MON-07: Time Stamps

MON 10 — Critical Detect

Mechanisms exist to configure Technology Assets, Applications and/or Services (TAAS) to use an authoritative time source to generate time stamps for event logs.

Control Question: Does the organization configure Technology Assets, Applications and/or Services (TAAS) to use an authoritative time source to generate time stamps for event logs?

General (30)

Framework	Mapping Values
CSA CCM 4	LOG-06
GovRAMP Low	AU-08
GovRAMP Low+	AU-08
GovRAMP Moderate	AU-08
GovRAMP High	AU-08
IEC 62443-4-2 2019	CR 2.11 (6.13.1)
MPA Content Security Program 5.1	TS-1.5
NIST 800-53 R4	AU-8
NIST 800-53 R4 (low)	AU-8
NIST 800-53 R4 (moderate)	AU-8
NIST 800-53 R4 (high)	AU-8
NIST 800-53 R5 (source)	AU-8
NIST 800-53B R5 (low) (source)	AU-8
NIST 800-53B R5 (moderate) (source)	AU-8
NIST 800-53B R5 (high) (source)	AU-8
NIST 800-82 R3 LOW OT Overlay	AU-8
NIST 800-82 R3 MODERATE OT Overlay	AU-8
NIST 800-82 R3 HIGH OT Overlay	AU-8
NIST 800-171A (source)	3.3.7[a] 3.3.7[b]
NIST 800-171 R3 (source)	03.03.02.a.02 03.03.07.a
NIST 800-171A R3 (source)	A.03.03.07.ODP[01] A.03.03.07.a A.03.03.07.b[01]
OWASP Top 10 2021	A09:2021
PCI DSS 4.0.1 (source)	10.2 10.6 10.6.1 10.6.2 10.6.3
PCI DSS 4.0.1 SAQ A-EP (source)	10.6.1 10.6.2 10.6.3
PCI DSS 4.0.1 SAQ C (source)	10.6.1 10.6.2 10.6.3
PCI DSS 4.0.1 SAQ D Merchant (source)	10.6.1 10.6.2 10.6.3
PCI DSS 4.0.1 SAQ D Service Provider (source)	10.6.1 10.6.2 10.6.3
SCF CORE Mergers, Acquisitions & Divestitures (MA&D)	MON-07
SCF CORE ESP Level 2 Critical Infrastructure	MON-07
SCF CORE ESP Level 3 Advanced Threats	MON-07

US (19)

Framework	Mapping Values
US CERT RMM 1.2	TM:SG2.SP2
US CJIS Security Policy 5.9.3 (source)	5.4.4
US CMS MARS-E 2.0	AU-8
US FDA 21 CFR Part 11	11.10 11.10(b) 11.10(c) 11.10(e)
US FedRAMP R4	AU-8
US FedRAMP R4 (low)	AU-8
US FedRAMP R4 (moderate)	AU-8
US FedRAMP R4 (high)	AU-8
US FedRAMP R4 (LI-SaaS)	AU-8
US FedRAMP R5 (source)	AU-8
US FedRAMP R5 (low) (source)	AU-8
US FedRAMP R5 (moderate) (source)	AU-8
US FedRAMP R5 (high) (source)	AU-8
US FedRAMP R5 (LI-SaaS) (source)	AU-8
US IRS 1075	AU-8
US NISPOM 2020	8-602
US - TX DIR Control Standards 2.0	AU-8
US - TX TX-RAMP Level 1	AU-8
US - TX TX-RAMP Level 2	AU-8

EMEA (2)

Framework	Mapping Values
EMEA Saudi Arabia ECC-1 2018	2-3-3-4
EMEA Spain CCN-STIC 825	8.7.5 [MP.INFO.5]

Americas (1)

Framework	Mapping Values
Americas Canada ITSP-10-171	03.03.02.A.02 03.03.07.A

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to configure Technology Assets, Applications and/or Services (TAAS) to use an authoritative time source to generate time stamps for event logs.

Level 1 — Performed Informally

Continuous Monitoring (MON) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:

Generating event logs and the review of event logs is narrowly-focused to business-critical Technology Assets, Applications and/or Services (TAAS) and/ or Technology Assets, Applications and/or Services (TAAS) that store, processes and/ or transmit sensitive/regulated data.
Secure baseline configurations generate logs that contain sufficient information to establish necessary details of activity and allow for forensics analysis.

Level 2 — Planned & Tracked

Continuous Monitoring (MON) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for situational awareness management. o Configure alerts for critical or sensitive data that is stored, transmitted and processed on assets. o Use a structured process to review and analyze logs.

Situational awareness management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
Secure baseline configurations generate logs that contain sufficient information to establish necessary details of activity and allow for forensics analysis.
IT/cybersecurity personnel:
A log aggregator, or similar automated tool, provides an event log report generation capability to aid in detecting and assessing anomalous activities on business-critical Technology Assets, Applications and/or Services (TAAS).
Secure baseline configurations use internal system clocks to generate time stamps for security event logs that are synchronized with an authoritative time source.

Level 3 — Well Defined

Continuous Monitoring (MON) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Governs asset management that ensures compliance with requirements for asset management. o Leverages a Configuration Management Database (CMDB), or similar tool, as the authoritative source of IT assets. o Centrally collects logs and is protected according to the manufacturer’s security guidelines to protect the integrity of the event logs with cryptographic mechanisms. o Monitors the organization for Indicators of Compromise (IoC) and provides 24x7x365 near real-time alerting capability. o Is configured to alert incident response personnel of detected suspicious events such that incident responders can look to terminate suspicious events.

An IT Asset Management (ITAM) function, or similar function:
A Security Incident Event Manager (SIEM), or similar automated tool:
Both inbound and outbound network traffic is monitored for unauthorized activities to identify prohibited activities and assist incident handlers with identifying potentially compromised Technology Assets, Applications and/or Services (TAAS).
Secure baseline configurations use internal system clocks to generate time stamps for security event logs that are synchronized with an authoritative time source.

Level 4 — Quantitatively Controlled

See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to configure Technology Assets, Applications and/or Services (TAAS) to use an authoritative time source to generate time stamps for event logs.

Level 5 — Continuously Improving

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to configure Technology Assets, Applications and/or Services (TAAS) to use an authoritative time source to generate time stamps for event logs.

Assessment Objectives

MON-07_A01 timestamps are recorded for audit records that meet organization-defined granularity of time measurement and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time or include the local time offset as part of the timestamp.
MON-07_A02 internal system clocks are used to generate time stamps for audit records.
MON-07_A03 granularity of time measurement for audit record time stamps is defined.
MON-07_A04 time stamps are recorded for audit records that meet organization-defined granularity of time measurement.
MON-07_A05 time stamps are recorded for audit records that meet <A.03.03.07.ODP[01]: granularity of time measurement>.

Technology Recommendations

Micro/Small

Secure Baseline Configurations (SBC)

Small

Secure Baseline Configurations (SBC)

Medium

Secure Baseline Configurations (SBC)

Large

Secure Baseline Configurations (SBC)

Enterprise

Secure Baseline Configurations (SBC)