This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization employs [Assignment: organization-defined security safeguards] to respond to unauthorized changes to [Assignment: organization-defined configuration settings].
NIST 800-53 (r4) Supplemental Guidance:
Responses to unauthorized changes to configuration settings can include, for example, alerting designated organizational personnel, restoring established configuration settings, or in extreme cases, halting affected information system processing. Related controls: IR-4, SI-7.
NIST 800-53 (r5) Discussion:
Responses to unauthorized changes to configuration settings include alerting designated organizational personnel, restoring established configuration settings, or—in extreme cases—halting affected system processing.
38North Guidance:
Meets Minimum Requirement:
Employ integrity-checking mechanisms (e.g., parity checks, cyclic redundancy checks, cryptographic hashes) and associated integrity verification tools (e.g., Tripwire, Wazuh, or Tanium) to detect and respond to unauthorized changes to system software, firmware, and information.
Best Practice:
Configure the generation and forwarding of audit logs to a centrally managed Security Information and Event Management (SIEM) tool. Configure the SIEM to generate alerts and notify incident response personnel of unauthorized changes to configuration settings.
Employ a tool that conducts automated, periodic compliance scans of production system components against known configuration baselines (e.g., Tanium, Chef, AWS Config, or Terraform). The tool should generate and forward an audit log to the centrally managed SIEM, notify incident response personnel of unauthorized changes (via integration with email or messaging services such as Slack or PagerDuty), and attempt to revert those changes to the settings authorized in the baseline.
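The detect, alert, and restore loop described in the two guidance items above, as an added illustration that is not part of the 38North guidance and not the code of any tool named on this page. It hashes a set of monitored configuration files against a known-good baseline, emits one JSON event per unauthorized change in a shape a SIEM forwarder could ship as-is, and rewrites the authorized content. The file paths and their contents are constructed sample data; a real deployment would load the baseline from a signed, access-controlled store rather than a Python dictionary.

```python
"""Minimal file-integrity check with alert-and-restore response (added example).

Pattern: hash monitored configuration files against a known-good baseline,
emit a SIEM-style alert event for every unauthorized change, restore the
baseline content, and re-verify. All paths and contents are constructed.
"""
import hashlib
import hmac
import json
import os
import tempfile
from datetime import datetime, timezone

# Constructed sample baseline: relative path -> authorized content.
# Assumption: in production this comes from a signed, access-controlled store.
BASELINE_CONTENT = {
    "etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "etc/sysctl.d/99-hardening.conf": b"net.ipv4.ip_forward = 0\n",
}


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(content_map):
    """Return {path: sha256 hex} for the authorized content."""
    return {path: sha256_bytes(data) for path, data in content_map.items()}


def scan(root, baseline):
    """Compare files under root with the baseline; return a list of findings."""
    findings = []
    for rel, expected in baseline.items():
        full = os.path.join(root, rel)
        if not os.path.exists(full):
            findings.append({"path": rel, "status": "missing",
                             "expected": expected, "observed": None})
            continue
        with open(full, "rb") as fh:
            observed = sha256_bytes(fh.read())
        # Digests are not secrets, but a constant-time compare is a cheap habit.
        if not hmac.compare_digest(observed, expected):
            findings.append({"path": rel, "status": "modified",
                             "expected": expected, "observed": observed})
    return findings


def respond(root, findings, content_map, restore=True):
    """Build one JSON-serializable alert event per finding; optionally restore."""
    events = []
    for f in findings:
        action = "alert_only"
        if restore:
            full = os.path.join(root, f["path"])
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(content_map[f["path"]])
            action = "restored_from_baseline"
        events.append({
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "event_type": "unauthorized_config_change",
            "severity": "high",
            "path": f["path"],
            "status": f["status"],
            "expected_sha256": f["expected"],
            "observed_sha256": f["observed"],
            "action": action,
        })
    return events


def deploy(root, content_map):
    """Write the authorized content to disk (simulates a clean build)."""
    for rel, data in content_map.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)


def demo():
    """Deploy the baseline, simulate drift, detect, respond, and re-verify."""
    with tempfile.TemporaryDirectory() as root:
        deploy(root, BASELINE_CONTENT)
        baseline = build_baseline(BASELINE_CONTENT)
        assert scan(root, baseline) == []  # clean system: no findings

        # Simulated unauthorized changes (constructed): one file edited, one removed.
        with open(os.path.join(root, "etc/ssh/sshd_config"), "ab") as fh:
            fh.write(b"# unauthorized edit\n")
        os.remove(os.path.join(root, "etc/sysctl.d/99-hardening.conf"))

        before = scan(root, baseline)
        events = respond(root, before, BASELINE_CONTENT, restore=True)
        after = scan(root, baseline)
        return before, events, after


if __name__ == "__main__":
    before, events, after = demo()
    for event in events:
        print(json.dumps(event))          # what a SIEM forwarder would ship
    print("findings after restore:", after)
```

Running the module prints two alert events (one "modified", one "missing", both marked "restored_from_baseline") followed by an empty findings list, which is the evidence an assessor would expect to see alongside the integrity monitoring configuration: detection, notification, and restoration of the authorized settings.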
Unofficial FedRAMP Guidance:
TBD
Assessment Evidence:
Integrity monitoring tool configurations and alerts
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD