This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization implements [Assignment: (M) organization-defined host-based boundary protection mechanisms; FedRAMP Assignment: (H) Host Intrusion Prevention System (HIPS), Host Intrusion Detection System (HIDS), or minimally a host-based firewall] at [Assignment: (M) (H) organization-defined information system components].
NIST 800-53 (r4) Supplemental Guidance:
Host-based boundary protection mechanisms include, for example, host-based firewalls. Information system components employing host-based boundary protection mechanisms include, for example, servers, workstations, and mobile devices.
NIST 800-53 (r5) Discussion:
Host-based boundary protection mechanisms include host-based firewalls. System components that employ host-based boundary protection mechanisms include servers, workstations, notebook computers, and mobile devices.
38North Guidance:
Meets Minimum Requirement:
Deploy/enable a host-based firewall on all system components.
Deploy HIDS software on all system components.
Commonly used HIDS tools include OSSEC, Wazuh, Security Onion, Logz.io, and Splunk. Several Endpoint Detection and Response (EDR) products (e.g., McAfee/Symantec Endpoint Security) also provide HIDS functionality.
Best Practice:
Deploy/enable a host-based firewall on all system components.
Deploy HIDS software on all system components.
Integrate host-based firewalls and HIDS solutions with an incident management platform (e.g., a SIEM or an automated notification system) so that unauthorized activity generates real-time alerts.
Unofficial FedRAMP Guidance:
Commonly used HIDS tools include OSSEC, Wazuh, Security Onion, Logz.io, and Splunk. Several Endpoint Detection and Response (EDR) products (e.g., McAfee/Symantec Endpoint Security) also provide HIDS functionality.
Assessment Evidence:
Configuration settings of the measures in place to implement host-based boundary protection mechanisms at the specified information system components (e.g., proof of installation on a subset of system components, centralized management of the HIDS solution).
Evidence of firewall and HIDS logging integration with an incident management platform.
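The following is an added example, not part of the 38North guidance or of any product named above, showing how an assessor or CSP might turn raw host-firewall and HIDS status output into per-host evidence records for this control. It parses constructed samples of `ufw status verbose` (Linux) and `netsh advfirewall show allprofiles` (Windows) output and a constructed HIDS service state; the sample text, host names, and the `hids_state` field are assumptions, and on real systems the command output would be collected from each host and fed to the same functions.

```python
"""Host-based boundary protection evidence check (SC-7(12)).

Added example, not code from the 38North page. It parses constructed samples
of firewall status output and a HIDS agent service state and produces a
per-host record showing whether both minimum-requirement items are in place.
"""
import re

# --- constructed sample outputs (not captured from any real system) --------
UFW_SAMPLE = """Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    10.0.0.0/8
"""

NETSH_SAMPLE = """
Domain Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound

Private Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound

Public Profile Settings:
----------------------------------------------------------------------
State                                 OFF
Firewall Policy                       BlockInbound,AllowOutbound
"""


def parse_ufw(text):
    """Return (active, default_incoming_policy) from `ufw status verbose`."""
    active = re.search(r"^Status:\s*(\w+)", text, re.M)
    default = re.search(r"^Default:\s*(\w+) \(incoming\)", text, re.M)
    return (bool(active) and active.group(1) == "active",
            default.group(1) if default else None)


def parse_netsh(text):
    """Return {profile_name: state_is_on} from `netsh advfirewall show allprofiles`."""
    profiles = {}
    current = None
    for line in text.splitlines():
        header = re.match(r"^(\w+) Profile Settings:", line)
        if header:
            current = header.group(1)
            continue
        state = re.match(r"^State\s+(ON|OFF)", line)
        if state and current:
            profiles[current] = state.group(1) == "ON"
    return profiles


def firewall_enabled(host):
    """Decide whether the host-based firewall satisfies the control.

    ufw: active with a default-deny inbound policy.
    Windows: every profile ON; one OFF profile (e.g. Public) leaves an
    interface unprotected, so the host is treated as non-compliant.
    """
    if host["firewall"] == "ufw":
        active, default_in = parse_ufw(host["output"])
        return active and default_in == "deny"
    if host["firewall"] == "windows":
        profiles = parse_netsh(host["output"])
        return bool(profiles) and all(profiles.values())
    return False  # unknown firewall type: no evidence, so not compliant


def assess_host(host):
    """Build one evidence record: firewall state, HIDS agent state, verdict."""
    fw_ok = firewall_enabled(host)
    # hids_state is assumed to come from e.g. `systemctl is-active <agent>`
    hids_ok = host["hids_state"] == "active"
    return {
        "host": host["name"],
        "firewall_ok": fw_ok,
        "hids_ok": hids_ok,
        "meets_sc7_12": fw_ok and hids_ok,
    }


def assess_fleet(hosts):
    """Return (all records, names of hosts failing the minimum requirement)."""
    records = [assess_host(h) for h in hosts]
    return records, [r["host"] for r in records if not r["meets_sc7_12"]]


SAMPLE_HOSTS = [  # constructed inventory for demonstration only
    {"name": "web-01", "firewall": "ufw", "output": UFW_SAMPLE, "hids_state": "active"},
    {"name": "win-01", "firewall": "windows", "output": NETSH_SAMPLE, "hids_state": "active"},
    {"name": "db-01", "firewall": "ufw", "output": UFW_SAMPLE, "hids_state": "inactive"},
]

if __name__ == "__main__":
    records, failing = assess_fleet(SAMPLE_HOSTS)
    for record in records:
        print(record)
    print("non-compliant hosts:", failing)
```

The per-host records are the kind of artifact an assessor can sample against the inventory, and the `failing` list is what would be fed to the incident management platform or ticketing system as a finding; a host whose firewall is merely installed but not active, or whose HIDS agent is stopped, is reported as non-compliant rather than silently passed.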
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD