CA-07 Continuous Monitoring
Security Assessment and Authorization
Low Moderate High Privacy
Description
The organization monitors the security controls in the information system on an ongoing basis.
Supplemental Guidance
Continuous monitoring activities include configuration management and control of information system components, security impact analyses of changes to the system, ongoing assessment of security controls, and status reporting. The organization assesses all security controls in an information system during the initial security accreditation. Subsequent to the initial accreditation and in accordance with OMB policy, the organization assesses a subset of the controls annually during continuous monitoring. The selection of an appropriate subset of security controls is based on: (i) the FIPS 199 security categorization of the information system; (ii) the specific security controls selected and employed by the organization to protect the information system; and (iii) the level of assurance (or grounds for confidence) that the organization must have in determining the effectiveness of the security controls in the information system. The organization establishes the selection criteria and subsequently selects a subset of the security controls employed within the information system for assessment. The organization also establishes the schedule for control monitoring to ensure adequate coverage is achieved. Those security controls that are volatile or critical to protecting the information system are assessed at least annually. All other controls are assessed at least once during the information system’s three- year accreditation cycle. The organization can use the current year’s assessment results obtained during continuous monitoring to meet the annual FISMA assessment requirement (see CA-02). This control is closely related to and mutually supportive of the activities required in monitoring configuration changes to the information system. An effective continuous monitoring program results in ongoing updates to the information system security plan, the security assessment report, and the plan of action and milestones—the three principle documents in the security accreditation package. A rigorous and well executed continuous monitoring process significantly reduces the level of effort required for the reaccreditation of the information system. NIST Special Publication 800-37 provides guidance on the continuous monitoring process. NIST Special Publication 800-53A provides guidance on the assessment of security controls. Related security controls: CA-02, CA-04, CA-05, CA-06, CM-04.
Changes from Rev 4
Control text changes 'metrics' to 'system-level metrics' Parameter changes 'metrics' to 'system-level metrics' Discussion expanded
MITRE ATT&CK Techniques (210)
ATT&CK v16.1Techniques mitigated by this control, mapped via CTID.
Reconnaissance 4 Initial Access 13 Execution 13 Persistence 33 Privilege Escalation 30 Defense Evasion 57 Credential Access 40 Discovery 3 Lateral Movement 8 Collection 17 Command & Control 34 Exfiltration 11 Impact 12
Show all 210 techniques grouped by tactic
Reconnaissance
Initial Access
T1078 Valid Accounts T1189 Drive-by Compromise T1190 Exploit Public-Facing Application T1195 Supply Chain Compromise T1566 Phishing T1078.001 Default Accounts T1078.003 Local Accounts T1078.004 Cloud Accounts T1195.001 Compromise Software Dependencies and Development Tools T1195.002 Compromise Software Supply Chain T1566.001 Spearphishing Attachment T1566.002 Spearphishing Link T1566.003 Spearphishing via Service
Execution
T1059 Command and Scripting Interpreter T1072 Software Deployment Tools T1203 Exploitation for Client Execution T1204 User Execution T1569 System Services T1053.006 Systemd Timers T1059.005 Visual Basic T1059.007 JavaScript T1059.010 AutoHotKey & AutoIT T1204.001 Malicious Link T1204.002 Malicious File T1204.003 Malicious Image T1569.002 Service Execution
Persistence
T1037 Boot or Logon Initialization Scripts T1078 Valid Accounts T1176 Browser Extensions T1197 BITS Jobs T1205 Traffic Signaling T1543 Create or Modify System Process T1556 Modify Authentication Process T1574 Hijack Execution Flow T1037.002 Login Hook T1037.003 Network Logon Script T1037.004 RC Scripts T1037.005 Startup Items T1053.006 Systemd Timers T1078.001 Default Accounts T1078.003 Local Accounts T1078.004 Cloud Accounts T1205.001 Port Knocking T1542.004 ROMMONkit T1542.005 TFTP Boot T1543.002 Systemd Service T1546.003 Windows Management Instrumentation Event Subscription T1546.004 Unix Shell Configuration Modification T1546.013 PowerShell Profile T1546.016 Installer Packages T1547.003 Time Providers T1547.013 XDG Autostart Entries T1556.001 Domain Controller Authentication T1574.004 Dylib Hijacking T1574.007 Path Interception by PATH Environment Variable T1574.008 Path Interception by Search Order Hijacking T1574.009 Path Interception by Unquoted Path T1574.013 KernelCallbackTable T1574.014 AppDomainManager
Privilege Escalation
T1037 Boot or Logon Initialization Scripts T1068 Exploitation for Privilege Escalation T1078 Valid Accounts T1543 Create or Modify System Process T1548 Abuse Elevation Control Mechanism T1574 Hijack Execution Flow T1037.002 Login Hook T1037.003 Network Logon Script T1037.004 RC Scripts T1037.005 Startup Items T1053.006 Systemd Timers T1055.009 Proc Memory T1078.001 Default Accounts T1078.003 Local Accounts T1078.004 Cloud Accounts T1543.002 Systemd Service T1546.003 Windows Management Instrumentation Event Subscription T1546.004 Unix Shell Configuration Modification T1546.013 PowerShell Profile T1546.016 Installer Packages T1547.003 Time Providers T1547.013 XDG Autostart Entries T1548.003 Sudo and Sudo Caching T1548.006 TCC Manipulation T1574.004 Dylib Hijacking T1574.007 Path Interception by PATH Environment Variable T1574.008 Path Interception by Search Order Hijacking T1574.009 Path Interception by Unquoted Path T1574.013 KernelCallbackTable T1574.014 AppDomainManager
Defense Evasion
T1036 Masquerading T1070 Indicator Removal T1078 Valid Accounts T1197 BITS Jobs T1205 Traffic Signaling T1211 Exploitation for Defense Evasion T1218 System Binary Proxy Execution T1221 Template Injection T1222 File and Directory Permissions Modification T1548 Abuse Elevation Control Mechanism T1556 Modify Authentication Process T1562 Impair Defenses T1574 Hijack Execution Flow T1599 Network Boundary Bridging T1622 Debugger Evasion T1647 Plist File Modification T1036.003 Rename System Utilities T1036.005 Match Legitimate Name or Location T1036.007 Double File Extension T1055.009 Proc Memory T1070.001 Clear Windows Event Logs T1070.002 Clear Linux or Mac System Logs T1070.003 Clear Command History T1070.007 Clear Network Connection History and Configurations T1070.008 Clear Mailbox Data T1070.009 Clear Persistence T1078.001 Default Accounts T1078.003 Local Accounts T1078.004 Cloud Accounts T1205.001 Port Knocking T1218.002 Control Panel T1218.010 Regsvr32 T1218.011 Rundll32 T1218.012 Verclsid T1218.015 Electron Applications T1222.001 Windows File and Directory Permissions Modification T1222.002 Linux and Mac File and Directory Permissions Modification T1542.004 ROMMONkit T1542.005 TFTP Boot T1548.003 Sudo and Sudo Caching T1548.006 TCC Manipulation T1550.003 Pass the Ticket T1553.003 SIP and Trust Provider Hijacking T1556.001 Domain Controller Authentication T1562.001 Disable or Modify Tools T1562.002 Disable Windows Event Logging T1562.004 Disable or Modify System Firewall T1562.006 Indicator Blocking T1564.004 NTFS File Attributes T1564.010 Process Argument Spoofing T1574.004 Dylib Hijacking T1574.007 Path Interception by PATH Environment Variable T1574.008 Path Interception by Search Order Hijacking T1574.009 Path Interception by Unquoted Path T1574.013 KernelCallbackTable T1574.014 AppDomainManager T1599.001 Network Address Translation Traversal
Credential Access
T1003 OS Credential Dumping T1110 Brute Force T1111 Multi-Factor Authentication Interception T1187 Forced Authentication T1212 Exploitation for Credential Access T1528 Steal Application Access Token T1539 Steal Web Session Cookie T1552 Unsecured Credentials T1555 Credentials from Password Stores T1556 Modify Authentication Process T1557 Adversary-in-the-Middle T1558 Steal or Forge Kerberos Tickets T1003.001 LSASS Memory T1003.002 Security Account Manager T1003.003 NTDS T1003.004 LSA Secrets T1003.005 Cached Domain Credentials T1003.006 DCSync T1003.007 Proc Filesystem T1003.008 /etc/passwd and /etc/shadow T1056.002 GUI Input Capture T1110.001 Password Guessing T1110.002 Password Cracking T1110.003 Password Spraying T1110.004 Credential Stuffing T1552.001 Credentials In Files T1552.002 Credentials in Registry T1552.004 Private Keys T1552.005 Cloud Instance Metadata API T1555.001 Keychain T1555.002 Securityd Memory T1556.001 Domain Controller Authentication T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay T1557.002 ARP Cache Poisoning T1557.003 DHCP Spoofing T1557.004 Evil Twin T1558.002 Silver Ticket T1558.003 Kerberoasting T1558.004 AS-REP Roasting T1558.005 Ccache Files
Lateral Movement
Collection
T1185 Browser Session Hijacking T1213 Data from Information Repositories T1530 Data from Cloud Storage T1557 Adversary-in-the-Middle T1602 Data from Configuration Repository T1056.002 GUI Input Capture T1213.001 Confluence T1213.002 Sharepoint T1213.003 Code Repositories T1213.004 Customer Relationship Management Software T1213.005 Messaging Applications T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay T1557.002 ARP Cache Poisoning T1557.003 DHCP Spoofing T1557.004 Evil Twin T1602.001 SNMP (MIB Dump) T1602.002 Network Device Configuration Dump
Command & Control
T1001 Data Obfuscation T1008 Fallback Channels T1071 Application Layer Protocol T1090 Proxy T1095 Non-Application Layer Protocol T1102 Web Service T1104 Multi-Stage Channels T1105 Ingress Tool Transfer T1132 Data Encoding T1205 Traffic Signaling T1219 Remote Access Software T1568 Dynamic Resolution T1571 Non-Standard Port T1572 Protocol Tunneling T1573 Encrypted Channel T1001.001 Junk Data T1001.002 Steganography T1001.003 Protocol or Service Impersonation T1071.001 Web Protocols T1071.002 File Transfer Protocols T1071.003 Mail Protocols T1071.004 DNS T1090.001 Internal Proxy T1090.002 External Proxy T1090.003 Multi-hop Proxy T1102.001 Dead Drop Resolver T1102.002 Bidirectional Communication T1102.003 One-Way Communication T1132.001 Standard Encoding T1132.002 Non-Standard Encoding T1205.001 Port Knocking T1568.002 Domain Generation Algorithms T1573.001 Symmetric Cryptography T1573.002 Asymmetric Cryptography
Exfiltration
T1029 Scheduled Transfer T1030 Data Transfer Size Limits T1041 Exfiltration Over C2 Channel T1048 Exfiltration Over Alternative Protocol T1052 Exfiltration Over Physical Medium T1537 Transfer Data to Cloud Account T1567 Exfiltration Over Web Service T1048.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol T1052.001 Exfiltration over USB
Impact
T1489 Service Stop T1498 Network Denial of Service T1499 Endpoint Denial of Service T1565 Data Manipulation T1498.001 Direct Network Flood T1498.002 Reflection Amplification T1499.001 OS Exhaustion Flood T1499.002 Service Exhaustion Flood T1499.003 Application Exhaustion Flood T1499.004 Application or System Exploitation T1565.001 Stored Data Manipulation T1565.003 Runtime Data Manipulation
Compliance Mappings
ISO 27001:2022
10.19.19.29.3A.5.22A.5.35A.8.16
ISO 27002:2022
5.225.355.368.16
COBIT 2019
APO13DSS01MEA01MEA02MEA04
CIS Controls v8
CIS 13CIS 15.6CIS 7
NIST CSF 2.0
DE.CM-01DE.CM-06GV.OV-01GV.OV-03GV.PO-02ID.IM-01ID.IM-03PR.PS-04RC.RP-05
SOC 2 TSC
CC1.1CC1.1-POF3CC2.2CC2.3CC4.2-POF1CC4.2-POF2
PCI DSS v4.0.1
12.4
CSA CCM v4
AA-02AIS-03LOG-03LOG-10SEF-05STA-11TVM-09TVM-10
CSA AICM v1
A&A-02AIS-03AIS-12GRC-12GRC-15LOG-03LOG-10LOG-15MDS-05SEF-05STA-11TVM-09TVM-10TVM-13
FINOS CCC
CCC-C08
ISO 42001:2023
A.2.4A.6.2.6
IEC 62443
3-3 SR 6.2
NIS2 Directive
Art. 21(2)(f)Art. 32
PRA Operational Resilience
SS1/21-7.1SS2/21-7.1
MAS TRM
127
BSI IT-Grundschutz
DER.1
ANSSI
Hygiene.29Hygiene.3Hygiene.31Hygiene.39SecNumCloud.13.7SecNumCloud.19.2
FINMA Circular 2023/1
IV.C(66)IV.C(67)IV.C(68)IV.D(75)IV.D(76)
OSFI B-13
B-13.1.3B-13.3.3B-13.4.2
EU GDPR
Art.32(1)(d)Art.35(11)
EU DORA
Art.10(1)Art.10(2)Art.24(1)Art.6(4)
BIO2
5.225.355.368.16
RBI CSF
Annex1.21ITGRCA.21ITGRCA.30
FISC Security Guidelines
FISC.O2FISC.O7
LGPD + BCB 4893
BCB.Art.10BCB.Art.19BCB.Art.6LGPD.Art.50
HKMA TM-E-1
TME1.12.3TME1.2.6TME1.5.2
MLPS 2.0
8.1.5.38.1.7.28.1.9.6
DNB Good Practice
DNB.14.1DNB.16.1DNB.16.2
SAMA CSF
1.31.92.2
NCA ECC
1-71-82-125-1
UAE IA
T7
CBB TM
TM-12TM-16TM-5
Qatar NIA
GVOSRM
CBUAE
CR-10CR-14CR-3
CBE CSF
CD-1GOV-3OVM-3
SA JS2
JS2-7.3JS2-7.6JS2-7.7JS2-9
CBN CSF
Part2.2Part2.3Part3.5Part6.1Part6.2Part7.2
BoG CISD
CISD-COMPCISD-IICISD-IIICISD-ISMSCISD-IVCISD-VII
POPIA
s19
BoM CTRM
1.53.14.25.35.4
IOSCO Cyber Resilience
DET-1DET-2LE-1LE-2SA-3TEST-1
BCBS 239
Principle 10Principle 12Principle 7Principle 8
CPMI-IOSCO PFMI
CG.DECG.LEPFMI.P17PFMI.P3
FFIEC IS
II.AII.A.2II.C.4II.DIII.AIII.BIV.AIV.A.3
NYDFS 500
500.2
HIPAA Security Rule
§164.308(a)(1)(i)§164.308(a)(1)(ii)(A)§164.308(a)(1)(ii)(B)§164.308(a)(1)(ii)(D)§164.308(a)(7)(ii)(D)§164.308(a)(8)§164.316(b)(2)(iii)
ECB CROE
CROE.2.2.1CROE.2.4CROE.2.8.1
EBA ICT Guidelines
3.3.53.3.63.4.53.4.6
SEBI CSCRF
AUDITCCIDE.CMGV.OVRS.IMSOC
BOT Cyber Resilience
Ch1.3Ch10.1Ch3.1Ch6.1
CMMC 2.0
CA
NERC CIP
CIP-015-1
10 CFR 73.54
RG5.71-C-CA73.54(d)
TSA Pipeline SD
SD-2 Sec C
FERC CIP Orders
Order 881Order 893
DOE C2M2 v2.1
SITUATION
API 1164
Sec 9Sec 15
AWIA
AWWA Sec 4AWWA Sec 5
IAEA NSS 17-T
Sec 5.5Sec 11
CBEST
CBEST.10CBEST.5CBEST.7
TIBER-EU
TIBER.BTTIBER.REM
PCI HSM
10
Common Criteria
CEM
ISAE 3402
Clause 10Clause 2Clause 5Clause 6
Solvency II
Art.45Art.46Art.47EIOPA-ICT-4.2
Lloyd's Minimum Standards
MS10.2MS8.12
NAIC Insurance Data Security
44-monitoring4A4E57
PRA SS1/23
P4.1P5.2
FCA SYSC 13
SYSC 13.5.3SYSC 13.7.5SYSC 13.9.3SYSC 13.G.3
HITRUST CSF v11
00.b00.c03.b04.b06.c11.b12.c
FDA 21 CFR Part 11
§11.10(a)
FDA Cybersecurity Guidance
524B-2524B-4
ISO 27799
18.35.2
NHS DSPT
NDG-5.1NDG-7.3NDG-9.9
CCSS v9.0
2.01.12.01.3
MiCA
Art.34(5)Art.43(1)Art.62(1)Art.94(1)
Basel SCO60
SCO60.5SCO60.13SCO60.23SCO60.50SCO60.51SCO60.65SCO60.71SCO60.72SCO60.73SCO60.74
BSSC Standards
NOS-10GSP-15
SEC Custody (Digital Assets)
SEC-CD-10SEC-CD-13SEC-CD-14
ISO 17799 (legacy)
15.2.115.2.2
COBIT 4.1 (legacy)
PO1.3DS5.5