This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The information system alerts [Assignment: organization-defined personnel or roles] when the following indications of compromise or potential compromise occur: [Assignment: organization-defined compromise indicators].
Additional FedRAMP Requirements and Guidance: In accordance with the incident response plan.
NIST 800-53 (r4) Supplemental Guidance:
Alerts may be generated from a variety of sources, including, for example, audit records or inputs from malicious code protection mechanisms, intrusion detection or prevention mechanisms, or boundary protection devices such as firewalls, gateways, and routers. Alerts can be transmitted, for example, telephonically, by electronic mail messages, or by text messaging. Organizational personnel on the notification list can include, for example, system administrators, mission/business owners, system owners, or information system security officers. Related controls: AU-5, PE-6.
NIST 800-53 (r5) Discussion:
Alerts may be generated from a variety of sources, including audit records or inputs from malicious code protection mechanisms, intrusion detection or prevention mechanisms, or boundary protection devices such as firewalls, gateways, and routers. Alerts can be automated and may be transmitted telephonically, by electronic mail messages, or by text messaging. Organizational personnel on the alert notification list can include system administrators, mission or business owners, system owners, information owners/stewards, senior agency information security officers, senior agency officials for privacy, system security officers, or privacy officers. In contrast to alerts generated by the system, alerts generated by organizations in SI-4(12) focus on information sources external to the system, such as suspicious activity reports and reports on potential insider threats.
38North Guidance:
Meets Minimum Requirement:
In accordance with the incident response plan, alert defined personnel or roles when defined indications of compromise or potential compromise occur (e.g., when the system begins to function in a non-secure, non-optimal, or non-resilient manner).
Best Practice: Regardless of the alerting mechanism used, alerts should be sanitized before they are sent outside of the authorization boundary. IP addresses, hostnames, and other specifics that could draw attention to the system or give a bad actor details useful for refining an attack should be omitted from alert messages delivered by email, SMS, or any other channel that leaves the authorization boundary. Keep the full detail in the in-boundary record that the alert points back to.
Unofficial FedRAMP Guidance: IP addresses and hostnames can be considered metadata; alerts containing this specific information should remain within the authorization boundary.
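One way to apply the sanitization described above, written here as an added example and not part of the 38North or FedRAMP guidance: the full alert is stored inside the boundary under an alert ID, and the outbound email/SMS text carries only the ID, the severity, and a summary in which every IP address and every hostname under an organization-defined internal DNS suffix has been replaced by a keyed, stable token. The token key, the INTERNAL_SUFFIXES list, the alert ID format, and the sample IDS text are all constructed for this example.

```python
"""
Redact IP addresses and internal hostnames from alert text before it leaves
the authorization boundary (email, SMS, pager). Example code; all values
below are constructed, not taken from any real deployment.
"""
import hashlib
import hmac
import ipaddress
import re
from typing import Dict, Tuple

# Constructed per-boundary secret: tokens are HMACs, so a recipient outside the
# boundary cannot brute-force them back to the RFC 1918 space. Load from a
# secrets store in a real deployment.
TOKEN_KEY = b"constructed-example-key-do-not-reuse"

# Assumption: organization-defined internal DNS suffixes. Hostnames ending in
# one of these are redacted; public names (e.g. a vendor site) are left alone.
INTERNAL_SUFFIXES = (".internal", ".corp.example")

_IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# IPv6 candidates: two or more colon-separated hex groups. Timestamps such as
# 12:30:45 also match this pattern, so every candidate is validated below.
_IPV6_RE = re.compile(r"(?<![\w:])(?:[0-9A-Fa-f]{0,4}:){2,7}[0-9A-Fa-f]{0,4}(?![\w:])")
_HOST_RE = re.compile(r"\b(?:[A-Za-z0-9-]+\.)+[A-Za-z0-9-]+\b")


def _token(kind: str, value: str) -> str:
    """Stable, keyed, non-reversible handle for one internal identifier."""
    digest = hmac.new(TOKEN_KEY, value.lower().encode(), hashlib.sha256).hexdigest()
    return f"[{kind}-{digest[:8]}]"


def _is_ip(candidate: str) -> bool:
    try:
        ipaddress.ip_address(candidate)
        return True
    except ValueError:
        return False


def redact(text: str) -> Tuple[str, Dict[str, str]]:
    """Return (sanitized text, token -> original) for an alert body.

    The mapping is meant to be stored with the alert inside the boundary so
    responders can resolve tokens from the console, never from the message.
    """
    mapping: Dict[str, str] = {}

    def ip_sub(m):
        value = m.group(0)
        if not _is_ip(value):          # e.g. "12:30:45" or "999.1.1.1"
            return value
        tok = _token("ip", value)
        mapping[tok] = value
        return tok

    def host_sub(m):
        value = m.group(0)
        if not value.lower().endswith(INTERNAL_SUFFIXES):
            return value               # public name or non-hostname like "e.g"
        tok = _token("host", value)
        mapping[tok] = value
        return tok

    text = _IPV4_RE.sub(ip_sub, text)   # IPs first so they never reach _HOST_RE
    text = _IPV6_RE.sub(ip_sub, text)
    text = _HOST_RE.sub(host_sub, text)
    return text, mapping


# Constructed in-boundary alert store; the full record never leaves the boundary.
IN_BOUNDARY_STORE: Dict[str, dict] = {}


def build_outbound_alert(alert_id: str, severity: str, summary: str) -> str:
    """Record the full alert in-boundary and return the sanitized outbound text."""
    redacted, mapping = redact(summary)
    IN_BOUNDARY_STORE[alert_id] = {"severity": severity, "summary": summary, "tokens": mapping}
    return f"[{severity}] Alert {alert_id}: {redacted} Resolve tokens in the alert console."


if __name__ == "__main__":
    # Constructed sample IDS alert, as it would read inside the boundary.
    raw = ("Outbound C2 beacon from db01.prod.internal (10.20.30.40) to 203.0.113.9 "
           "via fe80::1 at 12:30:45 UTC; see SI-4(5).")
    print(build_outbound_alert("INC-0042", "HIGH", raw))
    print(IN_BOUNDARY_STORE["INC-0042"]["tokens"])
```

Because the tokens are keyed HMACs of the normalized identifier, the same host or address yields the same token across alerts, so an on-call engineer reading SMS can still tell that two pages concern the same asset without the asset's name or address ever leaving the boundary.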
Assessment Evidence:
Alerts/notifications generated based on compromise indicators.
CSP Implementation Tips: None