Framework Category

Continuous Monitoring

Continuous Monitoring involves actively observing networks, systems, personnel activity, and physical environments to detect potentially adverse events.

It includes detecting malicious or unauthorized code, monitoring third-party services, scanning for vulnerabilities, and identifying unauthorized access or devices to enable timely response.

Implementation Questions

DE.CM-01

Networks and network services are monitored to find potentially adverse events

Does your organization have a system in place to monitor DNS, BGP, and other critical network services for suspicious or malicious activities?

Monitoring network services like DNS (Domain Name System) and BGP (Border Gateway Protocol) is crucial for detecting potential security threats such as DNS hijacking, BGP route hijacking, or other network-based attacks. These services are fundamental to internet connectivity and can be exploited to redirect traffic, perform man-in-the-middle attacks, or cause service disruptions if compromised.

Does your organization implement network monitoring controls to detect and alert on unauthorized endpoint connections to both wired and wireless networks?

Network monitoring for unauthorized endpoints is essential for detecting potential security breaches, rogue devices, and policy violations before they can cause harm. This includes monitoring both wired connections (like unauthorized computers or servers) and wireless connections (like unauthorized mobile devices or access points) that could be used to bypass security controls or exfiltrate data.

Does your organization have a process to regularly monitor facilities for unauthorized or rogue wireless networks?

Unauthorized wireless networks can create security vulnerabilities by providing attackers with potential entry points that bypass established network security controls. Regular monitoring helps detect rogue access points, unauthorized hotspots, or malicious wireless devices that may have been installed by external threat actors or non-compliant employees.

Does your organization regularly compare actual network traffic flows against established baselines to detect and investigate deviations?

Network traffic baseline comparison is a critical security practice that helps identify unusual patterns that may indicate compromise or misuse. By establishing normal traffic patterns (baselines) and continuously monitoring for deviations, organizations can detect potential security incidents such as data exfiltration, command and control traffic, or lateral movement by attackers.
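A minimal version of the baseline comparison described above, added here as an illustration rather than code from the original page: the per-host outbound volumes are constructed sample data, and the z-score and ratio thresholds are assumed tuning values.

```python
import statistics
from collections import defaultdict

# Constructed flow summaries (not real data): (host, day, bytes_out in MB).
# Days 1-6 form the learning window; day 7 is the observation window.
FLOW_HISTORY = (
    [("ws-101", d, b) for d, b in enumerate([410, 395, 430, 405, 420, 398, 415], 1)]
    + [("ws-102", d, b) for d, b in enumerate([520, 498, 510, 530, 505, 515, 9800], 1)]
    + [("srv-db1", d, b) for d, b in enumerate([1200, 1180, 1250, 1210, 1195, 1230, 1240], 1)]
)

def build_baseline(history, observe_day):
    """Per-host mean and population stddev of bytes_out over the days before observe_day."""
    per_host = defaultdict(list)
    for host, day, bytes_out in history:
        if day < observe_day:
            per_host[host].append(bytes_out)
    return {h: (statistics.mean(v), statistics.pstdev(v)) for h, v in per_host.items()}

def find_deviations(history, observe_day, z_threshold=3.0, min_ratio=2.0):
    """Flag hosts whose observed bytes_out is a z-score outlier AND a large multiple of the baseline.
    The ratio guard (assumed value) stops a host with near-zero variance alerting on a tiny change."""
    baseline = build_baseline(history, observe_day)
    alerts = []
    for host, day, bytes_out in history:
        if day != observe_day or host not in baseline:
            continue
        mean, sd = baseline[host]
        if sd > 0:
            z = (bytes_out - mean) / sd
        else:
            z = float("inf") if bytes_out != mean else 0.0
        if z > z_threshold and bytes_out > min_ratio * mean:
            alerts.append({"host": host, "bytes_out": bytes_out,
                           "baseline_mean": round(mean, 1), "z": round(z, 1)})
    return alerts
```

In the sample data only ws-102 trips the check on day 7, which is the shape a sudden bulk transfer would take against a stable baseline.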

Does your organization continuously monitor network communications to detect changes in security postures as part of a zero trust architecture?

This question assesses whether your organization has implemented real-time network monitoring capabilities that can identify when devices, users, or services deviate from expected security states. In a zero trust model, continuous verification is essential as security postures can change rapidly when devices become compromised, configurations drift, or unauthorized access attempts occur.

An acceptable evidence deliverable would include documentation of your network monitoring solution configuration, screenshots of dashboards showing security posture monitoring, logs demonstrating detection of posture changes, and procedures for responding to identified security posture changes. This could also include reports from tools like Network Access Control (NAC) systems, Endpoint Detection and Response (EDR) solutions, or Security Information and Event Management (SIEM) platforms that specifically monitor for security posture changes.

DE.CM-02

The physical environment is monitored to find potentially adverse events

Does your organization monitor physical access control logs for unusual patterns and failed access attempts?

Monitoring physical access logs helps identify potential security breaches, such as unauthorized access attempts, access outside normal working hours, or suspicious patterns like multiple failed badge swipes. These logs can reveal when terminated employees attempt to use old credentials or when someone tries to access restricted areas without proper authorization.
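An added example, not from the original page, of the log review just described, run over constructed badge-reader events. The terminated-staff list, the business-hours window and the failure threshold are assumed inputs an organization would supply from its own HR and policy data.

```python
from datetime import datetime, time
from collections import Counter

# Constructed badge reader events (not real data): timestamp, badge holder, door, result.
BADGE_EVENTS = [
    ("2024-03-04 08:52:10", "jsmith",  "lobby",       "granted"),
    ("2024-03-04 09:01:44", "ajones",  "lobby",       "granted"),
    ("2024-03-04 09:03:02", "ajones",  "server-room", "denied"),
    ("2024-03-04 09:03:20", "ajones",  "server-room", "denied"),
    ("2024-03-04 09:03:41", "ajones",  "server-room", "denied"),
    ("2024-03-04 23:17:05", "jsmith",  "server-room", "granted"),
    ("2024-03-05 07:30:12", "bformer", "lobby",       "denied"),
]
TERMINATED = {"bformer"}                 # assumed HR-provided list of deactivated badge holders
BUSINESS_HOURS = (time(7, 0), time(19, 0))  # assumed policy window

def review_badge_log(events, terminated, hours=BUSINESS_HOURS, fail_threshold=3):
    """Return findings as (kind, person, door, timestamp): repeated denials on one door,
    granted entry outside business hours, and any use of a terminated person's badge."""
    findings = []
    denials = Counter()
    for ts, who, door, result in events:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if who in terminated:
            findings.append(("terminated_badge_used", who, door, ts))
        if result == "denied":
            denials[(who, door)] += 1
            if denials[(who, door)] == fail_threshold:   # alert once, on reaching the threshold
                findings.append(("repeated_denials", who, door, ts))
        elif not (hours[0] <= when.time() <= hours[1]):
            findings.append(("after_hours_access", who, door, ts))
    return findings
```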

Does your organization regularly review and monitor physical access records to track visitor and personnel entry to facilities?

Regular review of physical access records helps identify unauthorized access attempts, verify compliance with access policies, and maintain an audit trail of who entered facilities and when. This includes monitoring visitor logs, employee badge access data, and any other physical entry records to detect anomalies or security incidents.

Does your organization regularly inspect physical access controls for signs of tampering?

Regular inspection of physical access controls such as locks, latches, hinge pins, and alarm systems helps identify unauthorized access attempts or security breaches before they result in data or asset theft. These inspections should follow a documented schedule and include visual checks for scratches around keyholes, damaged hinges, disabled alarms, or other signs of manipulation.

Does your organization implement physical security monitoring systems such as alarm systems, surveillance cameras, and security personnel?

Physical security monitoring is essential to protect facilities, assets, and information from unauthorized access, theft, or damage. Effective monitoring typically includes a combination of alarm systems to detect intrusions, surveillance cameras to record activities, and security personnel to respond to incidents and maintain a visible security presence.

DE.CM-03

Personnel activity and technology usage are monitored to find potentially adverse events

Has your organization implemented behavior analytics software to detect anomalous user activity for insider threat detection?

Behavior analytics tools establish baseline patterns of normal user activity and can identify deviations that may indicate insider threats such as unauthorized access, data exfiltration, or account compromise. These solutions analyze various data points including login times, access patterns, file operations, and network activities to flag suspicious behaviors that warrant investigation. Effective implementation requires proper configuration, continuous tuning, and integration with your security operations workflow.

Does your organization actively monitor logs from logical access control systems to identify unusual access patterns and failed access attempts?

Monitoring access control logs helps detect potential security incidents such as unauthorized access attempts, credential theft, or insider threats. By analyzing patterns in authentication logs, organizations can identify suspicious activities like login attempts outside business hours, multiple failed logins, or access from unusual locations.

Does your organization actively monitor deception technology (e.g., honeypots, honeyfiles, decoy accounts) for any usage or interaction?

Deception technology creates fake assets that legitimate users should never interact with, making any activity on these decoys a strong indicator of malicious behavior. Monitoring these decoys provides early warning of potential intrusions, lateral movement attempts, or credential theft without generating false positives that plague traditional detection methods.

DE.CM-09

Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events

Does your organization have monitoring systems in place to detect malicious activities across email, web, file sharing, and collaboration services?

Monitoring common attack vectors is essential for early detection of security threats like malware, phishing attempts, and data exfiltration. Without proper monitoring, malicious activities may go undetected until significant damage occurs, such as data breaches or system compromises. Effective monitoring should cover all primary communication channels including email systems, web traffic, file sharing platforms, and collaboration tools.

Does your organization monitor authentication attempts to detect credential-based attacks and unauthorized credential reuse?

Monitoring authentication attempts helps identify potential brute force attacks, credential stuffing, password spraying, or instances where stolen credentials are being used. This monitoring should include tracking failed login attempts, successful logins from unusual locations or devices, and patterns that might indicate automated attacks.
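An added example, not from the page, that applies the patterns listed under this question and under the logical access control question above (multiple failed logins, spraying across accounts, a success right after repeated failures) to constructed sshd-style log lines. The thresholds are assumed tuning values.

```python
import re
from collections import defaultdict

# Constructed authentication log lines (not real data) in an sshd-like format.
AUTH_LOG = """\
Mar  4 02:10:01 bastion sshd[4101]: Failed password for alice from 203.0.113.5 port 50122 ssh2
Mar  4 02:10:03 bastion sshd[4102]: Failed password for bob from 203.0.113.5 port 50123 ssh2
Mar  4 02:10:05 bastion sshd[4103]: Failed password for carol from 203.0.113.5 port 50124 ssh2
Mar  4 02:10:07 bastion sshd[4104]: Failed password for dave from 203.0.113.5 port 50125 ssh2
Mar  4 02:11:00 bastion sshd[4110]: Failed password for admin from 198.51.100.9 port 41000 ssh2
Mar  4 02:11:01 bastion sshd[4111]: Failed password for admin from 198.51.100.9 port 41001 ssh2
Mar  4 02:11:02 bastion sshd[4112]: Failed password for admin from 198.51.100.9 port 41002 ssh2
Mar  4 02:11:03 bastion sshd[4113]: Failed password for admin from 198.51.100.9 port 41003 ssh2
Mar  4 02:11:04 bastion sshd[4114]: Failed password for admin from 198.51.100.9 port 41004 ssh2
Mar  4 02:11:09 bastion sshd[4115]: Accepted password for admin from 198.51.100.9 port 41005 ssh2
Mar  4 09:30:12 bastion sshd[4200]: Accepted publickey for erin from 192.0.2.77 port 53000 ssh2
"""
LINE_RE = re.compile(r"(Failed|Accepted) (?:password|publickey) for (?:invalid user )?(\S+) from (\S+) port")

def analyze_auth_log(text, spray_min_accounts=4, brute_min_failures=5):
    """Flag password spraying (one source, many accounts), brute force (one source, one account,
    many failures) and a success on an account the same source had just been failing against.
    Each finding is emitted once, at the moment its threshold is reached."""
    failures = defaultdict(lambda: defaultdict(int))   # src -> user -> failed count
    findings = []
    for m in LINE_RE.finditer(text):
        outcome, user, src = m.groups()
        if outcome == "Failed":
            failures[src][user] += 1
            if failures[src][user] == brute_min_failures:
                findings.append(("brute_force", src, user))
            if len(failures[src]) == spray_min_accounts:
                findings.append(("password_spray", src, None))
        elif failures[src].get(user, 0) > 0:
            findings.append(("success_after_failures", src, user))
    return findings
```

The last finding type is the one worth paging on: a successful login that follows a run of failures from the same source is the point at which a guessed or stolen credential has actually worked.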

Does your organization have a process to monitor software configurations for deviations from established security baselines?

Security baselines define the approved, secure configuration settings for software systems. Monitoring for deviations helps identify unauthorized changes, misconfigurations, or security drift that could introduce vulnerabilities. This includes monitoring changes to operating systems, applications, databases, network devices, and cloud services against their documented secure configurations.

Does your organization have a process to monitor hardware and software for signs of tampering?

Hardware and software tampering can introduce unauthorized modifications, backdoors, or malicious code that compromise system integrity and security. Effective monitoring includes regular physical inspections of hardware seals/chassis, verification of firmware/software checksums, and automated tools that detect unexpected changes to system configurations or files.
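An added example (not the page's own code) that covers both the configuration baseline question above and the tampering checks here: it records SHA-256 hashes of a file tree as a baseline, reports files that were added, removed or modified, and compares key=value settings against their documented values. The tree and the settings are constructed in a temporary directory; the sshd_config keys are used only as sample settings.

```python
import hashlib
import os
import tempfile

def hash_tree(root):
    """Map each file's path (relative to root) to its SHA-256 hex digest."""
    digests = {}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digests[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def compare_to_baseline(baseline, current):
    """Classify drift as added, removed or modified files relative to the recorded baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p]),
    }

def config_drift(expected, actual):
    """Compare key=value settings against the documented secure values; report each mismatch."""
    return {k: (expected[k], actual.get(k)) for k in expected if actual.get(k) != expected[k]}

def demo():
    """Build a throwaway tree, record a baseline, then simulate tampering and detect the drift."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "etc", "sshd_config"), "w") as fh:
            fh.write("PermitRootLogin no\nPasswordAuthentication no\n")
        with open(os.path.join(root, "bin_app"), "wb") as fh:
            fh.write(b"\x7fELF-original")
        baseline = hash_tree(root)
        # Simulated tampering (constructed): setting weakened, binary replaced, new file dropped in.
        with open(os.path.join(root, "etc", "sshd_config"), "w") as fh:
            fh.write("PermitRootLogin yes\nPasswordAuthentication no\n")
        with open(os.path.join(root, "bin_app"), "wb") as fh:
            fh.write(b"\x7fELF-replaced")
        with open(os.path.join(root, "unexpected.so"), "wb") as fh:
            fh.write(b"\x00")
        drift = compare_to_baseline(baseline, hash_tree(root))
        with open(os.path.join(root, "etc", "sshd_config")) as fh:
            actual = dict(line.split(None, 1) for line in fh.read().splitlines())
        settings = config_drift({"PermitRootLogin": "no", "PasswordAuthentication": "no"}, actual)
        return drift, settings
```

In practice the baseline would be stored and signed somewhere the monitored host cannot write to, so that an attacker who modifies a file cannot also update the reference hash.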

Does your organization deploy endpoint security solutions that can detect security issues and enforce remediation before granting network access?

This question assesses whether your organization uses endpoint security technologies that can identify security problems like missing patches, malware infections, or unauthorized software before allowing devices to access your network. These solutions, often called Network Access Control (NAC) or endpoint compliance systems, can automatically quarantine or redirect non-compliant devices to a remediation environment where issues can be fixed before granting full network access.

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub