Requirement text: SI.5.223: Monitor individuals and system components on an ongoing basis for
anomalous or suspicious behavior.
DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171B
Monitoring is used to identify unusual or unauthorized activities or conditions related to
individual users and system components, for example, unusual internal systems
communications traffic; unauthorized exporting of information; signaling to external
systems; large file transfers; long-time persistent connections; attempts to access
information from unexpected locations; unusual protocols and ports in use; and attempted
communications with suspected malicious external addresses.
The correlation of physical audit record information and the audit records from systems may
assist organizations in identifying examples of anomalous behavior. For example, the
correlation of an individual’s identity for logical access to certain systems with the additional
information that the individual was not present at the facility when the logical access
occurred is indicative of anomalous behavior. Indications of increased risk from individuals
can be obtained from many sources including human resource records, intelligence agencies,
law enforcement organizations, and other sources. The monitoring of specific individuals is
closely coordinated with management, legal, security, privacy, and human resource officials
in organizations conducting such monitoring, and in certain circumstances requires the prior
authorization by a specified senior organizational official.
CMMC CLARIFICATION
Monitoring for anomalous or suspicious behavior can be done with signatures, statistical
analysis, analytics or machine learning on user activity events. The analysis seeks to find
patterns amongst data generated by user activity. This differs from traditional security
applications that analyze individual events. This class of analysis is typically called User and
Entity Behavior Analytics (UEBA).
Example
You are working the night shift in the Security Operations Center (SOC). You notice alerts
related to someone from accounting. That person doesn’t use their computer at this time of
night, so the monitoring system has identified anomalous activity. The algorithms identify
activity outside business hours and an excessive data upload from a key server on the
network using that account. You initiate an investigation to determine the source and risk
from the data exfiltration.
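As an added illustration of the UEBA-style analysis described in the CMMC clarification and of the night-shift scenario above (example code written for this page, not from NIST or CMMC), the following Python builds a per-account baseline from constructed sample events and flags the three signals the text mentions: activity outside the account's observed hours, an upload far above the account's own norm, and logical access on a day the badge records show the person off-site. The account name, timestamps, volumes and badge records are all constructed.

```python
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample data (not real logs): (account, ISO timestamp, bytes uploaded)
HISTORY = [
    ("acct-user", "2019-10-01T09:15:00", 2_000_000),
    ("acct-user", "2019-10-02T10:40:00", 1_500_000),
    ("acct-user", "2019-10-03T14:05:00", 2_500_000),
    ("acct-user", "2019-10-04T11:20:00", 1_800_000),
]
# Constructed physical-access (badge) records: (account, date) -> on site that day?
BADGE = {("acct-user", "2019-10-04"): True, ("acct-user", "2019-10-07"): False}


def build_baseline(history):
    """Per-account baseline: hours of day seen active, mean/stdev of upload size."""
    per_user = {}
    for user, ts, nbytes in history:
        entry = per_user.setdefault(user, {"hours": set(), "sizes": []})
        entry["hours"].add(datetime.fromisoformat(ts).hour)
        entry["sizes"].append(nbytes)
    for entry in per_user.values():
        entry["mean"] = mean(entry["sizes"])
        entry["stdev"] = pstdev(entry["sizes"])
    return per_user


def score_event(event, baseline, badge, z_threshold=3.0):
    """Return the reasons an event looks anomalous (empty list = nothing unusual)."""
    user, ts, nbytes = event
    when = datetime.fromisoformat(ts)
    base = baseline.get(user)
    if base is None:
        return ["no baseline for account"]
    reasons = []
    # 1. Activity at an hour this account has never been seen active (off-hours).
    if when.hour not in base["hours"]:
        reasons.append(f"activity at {when.hour:02d}:00, outside observed hours")
    # 2. Upload volume far above the account's own norm (z-score against baseline).
    if base["stdev"]:
        z = (nbytes - base["mean"]) / base["stdev"]
    else:  # single-valued history: any increase counts, nothing else does
        z = float("inf") if nbytes > base["mean"] else 0.0
    if z > z_threshold:
        reasons.append(f"upload of {nbytes} bytes is {z:.0f} stdev above baseline")
    # 3. Logical access on a day the badge records say the person was not on site.
    if badge.get((user, when.date().isoformat())) is False:
        reasons.append("logical access while badge records show user off-site")
    return reasons
```

For the constructed 02:30 event on 2019-10-07 with a 900 MB upload, `score_event` returns all three reasons, while the in-hours 2019-10-04 event returns none.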
ADDITIONAL READING
Ten Strategies of a World-class Cybersecurity Operations Center:
SANS Common and Best Practices for Security Operations Centers: Results of the 2019 SOC
References
• Draft NIST SP 800-171B 3.14.2e
• CIS Controls v7.1 13.3, 16.12, 16.13
• NIST CSF v1.1 DE.CM-1, DE.CM-3
• CERT RMM v1.2 MON:SG1.SP3
• NIST SP 800-53 Rev 4 SI-4