💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events

  • Contextual name: 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events
  • ID: /frameworks/nist-csf-v2.0/de-cm/01
  • Located in: 💼 Continuous Monitoring (DE.CM)

Description

  1. Monitor DNS, BGP, and other network services for adverse events
  2. Monitor wired and wireless networks for connections from unauthorized endpoints
  3. Monitor facilities for unauthorized or rogue wireless networks
  4. Compare actual network flows against baselines to detect deviations
  5. Monitor network communications to identify changes in security postures for zero trust purposes

Similar

  • Sections
    • /frameworks/nist-csf-v1.1/de-cm/01
    • /frameworks/nist-csf-v1.1/de-cm/04
    • /frameworks/nist-csf-v1.1/de-cm/05
    • /frameworks/nist-csf-v1.1/de-cm/07
    • /frameworks/nist-sp-800-53-r5/ac/02
    • /frameworks/nist-sp-800-53-r5/au/12
    • /frameworks/nist-sp-800-53-r5/ca/07
    • /frameworks/nist-sp-800-53-r5/cm/03
    • /frameworks/nist-sp-800-53-r5/sc/05
    • /frameworks/nist-sp-800-53-r5/sc/07
    • /frameworks/nist-sp-800-53-r5/si/04

Similar Sections (Take Policies From)

Section | Sub Sections | Internal Rules | Policies | Flags
💼 NIST CSF v1.1 → 💼 DE.CM-1: The network is monitored to detect potential cybersecurity events 1841
💼 NIST CSF v1.1 → 💼 DE.CM-4: Malicious code is detected 77
💼 NIST CSF v1.1 → 💼 DE.CM-5: Unauthorized mobile code is detected 1111
💼 NIST CSF v1.1 → 💼 DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed 1823
💼 NIST SP 800-53 Revision 5 → 💼 AC-2 Account Management 132034
💼 NIST SP 800-53 Revision 5 → 💼 AU-12 Audit Record Generation 44765
💼 NIST SP 800-53 Revision 5 → 💼 CA-7 Continuous Monitoring 610
💼 NIST SP 800-53 Revision 5 → 💼 CM-3 Configuration Change Control 81725
💼 NIST SP 800-53 Revision 5 → 💼 SC-5 Denial-of-service Protection 34
💼 NIST SP 800-53 Revision 5 → 💼 SC-7 Boundary Protection 29447
💼 NIST SP 800-53 Revision 5 → 💼 SI-4 System Monitoring 2518

Sub Sections

Section | Sub Sections | Internal Rules | Policies | Flags

Policies (115)

Policy | Logic Count | Flags
📝 AWS Account Config is not enabled in all regions 🟢 | 1 | 🟢 x6
📝 AWS Account IAM Access Analyzer is not enabled for all regions 🟢 | 1 | 🟢 x6
📝 AWS Account Multi-Region CloudTrail is not enabled 🟢 | 1 | 🟢 x6
📝 AWS Account Security Hub is not enabled 🟢 | 1 | 🟠 x1, 🟢 x5
📝 AWS API Gateway API Access Logging in CloudWatch is not enabled 🟢 | 1 | 🟠 x1, 🟢 x5
📝 AWS API Gateway API Execution Logging in CloudWatch is not enabled 🟢 | 1 | 🟢 x6
📝 AWS API Gateway REST API Stage X-Ray Tracing is not enabled 🟢 | 1 | 🟢 x6
📝 AWS CloudFront Distribution Logging is not enabled 🟢 | 1 | 🟢 x6
📝 AWS CloudTrail AWS Organizations Changes Monitoring is not enabled 🟢 |  | 🟢 x3
📝 AWS CloudTrail Config Configuration Changes Monitoring is not enabled 🟢 |  | 🟢 x3
📝 AWS CloudTrail Configuration Changes Monitoring is not enabled 🟢 |  | 🟢 x3
📝 AWS CloudTrail Disable CMK or Schedule CMK Deletion Events Monitoring is not enabled 🟢 |  | 🟢 x3
📝 AWS CloudTrail IAM Policy Changes Monitoring is not enabled 🟢 |  | 🟢 x3
📝 AWS CloudTrail Log File Validation is not enabled 🟢 | 1 | 🟢 x6
📝 AWS CloudTrail Management Console Authentication Failures Monitoring is not enabled 🟢 |  | 🟢 x3
📝 AWS CloudTrail Management Console Sign-In without MFA Monitoring is not enabled 🟢 |  | 🟢 x3
📝 AWS CloudTrail Network Access Control Lists Changes Monitoring is not enabled 🟢 |  | 🟢 x3
📝 AWS CloudTrail Network Gateways Changes Monitoring is not enabled 🟢 |  | 🟢 x3
📝 AWS CloudTrail Root Account Usage Monitoring is not enabled 🟢 |  | 🟢 x3
📝 AWS CloudTrail Route Table Changes Monitoring is not enabled 🟢 |  | 🟢 x3
📝 AWS CloudTrail S3 Bucket Access Logging is not enabled. 🟢 | 1 | 🟢 x6
📝 AWS CloudTrail S3 Bucket Policy Changes Monitoring is not enabled 🟢 |  | 🟢 x3
📝 AWS CloudTrail Security Group Changes Monitoring is not enabled 🟢 |  | 🟢 x3
📝 AWS CloudTrail Unauthorized API Calls Monitoring is not enabled 🟢 |  | 🟢 x3
📝 AWS CloudTrail VPC Changes Monitoring is not enabled 🟢 |  | 🟢 x3
📝 AWS DMS Migration Task Logging is not enabled 🟢 | 1 | 🟢 x6
📝 AWS DMS Replication Instance Auto Minor Version Upgrade is not enabled 🟢 | 1 | 🟢 x6
📝 AWS DMS Replication Instance is publicly accessible 🟢 | 1 | 🟢 x6
📝 AWS EBS Snapshot is publicly accessible 🟢 | 1 | 🟢 x6
📝 AWS EC2 Auto Scaling Group behind ELB assigns public IP to instances 🟢 | 1 | 🟢 x6
📝 AWS EC2 Auto Scaling Group behind ELB doesn't use ELB health check 🟢 | 1 | 🟢 x6
📝 AWS EC2 Default Security Group does not restrict all traffic 🟢 | 1 | 🟢 x6
📝 AWS EC2 Security Group allows public IPv4 (0.0.0.0/0) access to admin ports 🟢 | 1 | 🟢 x6
📝 AWS EC2 Security Group allows public IPv6 (::/0) access to admin ports 🟢 | 1 | 🟢 x6
📝 AWS EC2 Security Group allows unrestricted CIFS traffic 🟢 | 1 | 🟢 x6
📝 AWS EC2 Security Group allows unrestricted FTP traffic 🟢 | 1 | 🟢 x6
📝 AWS EC2 Security Group allows unrestricted RPC traffic 🟢 | 1 | 🟢 x6
📝 AWS EC2 Security Group allows unrestricted SMTP traffic 🟢 | 1 | 🟢 x6
📝 AWS EC2 Security Group allows unrestricted traffic to MongoDB 🟢 | 1 | 🟢 x6
📝 AWS EC2 Security Group allows unrestricted traffic to MSSQL 🟢 | 1 | 🟢 x6
📝 AWS EC2 Security Group allows unrestricted traffic to MySQL 🟢 | 1 | 🟢 x6
📝 AWS EC2 Security Group allows unrestricted traffic to Oracle DBMS 🟢 | 1 | 🟢 x6
📝 AWS EC2 Security Group allows unrestricted traffic to PostgreSQL 🟢 | 1 | 🟢 x6
📝 AWS EC2 Security Group allows unrestricted Telnet traffic 🟢 | 1 | 🟢 x6
📝 AWS EKS Cluster Logging is not enabled for all control plane logs types 🟢 | 1 | 🟢 x6
📝 AWS IAM Policy allows full administrative privileges 🟢 | 1 | 🟢 x6
📝 AWS IAM User has inline or directly attached policies 🟢 | 1 | 🟠 x1, 🟢 x5
📝 AWS IAM User with credentials unused for 45 days or more is not disabled 🟢 | 1 | 🟢 x6
📝 AWS RDS Instance Auto Minor Version Upgrade is not enabled 🟠🟢 | 1 | 🟠 x1, 🟢 x6
📝 AWS RDS Instance is publicly accessible and in an unrestricted public subnet 🟢 | 1 | 🟢 x6
📝 AWS RDS Instance uses default endpoint port 🟢 | 1 | 🟢 x6
📝 AWS RDS Snapshot is publicly accessible 🟢 | 1 | 🟢 x6
📝 AWS S3 Bucket is not configured to block public access 🟢 | 1 | 🟢 x6
📝 AWS S3 Bucket Policy is not set to deny HTTP requests 🟢 | 1 | 🟢 x6
📝 AWS S3 Bucket Server Access Logging is not enabled 🟢 | 1 | 🟢 x6
📝 AWS VPC Flow Logs are not enabled 🟢 | 1 | 🟠 x1, 🟢 x5
📝 AWS VPC Network ACL exposes admin ports to public internet ports 🟢 | 1 | 🟢 x6
📝 Azure App Service does not run the latest Java version 🟢 |  | 🟢 x3
📝 Azure App Service does not run the latest PHP version 🟢 |  | 🟢 x3
📝 Azure App Service does not run the latest Python version 🟢 |  | 🟢 x3
📝 Azure Diagnostic Setting captures Administrative, Alert, Policy, and Security categories 🟢 | 1 | 🟢 x6
📝 Azure Diagnostic Setting for Azure Key Vault is not enabled 🟢 |  | 🟢 x3
📝 Azure Network Security Group Flow Logs retention period is less than 90 days 🟢 | 1 | 🟢 x6
📝 Azure PostgreSQL Flexible Server connection_throttle.enable Parameter is not set to ON 🟢 | 1 | 🟢 x6
📝 Azure PostgreSQL Flexible Server log_checkpoints Parameter is not set to ON 🟢 | 1 | 🟢 x6
📝 Azure PostgreSQL Flexible Server log_retention_days Parameter is less than 4 days 🟢 | 1 | 🟢 x6
📝 Azure PostgreSQL Single Server log_connections Parameter is not set to ON 🟢 | 1 | 🟢 x6
📝 Azure PostgreSQL Single Server log_disconnections Parameter is not set to ON 🟢 | 1 | 🟢 x6
📝 Azure SQL Server Auditing is not enabled 🟢 | 1 | 🟢 x6
📝 Azure SQL Server Auditing Retention is less than 90 days 🟢 | 1 | 🟢 x6
📝 Azure Storage Blob Logging is not enabled for Read, Write, and Delete requests 🟢 | 1 | 🟢 x6
📝 Azure Storage Queue Logging is not enabled for Read, Write, and Delete requests 🟢 | 1 | 🟢 x6
📝 Azure Subscription Activity Log Alert for Create or Update Network Security Group does not exist 🟢 | 1 | 🟢 x6
📝 Azure Subscription Activity Log Alert for Create or Update Security Solution does not exist 🟢 | 1 | 🟢 x6
📝 Azure Subscription Activity Log Alert for Create or Update SQL Server Firewall Rule does not exist 🟢 | 1 | 🟢 x6
📝 Azure Subscription Activity Log Alert for Create Policy Assignment does not exist 🟢 | 1 | 🟢 x6
📝 Azure Subscription Activity Log Alert for Delete Network Security Group does not exist 🟢 | 1 | 🟢 x6
📝 Azure Subscription Activity Log Alert for Delete Policy Assignment does not exist 🟢 | 1 | 🟢 x6
📝 Azure Subscription Activity Log Alert for Delete Security Solution does not exist 🟢 | 1 | 🟢 x6
📝 Azure Subscription Activity Log Alert for Delete SQL Server Firewall Rule does not exist 🟢 | 1 | 🟢 x6
📝 Azure Subscription Microsoft Defender For (Managed Instance) Azure SQL Databases is not set to On 🟢 | 1 | 🟢 x6
📝 Azure Subscription Microsoft Defender For App Services is not set to On 🟢 | 1 | 🟢 x6
📝 Azure Subscription Microsoft Defender For Containers is not set to On 🟢 | 1 | 🟢 x6
📝 Azure Subscription Microsoft Defender For Key Vault is not set to On 🟢 | 1 | 🟢 x6
📝 Azure Subscription Microsoft Defender For Servers is not set to On 🟢 | 1 | 🟢 x6
📝 Azure Subscription Microsoft Defender For SQL Servers On Machines is not set to On 🟢 | 1 | 🟢 x6
📝 Azure Subscription Microsoft Defender For Storage is not set to On 🟢 | 1 | 🟢 x6
📝 Azure Subscription Security Alert Notifications additional email address is not configured 🟢 | 1 | 🟢 x6
📝 Azure Subscription Security Alert Notifications for alerts with High or Critical severity are not configured 🟢 | 1 | 🟢 x6
📝 Azure Subscription Security Alert Notifications to subscription owners are not configured 🟢 | 1 | 🟢 x6
📝 Google BigQuery Dataset is anonymously or publicly accessible 🟢 | 1 | 🟢 x6
📝 Google Cloud Audit Logging is not configured properly 🟢 | 1 | 🟢 x6
📝 Google Cloud PostgreSQL Instance Log_error_verbosity Database Flag is not set to DEFAULT or stricter 🟢 | 1 | 🟢 x6
📝 Google Cloud PostgreSQL Instance Log_connections Database Flag is not set to On 🟢 | 1 | 🟢 x6
📝 Google Cloud PostgreSQL Instance Log_disconnections Database Flag is not set to On 🟢 | 1 | 🟢 x6
📝 Google Cloud PostgreSQL Instance Log_min_error_statement Database Flag is not set to Error or stricter 🟢 | 1 | 🟢 x6
📝 Google Cloud PostgreSQL Instance Log_min_messages Database Flag is not set at minimum to Warning 🟢 | 1 | 🟢 x6
📝 Google Cloud PostgreSQL Instance Log_statement Database Flag is not set appropriately 🟢 | 1 | 🟢 x6
📝 Google Cloud SQL Instance External Authorized Networks do not whitelist all public IP addresses 🟢 | 1 | 🟢 x6
📝 Google GCE Instance has a public IP address 🟢 | 1 | 🟢 x6
📝 Google GCE Instance IP Forwarding is not disabled. 🟢 | 1 | 🟢 x6
📝 Google GCE Instance OS Login is not enabled 🟢 | 1 | 🟢 x6
📝 Google GCE Network has Firewall Rules which allow unrestricted SSH access from the Internet 🟢 | 1 | 🟢 x6
📝 Google GCE Subnetwork Flow Logs are not enabled 🟢 | 1 | 🟢 x6
📝 Google HTTP(S) Load Balancer Logging is not enabled 🟢 | 1 | 🟢 x6
📝 Google HTTPS or SSL Proxy Load Balancer permits SSL policies with weak cipher suites 🟢 |  | 🟢 x3
📝 Google Logging Log Metric Filter and Alerts for Audit Configuration Changes do not exist 🟢 | 1 | 🟢 x6
📝 Google Logging Log Metric Filter and Alerts for Custom Role Changes do not exist 🟢 | 1 | 🟢 x6
📝 Google Logging Log Metric Filter and Alerts for Project Ownership Assignments Changes do not exist 🟢 | 1 | 🟢 x6
📝 Google Logging Log Metric Filter and Alerts for SQL Instance Configuration Changes do not exist 🟢 | 1 | 🟢 x6
📝 Google Logging Log Metric Filter and Alerts for VPC Network Changes do not exist 🟢 | 1 | 🟢 x6
📝 Google Logging Log Metric Filter and Alerts for VPC Network Firewall Rule Changes do not exist 🟢 | 1 | 🟢 x6
📝 Google Logging Log Metric Filter and Alerts for VPC Network Route Changes do not exist 🟢 | 1 | 🟢 x6
📝 Google Logging Log Sink for All Log Entries is not configured 🟢 | 1 | 🟢 x6
📝 Google Storage Bucket is anonymously or publicly accessible 🟢 | 1 | 🟢 x6