This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The information system monitors inbound and outbound communications traffic [FedRAMP Assignment: (M)(H) continuously] for unusual or unauthorized activities or conditions.
NIST 800-53 (r4) Supplemental Guidance:
Unusual/unauthorized activities or conditions related to information system inbound and outbound communications traffic include, for example, internal traffic that indicates the presence of malicious code within organizational information systems or propagating among system components, the unauthorized exporting of information, or signaling to external information systems. Evidence of malicious code is used to identify potentially compromised information systems or information system components.
NIST 800-53 (r5) Discussion:
Unusual or unauthorized activities or conditions related to system inbound and outbound communications traffic include internal traffic that indicates the presence of malicious code or unauthorized use of legitimate code or credentials within organizational systems or propagating among system components, signaling to external systems, and the unauthorized exporting of information. Evidence of malicious code or unauthorized use of legitimate code or credentials is used to identify potentially compromised systems or system components.
38North Guidance:
Meets Minimum Requirement:
Use appropriate solutions at each ingress/egress point to monitor inbound and outbound communications traffic continuously for unusual or unauthorized activities or conditions. Boundary protection devices (e.g., IDS, IPS) must be deployed (next-generation firewalls may have this capability built in), and their traffic logs must be sent to the SIEM for monitoring for unusual and suspicious activity.
This control is mostly implemented by system boundary devices, although host-based solutions such as Endpoint Detection and Response (EDR) may supplement them. Many of our customers will claim monitoring mechanisms that are host-based, and that is acceptable as long as the usual suspects are also deployed at the perimeter (e.g., firewalls, proxies, etc.) and the logs of those devices are sent to the SIEM. The control implementation statement should describe how all inbound and outbound traffic is monitored. In addition, the perimeter firewall monitoring capabilities should be leveraged from the IaaS information system. If the SIEM is ingesting logs from the IaaS firewalls, this should be described as well, to make it clear that the CSP can aggregate inbound/outbound traffic events and information in a centralized tool.
Best Practice: None
Unofficial FedRAMP Guidance: None
Assessment Evidence:
Configurations of solution(s) supporting and/or implementing monitoring of inbound/outbound communications traffic.
CSP Implementation Tips: None