations. Software vendors, subscription services, and industry information sharing and analysis centers (ISACs) may also provide security alerts and advisories. Examples of response actions include notifying relevant external organizations, for example, external mission/business partners, supply chain partners, external service providers, and peer or supporting organizations[SP 800-161] provides guidance on supply chain risk management.

Other Source Discussion


CIS Control References

CIS Controls v7.1 6.5, 6.6

NIST 800-53 Control Ref.

NIST SP 800-53 Rev 4 SI-5

CMMC Derived

NIST CSF Control References

NIST 800-171 References

NIST SP 800-171 Rev 1 3.14.3

Applicable FAR Clause

NIST CSF Control Reference


CERT RMM Reference


Modification of NIST 800-171B Reference

NIST 800-171B Reference

UK NCSCCyber Reference

AS ACSC Reference


Assessment Sub-Criteria 1

SI.2.214.[a] response actions to system security alerts and advisories are identified;

Assessment Sub-Criteria 2

SI.2.214.[b] system security alerts and advisories are monitored; and

Assessment Sub-Criteria 3

SI.2.214.[c] actions in response to system security alerts and advisories are taken.

Assessment Sub-Criteria 4

Assessment Sub-Criteria 5

Assessment Sub-Criteria 6

Assessment Sub-Criteria 7

Assessment Sub-Criteria 8

Assessment Sub-Criteria 9

Assessment Sub-Criteria 10

Assessment Sub-Criteria 11

Assessment Sub-Criteria 12

Assessment Sub-Criteria 13

Assessment Sub-Criteria 14

Assessment Sub-Criteria 15