MON-01: Continuous Monitoring

MON 10 — Critical Govern

Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.

Control Question: Does the organization facilitate the implementation of enterprise-wide monitoring controls?

General (60)

Framework	Mapping Values
AICPA TSC 2017:2022 (used for SOC 2) (source)	CC7.2 CC7.2-POF1
CIS CSC 8.1	8 8.2 13 13.6
CIS CSC 8.1 IG1	8.2
CIS CSC 8.1 IG2	8.2 8.4 13.6
CIS CSC 8.1 IG3	8.2 8.4 13.6
COBIT 2019	DSS01.03 DSS05.07 DSS06.05 MEA01.01
CSA CCM 4	LOG-01 LOG-07
CSA IoT SCF 2	CLS-08 MON-01 MON-03 MON-05 MON-07 SNT-03
ENISA 2.0	SO21
GovRAMP Core	SI-04
GovRAMP Low	AU-01 SI-04
GovRAMP Low+	AU-01 SI-04
GovRAMP Moderate	AU-01 SI-04
GovRAMP High	AU-01 SI-04
IEC 62443-4-2 2019	CR 2.8 (6.10.1) CR 6.2 (10.4.1)
ISO/SAE 21434 2021	RQ-08-03 RQ-08-04
ISO 27002 2022	8.15 8.16
ISO 27017 2015	12.4.1 CLD.12.4.5
MITRE ATT&CK 10	T1001, T1001.001, T1001.002, T1001.003, T1003, T1003.001, T1003.002, T1003.003, T1003.004, T1003.005, T1003.006, T1003.007, T1003.008, T1005, T1008, T1011, T1011.001, T1020.001, T1021, T1021.001, T1021.002, T1021.003, T1021.004, T1021.005, T1021.006, T1025, T1027, T1027.002, T1029, T1030, T1036, T1036.001, T1036.003, T1036.005, T1036.007, T1037, T1037.002, T1037.003, T1037.004, T1037.005, T1040, T1041, T1046, T1047, T1048, T1048.001, T1048.002, T1048.003, T1052, T1052.001, T1053, T1053.001, T1053.002, T1053.003, T1053.005, T1053.006, T1055, T1055.001, T1055.002, T1055.003, T1055.004, T1055.005, T1055.008, T1055.009, T1055.011, T1055.012, T1055.013, T1055.014, T1056.002, T1059, T1059.001, T1059.002, T1059.003, T1059.004, T1059.005, T1059.006, T1059.007, T1059.008, T1068, T1070, T1070.001, T1070.002, T1070.003, T1071, T1071.001, T1071.002, T1071.003, T1071.004, T1072, T1078, T1078.001, T1078.002, T1078.003, T1078.004, T1080, T1087, T1087.001, T1087.002, T1090, T1090.001, T1090.002, T1091, T1092, T1095, T1098, T1098.001, T1098.002, T1098.003, T1098.004, T1102, T1102.001, T1102.002, T1102.003, T1104, T1105, T1106, T1110, T1110.001, T1110.002, T1110.003, T1110.004, T1111, T1114, T1114.001, T1114.002, T1114.003, T1119, T1127, T1127.001, T1129, T1132, T1132.001, T1132.002, T1133, T1135, T1136, T1136.001, T1136.002, T1136.003, T1137, T1137.001, T1176, T1185, T1187, T1189, T1190, T1197, T1201, T1203, T1204, T1204.001, T1204.002, T1204.003, T1205, T1205.001, T1210, T1211, T1212, T1213, T1213.001, T1213.002, T1216, T1216.001, T1218, T1218.001, T1218.002, T1218.003, T1218.004, T1218.005, T1218.008, T1218.009, T1218.010, T1218.011, T1218.012, T1218.013, T1218.014, T1219, T1220, T1221, T1222, T1222.001, T1222.002, T1484, T1485, T1486, T1489, T1490, T1491, T1491.001, T1491.002, T1499, T1499.001, T1499.002, T1499.003, T1499.004, T1505, T1505.002, T1505.003, T1505.004, T1525, T1528, T1530, T1537, T1539, T1542.004, T1542.005, T1543, T1543.002, T1546.002, T1546.003, T1546.004, T1546.006, T1546.008, T1546.013, T1546.014, T1547.002, T1547.003, T1547.004, T1547.005, T1547.006, T1547.007, T1547.008, T1547.009, T1547.011, T1547.012, T1547.013, T1548, T1548.001, T1548.002, T1548.003, T1548.004, T1550.001, T1550.003, T1552, T1552.001, T1552.002, T1552.003, T1552.004, T1552.005, T1552.006, T1553, T1553.001, T1553.003, T1553.004, T1553.005, T1555, T1555.001, T1555.002, T1555.004, T1555.005, T1556, T1556.001, T1556.002, T1556.003, T1556.004, T1557, T1557.001, T1557.002, T1558, T1558.002, T1558.003, T1558.004, T1559, T1559.002, T1560, T1560.001, T1561, T1561.001, T1561.002, T1562, T1562.001, T1562.002, T1562.003, T1562.004, T1562.006, T1562.010, T1563, T1563.001, T1563.002, T1564.002, T1564.004, T1564.006, T1564.007, T1564.008, T1564.009, T1565, T1565.001, T1565.002, T1565.003, T1566, T1566.001, T1566.002, T1566.003, T1567, T1568, T1568.002, T1569, T1569.002, T1570, T1571, T1572, T1573, T1573.001, T1573.002, T1574, T1574.001, T1574.004, T1574.005, T1574.007, T1574.008, T1574.009, T1574.010, T1578, T1578.001, T1578.002, T1578.003, T1598, T1598.001, T1598.002, T1598.003, T1599, T1599.001, T1601, T1601.001, T1601.002, T1602, T1602.001, T1602.002, T1610, T1611, T1612, T1613
NAIC Insurance Data Security Model Law (MDL-668)	4.D(2)(h)
NIST AI 600-1	GV-4.3-002 GV-6.2-004
NIST Privacy Framework 1.0	CT.DM-P8
NIST 800-37 R2	P-7 S-5
NIST 800-53 R4	AU-1 SI-4
NIST 800-53 R4 (low)	AU-1 SI-4
NIST 800-53 R4 (moderate)	AU-1 SI-4
NIST 800-53 R4 (high)	AU-1 SI-4
NIST 800-53 R5 (source)	AU-1 PM-31 SI-4
NIST 800-53B R5 (privacy) (source)	AU-1 PM-31
NIST 800-53B R5 (low) (source)	AU-1 SI-4
NIST 800-53B R5 (moderate) (source)	AU-1 SI-4
NIST 800-53B R5 (high) (source)	AU-1 SI-4
NIST 800-82 R3 LOW OT Overlay	AU-1 SI-4
NIST 800-82 R3 MODERATE OT Overlay	AU-1 SI-4
NIST 800-82 R3 HIGH OT Overlay	AU-1 SI-4
NIST 800-161 R1	AU-1 PM-31 SI-4
NIST 800-161 R1 C-SCRM Baseline	AU-1 SI-4
NIST 800-161 R1 Flow Down	SI-4
NIST 800-161 R1 Level 1	AU-1 PM-31 SI-4
NIST 800-161 R1 Level 2	AU-1 PM-31 SI-4
NIST 800-161 R1 Level 3	AU-1 PM-31 SI-4
NIST 800-171 R2 (source)	3.3.3 3.14.6 NFO-AU-1
NIST 800-171 R3 (source)	03.03.01.a 03.12.03 03.14.06.a
NIST 800-171A R3 (source)	A.03.14.06.a.01[01] A.03.14.06.a.01[02] A.03.14.06.a.02
NIST 800-172	3.14.2e
NIST 800-207	NIST Tenet 5 NIST Tenet 6 NIST Tenet 7
NIST CSF 2.0 (source)	DE.AE DE.CM-01 DE.CM-03 DE.CM-06 DE.CM-09 PR.PS-04
OWASP Top 10 2021	A01:2021 A07:2021 A09:2021
PCI DSS 4.0.1 (source)	10.1 10.4.3 10.7 10.7.1 10.7.2 10.7.3
PCI DSS 4.0.1 SAQ A-EP (source)	10.4.3
PCI DSS 4.0.1 SAQ C (source)	10.4.3
PCI DSS 4.0.1 SAQ D Merchant (source)	10.4.3 10.7.2 10.7.3
PCI DSS 4.0.1 SAQ D Service Provider (source)	10.4.3 10.7.1 10.7.2 10.7.3
SPARTA	CM0090
SWIFT CSF 2023	6.4
TISAX ISA 6	5.2.4
SCF CORE Mergers, Acquisitions & Divestitures (MA&D)	MON-01
SCF CORE ESP Level 1 Foundational	MON-01
SCF CORE ESP Level 2 Critical Infrastructure	MON-01
SCF CORE ESP Level 3 Advanced Threats	MON-01

US (41)

Framework	Mapping Values
US C2M2 2.1	SITUATION-1.A.MIL1 SITUATION-3.G.MIL3
US CERT RMM 1.2	COMP:SG1.SP2 MON:SG1.SP3 COMP:SG2.SP1 MON:SG2.SP3 MON:SG2.SP4
US CISA CPG 2022	1.D 2.T
US CJIS Security Policy 5.9.3 (source)	5.4 5.4.3 SI-4
US CMMC 2.0 Level 2 (source)	AU.L2-3.3.3 SI.L2-3.14.6
US CMS MARS-E 2.0	AU-1 SI-4
US DoD Zero Trust Execution Roadmap	3.5 7.3.1
US DoD Zero Trust Reference Architecture 2.0	6.5
US DHS CISA SSDAF	1.b 1.f
US DHS CISA TIC 3.0	3.UNI.CLMAN 3.UNI.AACCO 3.UNI.SAWAR 3.UNL.CMREP
US DHS ZTCF	APP-02 NTW-02 SEC-01
US EO 14028	4e(i)(B) 4e(i)(F)
US FDA 21 CFR Part 11	11.10 11.10(e)
US FedRAMP R4	AU-1 SI-4
US FedRAMP R4 (low)	AU-1 SI-4
US FedRAMP R4 (moderate)	AU-1 SI-4
US FedRAMP R4 (high)	AU-1 SI-4
US FedRAMP R4 (LI-SaaS)	AU-1 SI-4
US FedRAMP R5 (source)	AU-1 SI-4
US FedRAMP R5 (low) (source)	AU-1 SI-4
US FedRAMP R5 (moderate) (source)	AU-1 SI-4
US FedRAMP R5 (high) (source)	AU-1 SI-4
US FedRAMP R5 (LI-SaaS) (source)	AU-1 SI-4
US FFIEC	D3.DC.An.B.2 D3.DC.An.B.3 D1.G.SP.B.3 D2.MA.Ma.B.1 D2.MA.Ma.B.2 D3.DC.Ev.B.4 D1.G.Ov.E.2
US HHS 45 CFR 155.260	155.260(a)(3)(viii)
US HIPAA Administrative Simplification 2013 (source)	164.308(a)(1)(i) 164.308(a)(1)(ii)(D) 164.312(b)
US HIPAA Security Rule / NIST SP 800-66 R2 (source)	164.308(a)(1)(i) 164.308(a)(1)(ii)(D) 164.312(b)
US HIPAA HICP Medium Practice	6.M.C
US HIPAA HICP Large Practice	6.M.C 6.L.B 8.L.E 9.L.B
US IRS 1075	AU-1 SI-4
US NISPOM 2020	8-602
US NNPI (unclass)	3.1
US SSA EIESR 8.0	5.4 5.6
US TSA / DHS 1580/82-2022-01	III.D III.D.3.a III.D.3.b
US - CA CCPA 2025	7123(c)(7)
US - NY DFS 23 NYCRR500 2023 Amd 2	500.2(b)(3) 500.6(a)(1) 500.6(a)(2)
US - NY SHIELD Act S5575B	4(2)(b)(ii)(C)(2)
US - TX DIR Control Standards 2.0	AU-1 SI-4
US - TX TX-RAMP Level 1	AU-1 SI-4
US - TX TX-RAMP Level 2	AU-1 SI-4
US - VT Act 171 of 2018	2447(b)(2)(C) 2447(b)(8) 2447(b)(8)(A)

EMEA (21)

Framework	Mapping Values
EMEA EU EBA GL/2019/04	3.4.5(39) 3.4.5(40) 3.5(52)
EMEA EU DORA	10.3
EMEA EU NIS2 Annex	13.1.2(f) 2.2.3 3.2.1 3.2.2 3.2.6
EMEA Austria	Sec 14 Sec 15
EMEA Belgium	16
EMEA Germany Banking Supervisory Requirements for IT (BAIT)	5.5 6.3 6.7
EMEA Germany C5 2020	OPS-10
EMEA Israel CDMO 1.0	4.6 6.8 9.10 11.11 12.31 13.9 21.1
EMEA Saudi Arabia CSCC-1 2019	2-11
EMEA Saudi Arabia IoT CGIoT-1 2024	2-11-1
EMEA Saudi Arabia ECC-1 2018	2-3-4 2-12-1 2-12-2 2-12-3 2-12-4 5-1-3-3
EMEA Saudi Arabia OTCC-1 2022	2-11 2-11-1 2-11-2
EMEA Saudi Arabia SACS-002	TPC-40 TPC-80
EMEA Saudi Arabia SAMA CSF 1.0	3.3.14
EMEA South Africa	19.1 19.2
EMEA Spain BOE-A-2022-7191	10.1 21.2 24.1
EMEA Spain 311/2022	10.1 21.2 24.1
EMEA Spain CCN-STIC 825	7.3.8 [OP.EXP.8]
EMEA UK CAF 4.0	C1
EMEA UK CAP 1850	C1
EMEA UK DEFSTAN 05-138	2203 2427 3100 3101 3102 3106

APAC (7)

Framework	Mapping Values
APAC Australia ISM June 2024	ISM-0109 ISM-0120 ISM-0580 ISM-0660 ISM-1163 ISM-1294 ISM-1294 ISM-1586
APAC India SEBI CSCRF	DE.CM.S2 PR.AA.S8
APAC Japan ISMAP	12.4.1 12.4.1.15.PB 12.4.5.P
APAC New Zealand HISF 2022	HHSP70 HML70 HMS18 HSUP61
APAC New Zealand HISF Suppliers 2023	HSUP61
APAC New Zealand NZISM 3.6	16.6.6.C.01 16.6.6.C.02 16.6.8.C.01 16.6.10.C.01 16.6.10.C.02
APAC Singapore MAS TRM 2021	12.2.1 12.2.2 12.2.3

Americas (4)

Framework	Mapping Values
Americas Bermuda BMACCC	6.21
Americas Canada CSAG	3.5
Americas Canada OSFI B-13	3.3 3.3.1 3.3.2
Americas Canada ITSP-10-171	03.03.01.A 03.12.03 03.14.06.A

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to facilitate the implementation of enterprise-wide monitoring controls.

Level 1 — Performed Informally

Continuous Monitoring (MON) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:

Generating event logs and the review of event logs is narrowly-focused to business-critical systems and/ or systems that store, processes and/ or transmit sensitive/regulated data.
Secure baseline configurations generate logs that contain sufficient information to establish necessary details of activity and allow for forensics analysis.

Level 2 — Planned & Tracked

Continuous Monitoring (MON) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for situational awareness management. o Configure alerts for critical or sensitive data that is stored, transmitted and processed on assets. o Use a structured process to review and analyze logs.

Situational awareness management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
Secure baseline configurations generate logs that contain sufficient information to establish necessary details of activity and allow for forensics analysis.
IT/cybersecurity personnel:
A log aggregator, or similar automated tool, provides an event log report generation capability to aid in detecting and assessing anomalous activities on business-critical systems.

Level 3 — Well Defined

Continuous Monitoring (MON) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Governs asset management that ensures compliance with requirements for asset management. o Leverages a Configuration Management Database (CMDB), or similar tool, as the authoritative source of IT assets. o Centrally collects logs and is protected according to the manufacturer’s security guidelines to protect the integrity of the event logs with cryptographic mechanisms. o Monitors the organization for Indicators of Compromise (IoC) and provides 24x7x365 near real-time alerting capability. o Is configured to alert incident response personnel of detected suspicious events such that incident responders can look to terminate suspicious events.

The Chief Information Security Officer (CISO), or similar function with technical competence to address cybersecurity concerns, analyzes the organization's business strategy to determine prioritized and authoritative guidance for continuous monitoring (e.g., event log collection and analysis) practices, within the broader scope of cybersecurity and data protection operations.
The CISO, or similar function, develops a security-focused Concept of Operations (CONOPS) that documents management, operational and technical measures to apply defense-in-depth techniques across the organization for security monitoring.
A Governance, Risk & Compliance (GRC) function, or similar function, provides governance oversight for the implementation of applicable statutory, regulatory and contractual cybersecurity and data protection controls for continuous security monitoring.
A steering committee is formally established to provide executive oversight of the cybersecurity and data privacy program, including continuous monitoring.
An IT Asset Management (ITAM) function, or similar function:
A Security Incident Event Manager (SIEM), or similar automated tool:
A Security Operations Center (SOC), or similar function, enables incident management operations covering preparation, detection and analysis, containment, eradication and recovery.
Both inbound and outbound network traffic is monitored for unauthorized activities to identify prohibited activities and assist incident handlers with identifying potentially compromised systems.

Level 4 — Quantitatively Controlled

Continuous Monitoring (MON) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist:

Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
Both business and technical stakeholders are involved in reviewing and approving proposed changes.

Level 5 — Continuously Improving

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to facilitate the implementation of enterprise-wide monitoring controls.

Assessment Objectives

MON-01_A01 the continuous monitoring program is organization-wide.
MON-01_A02 monitoring objectives to detect attacks and indicators of potential attacks on the system are defined.
MON-01_A03 techniques and methods used to identify unauthorized use of the system are defined.
MON-01_A04 system monitoring information to be provided to personnel or roles is defined.
MON-01_A05 personnel or roles to whom system monitoring information is to be provided is/are defined.
MON-01_A06 a frequency for providing system monitoring to personnel or roles is defined.
MON-01_A07 the level of system monitoring activity is adjusted when there is a change in risk to organizational operations and assets, individuals, other organizations or the Nation.
MON-01_A08 a legal opinion regarding system monitoring activities is obtained.
MON-01_A09 the system is monitored to detect attacks.
MON-01_A10 the system is monitored to detect indicators of potential attacks.
MON-01_A11 the system is monitored to detect unauthorized connections.
MON-01_A12 event monitoring operations are conducted according to documented policies, standards, procedures and/or other organizational directives.
MON-01_A13 adequate resources (e.g., people, processes, technologies, data and/or facilities) are provided to support event monitoring operations.
MON-01_A14 responsibility and authority for the performance of event monitoring-related activities are assigned to designated personnel.
MON-01_A15 personnel performing event monitoring-related activities have the skills and knowledge needed to perform their assigned duties.

Evidence Requirements

E-MON-01 Event Log Review & Analysis: Documented evidence of security event log review and analysis (e.g., system monitoring records).
Event Log Monitoring
E-MON-06 Automated Event Escalation & Reporting: Documented evidence of a capability for selected events to alert applicable personnel, or roles, based on the type of event. This can be demonstrated by the configuration of a Security Incident Event Manager (SIEM), or similar technology, that helps automate event log analysis and reporting.
Event Log Monitoring
E-MON-07 Situational Awareness: Documented evidence of the organization leveraging knowledge of event log generation to gain situational awareness of cross-domain activities (e.g., technology issues, security events, policy violations, service provider activities, remote workforce activities, physical security events, etc.).
Event Log Monitoring

Technology Recommendations

Micro/Small

Centralized event logging
Managed Security Services Provider (MSSP)

Small

Centralized event logging
Security Incident Event Manager (SIEM)
Managed Security Services Provider (MSSP)

Medium

Centralized event logging
Security Incident Event Management (SIEM)
Managed Security Services Provider (MSSP)
Security Orchestration, Automation & Response (SOAR)
Extended Detection and Response (XDR)

Large

Centralized event logging
Security Incident Event Management (SIEM)
Managed Security Services Provider (MSSP)
Security Orchestration, Automation & Response (SOAR)
Extended Detection and Response (XDR)

Enterprise

Centralized event logging
Security Incident Event Management (SIEM)
Managed Security Services Provider (MSSP)
Security Orchestration, Automation & Response (SOAR)
Extended Detection and Response (XDR)