MON-07.1: Synchronization With Authoritative Time Source
Mechanisms exist to synchronize internal system clocks with an authoritative time source.
Control Question: Does the organization synchronize internal system clocks with an authoritative time source?
General (27)
| Framework | Mapping Values |
|---|---|
| CIS CSC 8.1 | 8.4 |
| CIS CSC 8.1 IG2 | 8.4 |
| CIS CSC 8.1 IG3 | 8.4 |
| CSA CCM 4 | LOG-06 |
| IEC 62443-4-2 2019 | CR 2.11 (6.13.3(1)) CR 2.11 (6.13.3(2)) |
| MPA Content Security Program 5.1 | TS-1.5 |
| NIST 800-53 R4 | AU-8(1) |
| NIST 800-53 R4 (moderate) | AU-8(1) |
| NIST 800-53 R4 (high) | AU-8(1) |
| NIST 800-53 R5 (source) | SC-45 SC-45(1) |
| NIST 800-53 R5 (NOC) (source) | SC-45 SC-45(1) |
| NIST 800-82 R3 LOW OT Overlay | SC-45 |
| NIST 800-82 R3 MODERATE OT Overlay | SC-45 |
| NIST 800-82 R3 HIGH OT Overlay | SC-45 |
| NIST 800-171 R2 (source) | 3.3.7 |
| NIST 800-171A (source) | 3.3.7[b] 3.3.7[c] |
| NIST 800-171 R3 (source) | 03.03.07.b |
| NIST 800-171A R3 (source) | A.03.03.07.b[02] |
| OWASP Top 10 2021 | A09:2021 |
| PCI DSS 4.0.1 (source) | 10.6 10.6.1 10.6.2 10.6.3 |
| PCI DSS 4.0.1 SAQ A-EP (source) | 10.6.1 10.6.2 10.6.3 |
| PCI DSS 4.0.1 SAQ C (source) | 10.6.1 10.6.2 10.6.3 |
| PCI DSS 4.0.1 SAQ D Merchant (source) | 10.6.1 10.6.2 10.6.3 |
| PCI DSS 4.0.1 SAQ D Service Provider (source) | 10.6.1 10.6.2 10.6.3 |
| SCF CORE Mergers, Acquisitions & Divestitures (MA&D) | MON-07.1 |
| SCF CORE ESP Level 2 Critical Infrastructure | MON-07.1 |
| SCF CORE ESP Level 3 Advanced Threats | MON-07.1 |
US (13)
| Framework | Mapping Values |
|---|---|
| US CMMC 2.0 Level 2 (source) | AU.L2-3.3.7 |
| US CMMC 2.0 Level 3 (source) | AU.L2-3.3.7 |
| US CMS MARS-E 2.0 | AU-8(1) |
| US DHS CISA TIC 3.0 | 3.UNI.TSYNC |
| US FDA 21 CFR Part 11 | 11.10 11.10(b) 11.10(c) 11.10(e) |
| US FedRAMP R4 | AU-8(1) |
| US FedRAMP R4 (moderate) | AU-8(1) |
| US FedRAMP R4 (high) | AU-8(1) |
| US FedRAMP R5 (source) | SC-45 SC-45(1) |
| US FedRAMP R5 (moderate) (source) | SC-45 SC-45(1) |
| US FedRAMP R5 (high) (source) | SC-45 SC-45(1) |
| US IRS 1075 | SC-45 SC-45(1) |
| US - TX TX-RAMP Level 2 | AU-8(1) |
EMEA (3)
| Framework | Mapping Values |
|---|---|
| EMEA EU NIS2 Annex | 3.2.6 |
| EMEA Saudi Arabia ECC-1 2018 | 2-3-3-4 |
| EMEA UK DEFSTAN 05-138 | 2421 |
APAC (2)
| Framework | Mapping Values |
|---|---|
| APAC New Zealand HISF 2022 | HHSP71 HML71 HSUP62 |
| APAC New Zealand HISF Suppliers 2023 | HSUP62 |
Americas (1)
| Framework | Mapping Values |
|---|---|
| Americas Canada ITSP-10-171 | 03.03.07.B |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to synchronize internal system clocks with an authoritative time source.
Level 1 — Performed Informally
Continuous Monitoring (MON) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- Generating event logs and the review of event logs is narrowly-focused to business-critical systems and/ or systems that store, processes and/ or transmit sensitive/regulated data.
- Secure baseline configurations generate logs that contain sufficient information to establish necessary details of activity and allow for forensics analysis.
Level 2 — Planned & Tracked
Continuous Monitoring (MON) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for situational awareness management. o Configure alerts for critical or sensitive data that is stored, transmitted and processed on assets. o Use a structured process to review and analyze logs.
- Situational awareness management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
- Secure baseline configurations generate logs that contain sufficient information to establish necessary details of activity and allow for forensics analysis.
- IT/cybersecurity personnel:
- A log aggregator, or similar automated tool, provides an event log report generation capability to aid in detecting and assessing anomalous activities on business-critical systems.
Level 3 — Well Defined
Continuous Monitoring (MON) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Governs asset management that ensures compliance with requirements for asset management. o Leverages a Configuration Management Database (CMDB), or similar tool, as the authoritative source of IT assets. o Centrally collects logs and is protected according to the manufacturer’s security guidelines to protect the integrity of the event logs with cryptographic mechanisms. o Monitors the organization for Indicators of Compromise (IoC) and provides 24x7x365 near real-time alerting capability. o Is configured to alert incident response personnel of detected suspicious events such that incident responders can look to terminate suspicious events.
- An IT Asset Management (ITAM) function, or similar function:
- A Security Incident Event Manager (SIEM), or similar automated tool:
- Both inbound and outbound network traffic is monitored for unauthorized activities to identify prohibited activities and assist incident handlers with identifying potentially compromised systems.
Level 4 — Quantitatively Controlled
See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to synchronize internal system clocks with an authoritative time source.
Level 5 — Continuously Improving
See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to synchronize internal system clocks with an authoritative time source.
Assessment Objectives
- MON-07.1_A01 an authoritative source with which to compare and synchronize internal system clocks is specified.
- MON-07.1_A02 internal system clocks used to generate time stamps for audit records are compared to and synchronized with the specified authoritative time source.
- MON-07.1_A03 system clocks are synchronized within and between systems and system components.
- MON-07.1_A04 the frequency at which to compare the internal system clocks with the authoritative time source is defined.
- MON-07.1_A05 the internal system clocks are synchronized with the authoritative time source when the time difference is greater than an organization-defined time period.
- MON-07.1_A06 time stamps are recorded for audit records that use Coordinated Universal Time (UTC), have a fixed local time offset from UTC, or include the local time offset as part of the time stamp.
Technology Recommendations
Micro/Small
- Secure Baseline Configurations (SBC)
Small
- Secure Baseline Configurations (SBC)
Medium
- Secure Baseline Configurations (SBC)
Large
- Secure Baseline Configurations (SBC)
Enterprise
- Secure Baseline Configurations (SBC)