CMMC SI.2.214 - Monitor Security Alert and Respond

CMMC SI.2.214 - Monitor Security Alert and Respond

Requirement text: SI.2.214: Monitor system security alerts and advisories and take action in response.

DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
There are many publicly available sources of system security alerts and advisories. The
United States Computer Emergency Readiness Team (US-CERT) generates security alerts
and advisories to maintain situational awareness across the federal government and in
nonfederal organizations. Software vendors, subscription services, and relevant industry
information sharing and analysis centers (ISACs) may also provide security alerts and
advisories. Examples of response actions include notifying relevant external organizations,
for example, external mission/business partners, supply chain partners, external service
providers, and peer or supporting organizations.

NIST SP 800-161 provides guidance on supply chain risk management.

CMMC CLARIFICATION
Organizations should receive security alerts, advisories, and directives from reputable
external organizations. You base identification of these organizations on sector, industry,
and the technology you use. There are many ways to received alerts and advisories and may
include:
      • signing up for email distributions;
      • subscribing to RSS feeds; and
      • attending meetings.

Organizations should review alerts and advisories for applicability as they receive them. An
organization decides on its own review cycle. The more frequent the alerts and advisories,
the more frequent the reviews. This ensures that the organization has the most up-to-date
information.

External alerts and advisories may prompt an organization to generate internal security
alerts, advisories, or directives. Share these with all personnel with a need-to-know. The
individuals should take action to respond to the alerts. Actions vary according to the alert
or advisory. Sometimes it may require a system configuration update. Other times, the
organization may use the information for situational awareness purposes.

Example
One of your IT responsibilities is to protect your organization’s computers. As part of your
job you decide you need to pay attention to security alerts and advisories to keep aware of
the latest threats and risks. You decide to receive alerts from US-CERT and a set of ISACs. You
review the alerts on a weekly basis to determine if they are relevant to your organization.
When you identify one you follow your plan to correct information system flaws in a timely
manner, such as installing a patch.

References
• NIST SP 800-171 Rev 1 3.14.3
• CIS Controls v7.1 6.5, 6.6
• NIST CSF v1.1 RS.AN-5
• CERT RMM v1.2 IMC:SG2.SP1
• NIST SP 800-53 Rev 4 SI-5

    • Related Articles

    • CMMC SI.2.216 - Monitor Systems Communications Traffic

      Requirement text: SI.2.216: Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2 System monitoring includes ...

    • Security Assessment: SP 800-171 Security Family 3.12

      A security requirement assessment is the testing and/or evaluation of the management, operational, and technical security requirements on a system to determine the extent to which the requirements are implemented correctly, operating as intended, and ...

    • System and Information Integrity: SP 800-171 Security Family 3.14

      Integrity is defined as guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity. It is the assertion that data can only be accessed or modified by the authorized employees. ...

    • CMMC SI.5.223 - Monitor Individual and Systems for Anomalous Behavior

      Requirement text: SI.5.223: Monitor individuals and system components on an ongoing basis for anomalous or suspicious behavior. DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171B Monitoring is used to identify unusual or unauthorized activities or ...

    • CMMC AU.3.046 - Alert Logging Failures

      Requirement text: AU.3.046: Alert in the event of an audit logging process failure. DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2 Audit logging process failures include software and hardware errors, failures in the audit record capturing ...