Skip to main content

💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events

  • ID: /frameworks/nist-csf-v2.0/de-cm/01

Description

  1. Monitor DNS, BGP, and other network services for adverse events
  2. Monitor wired and wireless networks for connections from unauthorized endpoints
  3. Monitor facilities for unauthorized or rogue wireless networks
  4. Compare actual network flows against baselines to detect deviations
  5. Monitor network communications to identify changes in security postures for zero trust purposes

Similar

  • Sections
    • /frameworks/nist-csf-v1.1/de-cm/01
    • /frameworks/nist-csf-v1.1/de-cm/04
    • /frameworks/nist-csf-v1.1/de-cm/05
    • /frameworks/nist-csf-v1.1/de-cm/07
    • /frameworks/nist-sp-800-53-r5/ac/02
    • /frameworks/nist-sp-800-53-r5/au/12
    • /frameworks/nist-sp-800-53-r5/ca/07
    • /frameworks/nist-sp-800-53-r5/cm/03
    • /frameworks/nist-sp-800-53-r5/sc/05
    • /frameworks/nist-sp-800-53-r5/sc/07
    • /frameworks/nist-sp-800-53-r5/si/04

Similar Sections (Take Policies From)

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
💼 NIST CSF v1.1 → 💼 DE.CM-1: The network is monitored to detect potential cybersecurity events1863no data
💼 NIST CSF v1.1 → 💼 DE.CM-4: Malicious code is detected77no data
💼 NIST CSF v1.1 → 💼 DE.CM-5: Unauthorized mobile code is detected1112no data
💼 NIST CSF v1.1 → 💼 DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed1824no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-2 Account Management132037no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-12 Audit Record Generation44765no data
💼 NIST SP 800-53 Revision 5 → 💼 CA-7 Continuous Monitoring613no data
💼 NIST SP 800-53 Revision 5 → 💼 CM-3 Configuration Change Control81725no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-5 Denial-of-service Protection312no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7 Boundary Protection29452no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-4 System Monitoring25110no data

Sub Sections

SectionSub SectionsInternal RulesPoliciesFlagsCompliance

Policies (145)

PolicyLogic CountFlagsCompliance
🛡️ AWS Account Config is not enabled in all regions🟢1🟢 x6no data
🛡️ AWS Account IAM Access Analyzer is not enabled for all regions🟢1🟢 x6no data
🛡️ AWS Account Multi-Region CloudTrail is not enabled🟢1🟢 x6no data
🛡️ AWS API Gateway API Access Logging in CloudWatch is not enabled🟢1🟠 x1, 🟢 x5no data
🛡️ AWS API Gateway API Execution Logging in CloudWatch is not enabled🟢1🟢 x6no data
🛡️ AWS API Gateway REST API Stage X-Ray Tracing is not enabled🟢1🟢 x6no data
🛡️ AWS CloudFront Distribution Logging is not enabled🟢1🟢 x6no data
🛡️ AWS CloudTrail AWS Organizations Changes Monitoring is not enabled🟢⚪🟢 x2, ⚪ x1no data
🛡️ AWS CloudTrail Config Configuration Changes Monitoring is not enabled🟢⚪🟢 x2, ⚪ x1no data
🛡️ AWS CloudTrail Configuration Changes Monitoring is not enabled🟢⚪🟢 x2, ⚪ x1no data
🛡️ AWS CloudTrail Disable CMK or Schedule CMK Deletion Events Monitoring is not enabled🟢⚪🟢 x2, ⚪ x1no data
🛡️ AWS CloudTrail IAM Policy Changes Monitoring is not enabled🟢⚪🟢 x2, ⚪ x1no data
🛡️ AWS CloudTrail Log File Validation is not enabled🟢1🟢 x6no data
🛡️ AWS CloudTrail Management Console Authentication Failures Monitoring is not enabled🟢⚪🟢 x2, ⚪ x1no data
🛡️ AWS CloudTrail Management Console Sign-In without MFA Monitoring is not enabled🟢⚪🟢 x2, ⚪ x1no data
🛡️ AWS CloudTrail Network Access Control Lists Changes Monitoring is not enabled🟢⚪🟢 x2, ⚪ x1no data
🛡️ AWS CloudTrail Network Gateways Changes Monitoring is not enabled🟢⚪🟢 x2, ⚪ x1no data
🛡️ AWS CloudTrail Root Account Usage Monitoring is not enabled🟢⚪🟢 x2, ⚪ x1no data
🛡️ AWS CloudTrail Route Table Changes Monitoring is not enabled🟢⚪🟢 x2, ⚪ x1no data
🛡️ AWS CloudTrail S3 Bucket Access Logging is not enabled.🟢1🟢 x6no data
🛡️ AWS CloudTrail S3 Bucket Policy Changes Monitoring is not enabled🟢⚪🟢 x2, ⚪ x1no data
🛡️ AWS CloudTrail Security Group Changes Monitoring is not enabled🟢⚪🟢 x2, ⚪ x1no data
🛡️ AWS CloudTrail Unauthorized API Calls Monitoring is not enabled🟢⚪🟢 x2, ⚪ x1no data
🛡️ AWS CloudTrail VPC Changes Monitoring is not enabled🟢⚪🟢 x2, ⚪ x1no data
🛡️ AWS CloudWatch Metric Alarm does not have any actions configured🟢1🟢 x6no data
🛡️ AWS DMS Migration Task Logging is not enabled🟢1🟢 x6no data
🛡️ AWS DMS Replication Instance Auto Minor Version Upgrade is not enabled🟢1🟢 x6no data
🛡️ AWS DMS Replication Instance is publicly accessible🟢1🟢 x6no data
🛡️ AWS EBS Snapshot is publicly accessible🟢1🟢 x6no data
🛡️ AWS EC2 Auto Scaling Group behind ELB assigns public IP to instances🟢1🟢 x6no data
🛡️ AWS EC2 Auto Scaling Group behind ELB doesn't use ELB health check🟢1🟢 x6no data
🛡️ AWS EC2 Default Security Group does not restrict all traffic🟢1🟢 x6no data
🛡️ AWS EC2 Instance with an auto-assigned public IP address is in a default subnet🟢1🟢 x6no data
🛡️ AWS EC2 Security Group allows public IPv4 (0.0.0.0/0) access to admin ports🟢1🟢 x6no data
🛡️ AWS EC2 Security Group allows public IPv6 (::/0) access to admin ports🟢1🟢 x6no data
🛡️ AWS EC2 Security Group allows unrestricted CIFS traffic🟢1🟢 x6no data
🛡️ AWS EC2 Security Group allows unrestricted FTP traffic🟢1🟢 x6no data
🛡️ AWS EC2 Security Group allows unrestricted RPC traffic🟢1🟢 x6no data
🛡️ AWS EC2 Security Group allows unrestricted SMTP traffic🟢1🟢 x6no data
🛡️ AWS EC2 Security Group allows unrestricted traffic to MongoDB🟢1🟢 x6no data
🛡️ AWS EC2 Security Group allows unrestricted traffic to MSSQL🟢1🟢 x6no data
🛡️ AWS EC2 Security Group allows unrestricted traffic to MySQL🟢1🟢 x6no data
🛡️ AWS EC2 Security Group allows unrestricted traffic to Oracle DBMS🟢1🟢 x6no data
🛡️ AWS EC2 Security Group allows unrestricted traffic to PostgreSQL🟢1🟢 x6no data
🛡️ AWS EC2 Security Group allows unrestricted Telnet traffic🟢1🟢 x6no data
🛡️ AWS EKS Cluster Logging is not enabled for all control plane logs types🟢1🟢 x6no data
🛡️ AWS Elastic Beanstalk Environment does not have enhanced health reporting enabled🟢1🟢 x6no data
🛡️ AWS GuardDuty is not enabled in all regions🟢1🟢 x6no data
🛡️ AWS IAM Policy allows full administrative privileges🟢1🟢 x6no data
🛡️ AWS IAM User has inline or directly attached policies🟢1🟠 x1, 🟢 x5no data
🛡️ AWS IAM User with credentials unused for 45 days or more is not disabled🟢1🟢 x6no data
🛡️ AWS RDS Instance Auto Minor Version Upgrade is not enabled🟠🟢1🟠 x1, 🟢 x6no data
🛡️ AWS RDS Instance is publicly accessible and in an unrestricted public subnet🟢1🟢 x6no data
🛡️ AWS RDS Instance uses default endpoint port🟢1🟢 x6no data
🛡️ AWS RDS Snapshot is publicly accessible🟢1🟢 x6no data
🛡️ AWS S3 Bucket is not configured to block public access🟢1🟢 x6no data
🛡️ AWS S3 Bucket Policy is not set to deny HTTP requests🟢1🟢 x6no data
🛡️ AWS S3 Bucket Server Access Logging is not enabled🟢1🟢 x6no data
🛡️ AWS Security Hub is not enabled🟢1🟢 x6no data
🛡️ AWS VPC Flow Logs are not enabled🟢1🟠 x1, 🟢 x5no data
🛡️ AWS VPC is not configured with a VPC Endpoint for Amazon EC2 service🟢1🟢 x6no data
🛡️ AWS VPC Network ACL exposes admin ports to public internet ports🟢1🟢 x6no data
🛡️ AWS VPC Subnet Map Public IP On Launch is enabled🟢1🟢 x6no data
🛡️ AWS WAF Rule Group has no WAF Rules🟢1🟠 x1, 🟢 x5no data
🛡️ AWS WAF Web ACL has no WAF Rules or WAF Rule Groups🟢1🟠 x1, 🟢 x5no data
🛡️ Azure App Service does not run the latest Java version🟢⚪🟢 x2, ⚪ x1no data
🛡️ Azure App Service does not run the latest PHP version🟢⚪🟢 x2, ⚪ x1no data
🛡️ Azure App Service does not run the latest Python version🟢⚪🟢 x2, ⚪ x1no data
🛡️ Azure Diagnostic Setting captures Administrative, Alert, Policy, and Security categories🟢1🟢 x6no data
🛡️ Azure Diagnostic Setting for Azure Key Vault is not enabled🟢⚪🟢 x2, ⚪ x1no data
🛡️ Azure Network Security Group Flow Logs retention period is less than 90 days🟢1🟢 x6no data
🛡️ Azure PostgreSQL Flexible Server connection_throttle.enable Parameter is not set to ON🟢1🟢 x6no data
🛡️ Azure PostgreSQL Flexible Server log_checkpoints Parameter is not set to ON🟢1🟢 x6no data
🛡️ Azure PostgreSQL Flexible Server log_retention_days Parameter is less than 4 days🟢1🟢 x6no data
🛡️ Azure PostgreSQL Single Server log_connections Parameter is not set to ON🟢1🟢 x6no data
🛡️ Azure PostgreSQL Single Server log_disconnections Parameter is not set to ON🟢1🟢 x6no data
🛡️ Azure SQL Server Auditing is not enabled🟢1🟢 x6no data
🛡️ Azure SQL Server Auditing Retention is less than 90 days🟢1🟢 x6no data
🛡️ Azure Storage Blob Logging is not enabled for Read, Write, and Delete requests🟢1🟢 x6no data
🛡️ Azure Storage Queue Logging is not enabled for Read, Write, and Delete requests🟢1🟢 x6no data
🛡️ Azure Subscription Activity Log Alert for Create or Update Network Security Group does not exist🟢1🟢 x6no data
🛡️ Azure Subscription Activity Log Alert for Create or Update Security Solution does not exist🟢1🟢 x6no data
🛡️ Azure Subscription Activity Log Alert for Create or Update SQL Server Firewall Rule does not exist🟢1🟢 x6no data
🛡️ Azure Subscription Activity Log Alert for Create Policy Assignment does not exist🟢1🟢 x6no data
🛡️ Azure Subscription Activity Log Alert for Delete Network Security Group does not exist🟢1🟢 x6no data
🛡️ Azure Subscription Activity Log Alert for Delete Policy Assignment does not exist🟢1🟢 x6no data
🛡️ Azure Subscription Activity Log Alert for Delete Security Solution does not exist🟢1🟢 x6no data
🛡️ Azure Subscription Activity Log Alert for Delete SQL Server Firewall Rule does not exist🟢1🟢 x6no data
🛡️ Azure Subscription Microsoft Defender For (Managed Instance) Azure SQL Databases is not set to On🟢1🟢 x6no data
🛡️ Azure Subscription Microsoft Defender For App Services is not set to On🟢1🟢 x6no data
🛡️ Azure Subscription Microsoft Defender For Containers is not set to On🟢1🟢 x6no data
🛡️ Azure Subscription Microsoft Defender For Key Vault is not set to On🟢1🟢 x6no data
🛡️ Azure Subscription Microsoft Defender For Servers is not set to On🟢1🟢 x6no data
🛡️ Azure Subscription Microsoft Defender For SQL Servers On Machines is not set to On🟢1🟢 x6no data
🛡️ Azure Subscription Microsoft Defender For Storage is not set to On🟢1🟢 x6no data
🛡️ Azure Subscription Security Alert Notifications additional email address is not configured🟢1🟢 x6no data
🛡️ Azure Subscription Security Alert Notifications for alerts with High or Critical severity are not configured🟢1🟢 x6no data
🛡️ Azure Subscription Security Alert Notifications to subscription owners are not configured🟢1🟢 x6no data
🛡️ Google BigQuery Dataset is anonymously or publicly accessible🟢1🟢 x6no data
🛡️ Google Cloud Audit Logging is not configured properly🟢1🟢 x6no data
🛡️ Google Cloud PostgreSQL Instance Log_error_verbosity Database Flag is not set to DEFAULT or stricter🟢1🟢 x6no data
🛡️ Google Cloud PostgreSQL Instance Log_connections Database Flag is not set to On🟢1🟢 x6no data
🛡️ Google Cloud PostgreSQL Instance Log_disconnections Database Flag is not set to On🟢1🟢 x6no data
🛡️ Google Cloud PostgreSQL Instance Log_min_error_statement Database Flag is not set to Error or stricter🟢1🟢 x6no data
🛡️ Google Cloud PostgreSQL Instance Log_min_messages Database Flag is not set at minimum to Warning🟢1🟢 x6no data
🛡️ Google Cloud PostgreSQL Instance Log_statement Database Flag is not set appropriately🟢1🟢 x6no data
🛡️ Google Cloud SQL Instance External Authorized Networks whitelists all public IP addresses🟢1🟢 x6no data
🛡️ Google Cloud SQL Instance SSL Connections are not enforced🟢1🟢 x6no data
🛡️ Google GCE Firewall Rule logging is disabled🟢1🟢 x6no data
🛡️ Google GCE Instance has a public IP address🟢1🟢 x6no data
🛡️ Google GCE Instance IP Forwarding is not disabled.🟢1🟢 x6no data
🛡️ Google GCE Instance OS Login is not enabled🟢1🟢 x6no data
🛡️ Google GCE Network allows unrestricted CiscoSecure/WebSM traffic🟢1🟢 x6no data
🛡️ Google GCE Network allows unrestricted DNS traffic🟢1🟢 x6no data
🛡️ Google GCE Network allows unrestricted FTP traffic🟢1🟢 x6no data
🛡️ Google GCE Network allows unrestricted HTTP traffic🟢1🟢 x6no data
🛡️ Google GCE Network allows unrestricted LDAP traffic🟢1🟢 x6no data
🛡️ Google GCE Network allows unrestricted NetBIOS traffic🟢1🟢 x6no data
🛡️ Google GCE Network allows unrestricted POP3 traffic🟢1🟢 x6no data
🛡️ Google GCE Network allows unrestricted SMTP traffic🟢1🟢 x6no data
🛡️ Google GCE Network allows unrestricted SSH traffic🟢1🟢 x6no data
🛡️ Google GCE Network allows unrestricted traffic to Cassandra🟢1🟢 x6no data
🛡️ Google GCE Network allows unrestricted traffic to Directory services"🟢1🟢 x6no data
🛡️ Google GCE Network allows unrestricted traffic to Elasticsearch🟢1🟢 x6no data
🛡️ Google GCE Network allows unrestricted traffic to Memcached🟢1🟢 x6no data
🛡️ Google GCE Network allows unrestricted traffic to MongoDB🟢1🟢 x6no data
🛡️ Google GCE Network allows unrestricted traffic to MySQL🟢1🟢 x6no data
🛡️ Google GCE Network allows unrestricted traffic to OracleDB🟢1🟢 x6no data
🛡️ Google GCE Network allows unrestricted traffic to PostgreSQL🟢1🟢 x6no data
🛡️ Google GCE Network allows unrestricted traffic to Redis🟢1🟢 x6no data
🛡️ Google GCE Network allows unrestricted Telnet traffic🟢1🟢 x6no data
🛡️ Google GCE Subnetwork Flow Logs are not enabled🟢1🟢 x6no data
🛡️ Google GKE Cluster Network policy is disabled.🟢1🟢 x6no data
🛡️ Google GKE Cluster Node Pool uses default Service account🟢1🟢 x6no data
🛡️ Google HTTP(S) Load Balancer Logging is not enabled🟢1🟢 x6no data
🛡️ Google HTTPS or SSL Proxy Load Balancer permits SSL policies with weak cipher suites🟢⚪🟢 x2, ⚪ x1no data
🛡️ Google Logging Log Metric Filter and Alerts for Audit Configuration Changes do not exist🟢1🟢 x6no data
🛡️ Google Logging Log Metric Filter and Alerts for Custom Role Changes do not exist🟢1🟢 x6no data
🛡️ Google Logging Log Metric Filter and Alerts for Project Ownership Assignments Changes do not exist🟢1🟢 x6no data
🛡️ Google Logging Log Metric Filter and Alerts for SQL Instance Configuration Changes do not exist🟢1🟢 x6no data
🛡️ Google Logging Log Metric Filter and Alerts for VPC Network Changes do not exist🟢1🟢 x6no data
🛡️ Google Logging Log Metric Filter and Alerts for VPC Network Firewall Rule Changes do not exist🟢1🟢 x6no data
🛡️ Google Logging Log Metric Filter and Alerts for VPC Network Route Changes do not exist🟢1🟢 x6no data
🛡️ Google Logging Log Sink for All Log Entries is not configured🟢1🟢 x6no data
🛡️ Google Storage Bucket is anonymously or publicly accessible🟢1🟢 x6no data