Skip to main content

💼 CA-7 Continuous Monitoring

  • ID: /frameworks/nist-sp-800-53-r5/ca/07

Description

Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes: a. Establishing the following system-level metrics to be monitored: [Assignment: organization-defined system-level metrics]; b. Establishing [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessment of control effectiveness; c. Ongoing control assessments in accordance with the continuous monitoring strategy; d. Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy; e. Correlation and analysis of information generated by control assessments and monitoring; f. Response actions to address results of the analysis of control assessment and monitoring information; and g. Reporting the security and privacy status of the system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency].

Similar

  • Sections
    • /frameworks/aws-fsbp-v1.0.0/api-gateway/01
    • /frameworks/aws-fsbp-v1.0.0/api-gateway/03
    • /frameworks/aws-fsbp-v1.0.0/api-gateway/09
    • /frameworks/aws-fsbp-v1.0.0/auto-scaling/01
    • /frameworks/aws-fsbp-v1.0.0/cloudfront/05
    • /frameworks/aws-fsbp-v1.0.0/cloudtrail/01
    • /frameworks/aws-fsbp-v1.0.0/cloudtrail/05
    • /frameworks/aws-fsbp-v1.0.0/codebuild/04
    • /frameworks/aws-fsbp-v1.0.0/dms/07
    • /frameworks/aws-fsbp-v1.0.0/dms/08
    • /frameworks/aws-fsbp-v1.0.0/documentdb/04
    • /frameworks/aws-fsbp-v1.0.0/ec2/06
    • /frameworks/aws-fsbp-v1.0.0/ec2/51
    • /frameworks/aws-fsbp-v1.0.0/ecs/09
    • /frameworks/aws-fsbp-v1.0.0/ecs/12
    • /frameworks/aws-fsbp-v1.0.0/eks/08
    • /frameworks/aws-fsbp-v1.0.0/elastic-beanstalk/01
    • /frameworks/aws-fsbp-v1.0.0/elb/05
    • /frameworks/aws-fsbp-v1.0.0/es/04
    • /frameworks/aws-fsbp-v1.0.0/es/05
    • /frameworks/aws-fsbp-v1.0.0/guardduty/01
    • /frameworks/aws-fsbp-v1.0.0/macie/01
    • /frameworks/aws-fsbp-v1.0.0/macie/02
    • /frameworks/aws-fsbp-v1.0.0/neptune/02
    • /frameworks/aws-fsbp-v1.0.0/network-firewall/02
    • /frameworks/aws-fsbp-v1.0.0/opensearch/04
    • /frameworks/aws-fsbp-v1.0.0/opensearch/05
    • /frameworks/aws-fsbp-v1.0.0/route-53/02
    • /frameworks/aws-fsbp-v1.0.0/rds/06
    • /frameworks/aws-fsbp-v1.0.0/rds/09
    • /frameworks/aws-fsbp-v1.0.0/rds/19
    • /frameworks/aws-fsbp-v1.0.0/rds/20
    • /frameworks/aws-fsbp-v1.0.0/rds/21
    • /frameworks/aws-fsbp-v1.0.0/rds/22
    • /frameworks/aws-fsbp-v1.0.0/rds/34
    • /frameworks/aws-fsbp-v1.0.0/rds/40
    • /frameworks/aws-fsbp-v1.0.0/redshift/04
    • /frameworks/aws-fsbp-v1.0.0/s3/09
    • /frameworks/aws-fsbp-v1.0.0/transfer-family/03
    • /frameworks/aws-fsbp-v1.0.0/waf/01
    • /frameworks/aws-fsbp-v1.0.0/waf/12
  • Internal
    • ID: dec-c-0025b507

Similar Sections (Take Policies From)

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [APIGateway.1] API Gateway REST and WebSocket API execution logging should be enabled11no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [APIGateway.3] API Gateway REST API stages should have AWS X-Ray tracing enabled11no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [APIGateway.9] Access logging should be configured for API Gateway V2 Stages11no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [AutoScaling.1] Auto Scaling groups associated with a load balancer should use ELB health checks11no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [CloudFront.5] CloudFront distributions should have logging enabled11no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [CloudTrail.1] CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events11no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [CloudTrail.5] CloudTrail trails should be integrated with Amazon CloudWatch Logsno data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [CodeBuild.4] CodeBuild project environments should have a logging AWS Configurationno data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [DMS.7] DMS replication tasks for the target database should have logging enabled1no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [DMS.8] DMS replication tasks for the source database should have logging enabled1no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [DocumentDB.4] Amazon DocumentDB clusters should publish audit logs to CloudWatch Logsno data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EC2.6] VPC flow logging should be enabled in all VPCs11no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EC2.51] EC2 Client VPN endpoints should have client connection logging enabledno data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ECS.9] ECS task definitions should have a logging configuration1no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ECS.12] ECS clusters should use Container Insightsno data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EKS.8] EKS clusters should have audit logging enabled1no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ElasticBeanstalk.1] Elastic Beanstalk environments should have enhanced health reporting enabled1no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ELB.5] Application and Classic Load Balancers logging should be enabled1no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ES.4] Elasticsearch domain error logging to CloudWatch Logs should be enabled1no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ES.5] Elasticsearch domains should have audit logging enabled1no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [GuardDuty.1] GuardDuty should be enabled1no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Macie.1] Amazon Macie should be enabledno data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Macie.2] Macie automated sensitive data discovery should be enabledno data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Neptune.2] Neptune DB clusters should publish audit logs to CloudWatch Logsno data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [NetworkFirewall.2] Network Firewall logging should be enabledno data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Opensearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled1no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Opensearch.5] OpenSearch domains should have audit logging enabled1no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [RDS.6] Enhanced monitoring should be configured for RDS DB instancesno data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [RDS.9] RDS DB instances should publish logs to CloudWatch Logsno data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [RDS.19] Existing RDS event notification subscriptions should be configured for critical cluster events1no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [RDS.20] Existing RDS event notification subscriptions should be configured for critical database instance events1no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [RDS.21] An RDS event notifications subscription should be configured for critical database parameter group events1no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [RDS.22] An RDS event notifications subscription should be configured for critical database security group events1no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [RDS.34] Aurora MySQL DB clusters should publish audit logs to CloudWatch Logsno data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [RDS.40] RDS for SQL Server DB instances should publish logs to CloudWatch Logsno data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Redshift.4] Amazon Redshift clusters should have audit logging enabledno data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Route53.2] Route 53 public hosted zones should log DNS queriesno data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [S3.9] S3 general purpose buckets should have server access logging enabled12no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Transfer.3] Transfer Family connectors should have logging enabledno data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [WAF.1] AWS WAF Classic Global Web ACL logging should be enabledno data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [WAF.12] AWS WAF rules should have CloudWatch metrics enabledno data

Similar Sections (Give Policies To)

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
💼 FedRAMP High Security Controls → 💼 CA-7 Continuous Monitoring (L)(M)(H)222no data
💼 FedRAMP Low Security Controls → 💼 CA-7 Continuous Monitoring (L)(M)(H)122no data
💼 NIST CSF v2.0 → 💼 DE.AE-02: Potentially adverse events are analyzed to better understand associated activities45no data
💼 NIST CSF v2.0 → 💼 DE.AE-03: Information is correlated from multiple sources60no data
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events170no data
💼 NIST CSF v2.0 → 💼 DE.CM-02: The physical environment is monitored to find potentially adverse events22no data
💼 NIST CSF v2.0 → 💼 DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events95no data
💼 NIST CSF v2.0 → 💼 DE.CM-06: External service provider activities and services are monitored to find potentially adverse events45no data
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events170no data
💼 NIST CSF v2.0 → 💼 ID.IM-01: Improvements are identified from evaluations37no data
💼 NIST CSF v2.0 → 💼 ID.IM-02: Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties51no data
💼 NIST CSF v2.0 → 💼 ID.IM-03: Improvements are identified from execution of operational processes, procedures, and activities52no data
💼 NIST CSF v2.0 → 💼 ID.RA-01: Vulnerabilities in assets are identified, validated, and recorded41no data
💼 NIST CSF v2.0 → 💼 ID.RA-07: Changes and exceptions are managed, assessed for risk impact, recorded, and tracked41no data

Sub Sections

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
💼 CA-7(1) Continuous Monitoring _ Independent Assessmentno data
💼 CA-7(2) Continuous Monitoring _ Types of Assessmentsno data
💼 CA-7(3) Continuous Monitoring _ Trend Analysesno data
💼 CA-7(4) Continuous Monitoring _ Risk Monitoringno data
💼 CA-7(5) Continuous Monitoring _ Consistency Analysisno data
💼 CA-7(6) Continuous Monitoring _ Automation Support for Monitoringno data

Policies (22)

PolicyLogic CountFlagsCompliance
🛡️ AWS Account Multi-Region CloudTrail is not enabled🟢1🟢 x6no data
🛡️ AWS API Gateway API Access Logging in CloudWatch is not enabled🟢1🟠 x1, 🟢 x5no data
🛡️ AWS API Gateway API Execution Logging in CloudWatch is not enabled🟢1🟢 x6no data
🛡️ AWS API Gateway REST API Stage X-Ray Tracing is not enabled🟢1🟢 x6no data
🛡️ AWS CloudFront Distribution Logging is not enabled🟢1🟢 x6no data
🛡️ AWS CloudTrail S3 Bucket Access Logging is not enabled.🟢1🟢 x6no data
🛡️ AWS CloudWatch Metric Alarm does not have any actions configured🟢1🟢 x6no data
🛡️ AWS DMS Migration Task Logging is not enabled🟢1🟢 x6no data
🛡️ AWS EC2 Auto Scaling Group behind ELB doesn't use ELB health check🟢1🟢 x6no data
🛡️ AWS ECS Task Definition logging is not configured🟢1🟢 x6no data
🛡️ AWS EKS Cluster Logging is not enabled for all control plane logs types🟢1🟢 x6no data
🛡️ AWS Elastic Beanstalk Environment does not have enhanced health reporting enabled🟢1🟢 x6no data
🛡️ AWS ELB Load Balancer Access Logging is disabled🟢1🟢 x6no data
🛡️ AWS GuardDuty is not enabled in all regions🟢1🟢 x6no data
🛡️ AWS OpenSearch Domain audit logging is not enabled🟢1🟢 x6no data
🛡️ AWS OpenSearch Domain error logging is not enabled🟢1🟢 x6no data
🛡️ AWS RDS Cluster Event Subscription for critical events is not configured🟢1🟢 x6no data
🛡️ AWS RDS Instance Event Subscription for critical events is not configured🟢1🟢 x6no data
🛡️ AWS RDS Parameter Group Event Subscription for critical events is not configured🟢1🟢 x6no data
🛡️ AWS RDS Security Group Event Subscription for critical events is not configured🟢1🟢 x6no data
🛡️ AWS S3 Bucket Server Access Logging is not enabled🟢1🟢 x6no data
🛡️ AWS VPC Flow Logs are not enabled🟢1🟠 x1, 🟢 x5no data