Back to Control Explorer
SI.5.223
Content
Control Acronym
SI
Family
System And Information Integrity
CMMC Level
5
800-171 Control #
N/A
CMMC Description
Monitor individuals and system components on an ongoing basis for anomalous or suspicious behavior.
CMMC Clarification
Monitoring for anomalous or suspicious behavior can be done with signatures, statistical analysis, analytics or machine learning on user activity events. The analysis seeks to find patterns amongst data generated by user activity. This is different than traditional security applications that analyze events. This class of analysis is typically called User and Entity Behavior Analytics (UEBA). Example You are working the night shift in the Security Operations Center (SOC). You notice alerts related to someone from accounting. That person doesn’t use their computer at this time of night so the monitoring system has identified anomalous activity. The algorithms identify activity outside business hours and an excessive data upload from a key server on the network using that account. You initiate an investigation to determine the source and risk from the data exfiltration.
800-171 Description
800-171 Discussion
N/A
Other Source Discussion
DRAFT NIST SP 800-171B Monitoring is used to identify unusual or unauthorized activities or conditions related to individual users and system components, for example, unusual internal systems communications traffic; unauthorized exporting of information; signaling to external systems; large file transfers; long-time persistent connections; attempts to access information from unexpected locations; unusual protocols and ports in use; and attempted communications with suspected malicious external addresses The correlation of physical audit record information and the audit records from systems may assist organizations in identifying examples of anomalous behavior. For example, the correlation of an individual’s identity for logical access to certain systems with the additional information that the individual was not present at the facility when the logical access occurred, is indicative of anomalous behavior. Indications of increased risk from individuals can be obtained from many sources including human resource records, intelligence agencies, law enforcement organizations, and other sources. The monitoring of specific individuals is closely coordinated with management, legal, security, privacy, and human resource officials in organizations conducting such monitoring, and in certain circumstances requires the prior authorization by a specified senior organizational official.
CIS Control References
CIS Controls v7.1 13.3, 16.12, 16.13
NIST 800-53 Control Ref.
NIST SP 800-53 Rev 4 SI-4
CMMC Derived
NIST CSF Control References
NIST 800-171 References
Applicable FAR Clause
NIST CSF Control Reference
NIST CSF v1.1 DE.CM-1, DE.CM-3
CERT RMM Reference
CERT RMM v1.2 MON:SG1.SP3
Modification of NIST 800-171B Reference
NIST 800-171B Reference
Draft NIST SP 800-171B 3.14.2e