STIGhub: A free STIG search and compliance tool

SI-4

System and Information Integrity · Rev 5 · organization

System Monitoring

Baselines: Low, Moderate, High

Control Statement

a. Monitor the system to detect:
   1. Attacks and indicators of potential attacks in accordance with the following monitoring objectives: [Assignment: monitoring objectives]; and
   2. Unauthorized local, network, and remote connections;
b. Identify unauthorized use of the system through the following techniques and methods: [Assignment: techniques and methods];
c. Invoke internal monitoring capabilities or deploy monitoring devices:
   1. Strategically within the system to collect organization-determined essential information; and
   2. At ad hoc locations within the system to track specific types of transactions of interest to the organization;
d. Analyze detected events and anomalies;
e. Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;
f. Obtain legal opinion regarding system monitoring activities; and
g. Provide [Assignment: system monitoring information] to [Assignment: personnel or roles] [Selection: organization-defined value].

Supplemental Guidance

System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at external interfaces to the system. Internal monitoring includes the observation of events occurring within the system. Organizations monitor systems by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives guide and inform the determination of the events. System monitoring capabilities are achieved through a variety of tools and techniques, including intrusion detection and prevention systems, malicious code protection software, scanning tools, audit record monitoring software, and network monitoring software. Depending on the security architecture, the distribution and configuration of monitoring devices may impact throughput at key internal and external boundaries as well as at other locations across a network due to the introduction of network throughput latency. If throughput management is needed, such devices are strategically located and deployed as part of an established organization-wide security architecture. Strategic locations for monitoring devices include selected perimeter locations and near key servers and server farms that support critical applications. Monitoring devices are typically employed at the managed interfaces associated with controls [SC-7](#sc-7) and [AC-17](#ac-17). The information collected is a function of the organizational monitoring objectives and the capability of systems to support such objectives. Specific types of transactions of interest include Hypertext Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. System monitoring is an integral part of organizational continuous monitoring and incident response programs, and output from system monitoring serves as input to those programs.

System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other controls (e.g., [AC-2g](#ac-2_smt.g), [AC-2(7)](#ac-2.7), [AC-2(12)(a)](#ac-2.12_smt.a), [AC-17(1)](#ac-17.1), [AU-13](#au-13), [AU-13(1)](#au-13.1), [AU-13(2)](#au-13.2), [CM-3f](#cm-3_smt.f), [CM-6d](#cm-6_smt.d), [MA-3a](#ma-3_smt.a), [MA-4a](#ma-4_smt.a), [SC-5(3)(b)](#sc-5.3_smt.b), [SC-7a](#sc-7_smt.a), [SC-7(24)(b)](#sc-7.24_smt.b), [SC-18b](#sc-18_smt.b), [SC-43b](#sc-43_smt.b)). Adjustments to levels of system monitoring are based on law enforcement information, intelligence information, or other sources of information. The legality of system monitoring activities is based on applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.

Related Controls (39)

AC-2, AC-3, AC-4, AC-8, AC-17, AU-2, AU-6, AU-7, AU-9, AU-12, AU-13, AU-14, CA-7, CM-3, CM-6, CM-8, CM-11, IA-10, IR-4, MA-3, MA-4, PL-9, PM-12, RA-5, RA-10, SC-5, SC-7, SC-18, SC-26, SC-31, SC-35, SC-36, SC-37, SC-43, SI-3, SI-6, SI-7, SR-9, SR-10

CCI Identifiers (22)

CCI-001252: The organization monitors events on the information system in accordance with organization-defined monitoring objectives and detects information system attacks.
CCI-001253: Defines the objectives of monitoring for attacks and indicators of potential attacks on the system.
CCI-001254: The organization identifies unauthorized use of the information system.
CCI-001255: Invoke internal monitoring capabilities or deploy monitoring devices strategically within the system to collect organization-determined essential information.
CCI-001256: Invoke internal monitoring capabilities or deploy monitoring devices at ad hoc locations within the system to track specific types of transactions of interest to the organization.
CCI-001257: Adjust the level of system monitoring activity when there is a change in increased risk to organizational operations and assets, individuals, other organizations, or the Nation.
CCI-001258: Obtain legal opinion with regard to system monitoring activities.
CCI-002641: Monitor the system to detect attacks and indicators of potential attacks in accordance with organization-defined monitoring objectives.
CCI-002642: Monitor the system to detect unauthorized local connections.
CCI-002643: Monitor the system to detect unauthorized network connections.
CCI-002644: Monitor the system to detect unauthorized remote connections.
CCI-002645: Defines the techniques and methods to be used to identify unauthorized use of the system.
CCI-002646: Identify unauthorized use of the system through organization-defined techniques and methods.
CCI-002647: The organization protects information obtained from intrusion-monitoring tools from unauthorized access.
CCI-002648: The organization protects information obtained from intrusion-monitoring tools from unauthorized modification.
CCI-002649: The organization protects information obtained from intrusion-monitoring tools from unauthorized deletion.
CCI-002650: Defines the system monitoring information that is to be provided to the organization-defined personnel or roles.
CCI-002651: Defines the personnel or roles that are to be provided organization-defined system monitoring information.
CCI-002652: Defines the frequency at which the organization will provide the organization-defined system monitoring information to organization-defined personnel or roles.
CCI-002653 (deprecated): The organization provides organization-defined information system monitoring information to organization-defined personnel or roles as needed or per organization-defined frequency.
CCI-002654: Provide organization-defined system monitoring information to organization-defined personnel or roles as needed, and/or per organization-defined frequency.
CCI-004967: Analyze detected events and anomalies.

Linked STIG Checks (5)

Across 2 STIGs.