Back to Control Explorer



Control Acronym



System And Information Integrity

CMMC Level


800-171 Control #


CMMC Description

Monitor individuals and system components on an ongoing basis for anomalous or suspicious behavior.

CMMC Clarification

Monitoring for anomalous or suspicious behavior can be done with signatures, statistical analysis, analytics or machine learning on user activity events. The analysis seeks to find patterns amongst data generated by user activity. This is different than traditional security applications that analyze events. This class of analysis is typically called User and Entity Behavior Analytics (UEBA). Example You are working the night shift in the Security Operations Center (SOC). You notice alerts related to someone from accounting. That person doesn’t use their computer at this time of night so the monitoring system has identified anomalous activity. The algorithms identify activity outside business hours and an excessive data upload from a key server on the network using that account. You initiate an investigation to determine the source and risk from the data exfiltration.

800-171 Description

800-171 Discussion


Other Source Discussion

DRAFT NIST SP 800-171B Monitoring is used to identify unusual or unauthorized activities or conditions related to individual users and system components, for example, unusual internal systems communications traffic; unauthorized exporting of information; signaling to external systems; large file transfers; long-time persistent connections; attempts to access information from unexpected locations; unusual protocols and ports in use; and attempted communications with suspected malicious external addresses The correlation of physical audit record information and the audit records from systems may assist organizations in identifying examples of anomalous behavior. For example, the correlation of an individual’s identity for logical access to certain systems with the additional information that the individual was not present at the facility when the logical access occurred, is indicative of anomalous behavior. Indications of increased risk from individuals can be obtained from many sources including human resource records, intelligence agencies, law enforcement organizations, and other sources. The monitoring of specific individuals is closely coordinated with management, legal, security, privacy, and human resource officials in organizations conducting such monitoring, and in certain circumstances requires the prior authorization by a specified senior organizational official.

CIS Control References

CIS Controls v7.1 13.3, 16.12, 16.13

NIST 800-53 Control Ref.

NIST SP 800-53 Rev 4 SI-4

CMMC Derived

NIST CSF Control References

NIST 800-171 References

Applicable FAR Clause

NIST CSF Control Reference

NIST CSF v1.1 DE.CM-1, DE.CM-3

CERT RMM Reference


Modification of NIST 800-171B Reference

NIST 800-171B Reference

Draft NIST SP 800-171B 3.14.2e

UK NCSCCyber Reference

AS ACSC Reference


Assessment Sub-Criteria 1

Assessment Sub-Criteria 2

Assessment Sub-Criteria 3

Assessment Sub-Criteria 4

Assessment Sub-Criteria 5

Assessment Sub-Criteria 6

Assessment Sub-Criteria 7

Assessment Sub-Criteria 8

Assessment Sub-Criteria 9

Assessment Sub-Criteria 10

Assessment Sub-Criteria 11

Assessment Sub-Criteria 12

Assessment Sub-Criteria 13

Assessment Sub-Criteria 14

Assessment Sub-Criteria 15