NIST 800-53 CA-7 Mappings

Continuous monitoring at the system level facilitates ongoing awareness of the system security and privacy posture to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies. The results of continuous monitoring generate risk response actions by organizations. When monitoring the effectiveness of multiple controls that have been grouped into capabilities, a root-cause analysis may be needed to determine the specific control that has failed. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security and privacy information on a continuing basis through reports and dashboards gives organizational officials the ability to make effective and timely risk management decisions, including ongoing authorization decisions.

Automation supports more frequent updates to hardware, software, and firmware inventories, authorization packages, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of systems. Monitoring requirements, including the need for specific monitoring, may be referenced in other controls and control enhancements, such as AC-02g, AC-02(07), AC-02(12)(a), AC-02(07)(b), AC-02(07)(c), AC-17(01), AT-04a, AU-13, AU-13(01), AU-13(02), CM-03f, CM-06d, CM-11c, IR-05, MA-02b, MA-03a, MA-04a, PE-03d, PE-06, PE-14b, PE-16, PE-20, PM-06, PM-23, PM-31, PS-07e, SA-09c, SR-04, SC-05(03)(b), SC-07a, SC-07(24)(b), SC-18b, SC-43b, and SI-04.

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
CA-7 Continuous Monitoring Protects T1001 Data Obfuscation
CA-7 Continuous Monitoring Protects T1001.001 Junk Data
CA-7 Continuous Monitoring Protects T1001.002 Steganography
CA-7 Continuous Monitoring Protects T1001.003 Protocol Impersonation
CA-7 Continuous Monitoring Protects T1003 OS Credential Dumping
CA-7 Continuous Monitoring Protects T1003.001 LSASS Memory
CA-7 Continuous Monitoring Protects T1003.002 Security Account Manager
CA-7 Continuous Monitoring Protects T1003.003 NTDS
CA-7 Continuous Monitoring Protects T1003.004 LSA Secrets
CA-7 Continuous Monitoring Protects T1003.005 Cached Domain Credentials
CA-7 Continuous Monitoring Protects T1003.006 DCSync
CA-7 Continuous Monitoring Protects T1003.007 Proc Filesystem
CA-7 Continuous Monitoring Protects T1003.008 /etc/passwd and /etc/shadow
CA-7 Continuous Monitoring Protects T1008 Fallback Channels
CA-7 Continuous Monitoring Protects T1021.002 SMB/Windows Admin Shares
CA-7 Continuous Monitoring Protects T1021.005 VNC
CA-7 Continuous Monitoring Protects T1029 Scheduled Transfer
CA-7 Continuous Monitoring Protects T1030 Data Transfer Size Limits
CA-7 Continuous Monitoring Protects T1036 Masquerading
CA-7 Continuous Monitoring Protects T1036.003 Rename System Utilities
CA-7 Continuous Monitoring Protects T1036.005 Match Legitimate Name or Location
CA-7 Continuous Monitoring Protects T1037 Boot or Logon Initialization Scripts
CA-7 Continuous Monitoring Protects T1037.002 Logon Script (Mac)
CA-7 Continuous Monitoring Protects T1037.003 Network Logon Script
CA-7 Continuous Monitoring Protects T1037.004 RC Scripts
CA-7 Continuous Monitoring Protects T1037.005 Startup Items
CA-7 Continuous Monitoring Protects T1041 Exfiltration Over C2 Channel
CA-7 Continuous Monitoring Protects T1046 Network Service Scanning
CA-7 Continuous Monitoring Protects T1048 Exfiltration Over Alternative Protocol
CA-7 Continuous Monitoring Protects T1048.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol
CA-7 Continuous Monitoring Protects T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
CA-7 Continuous Monitoring Protects T1048.003 Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
CA-7 Continuous Monitoring Protects T1053.006 Systemd Timers
CA-7 Continuous Monitoring Protects T1055.009 Proc Memory
CA-7 Continuous Monitoring Protects T1056.002 GUI Input Capture
CA-7 Continuous Monitoring Protects T1068 Exploitation for Privilege Escalation
CA-7 Continuous Monitoring Protects T1070 Indicator Removal on Host
CA-7 Continuous Monitoring Protects T1070.001 Clear Windows Event Logs
CA-7 Continuous Monitoring Protects T1070.002 Clear Linux or Mac System Logs
CA-7 Continuous Monitoring Protects T1070.003 Clear Command History
CA-7 Continuous Monitoring Protects T1071 Application Layer Protocol
CA-7 Continuous Monitoring Protects T1071.001 Web Protocols
CA-7 Continuous Monitoring Protects T1071.002 File Transfer Protocols
CA-7 Continuous Monitoring Protects T1071.003 Mail Protocols
CA-7 Continuous Monitoring Protects T1071.004 DNS
CA-7 Continuous Monitoring Protects T1072 Software Deployment Tools
CA-7 Continuous Monitoring Protects T1078 Valid Accounts
CA-7 Continuous Monitoring Protects T1078.001 Default Accounts
CA-7 Continuous Monitoring Protects T1078.003 Local Accounts
CA-7 Continuous Monitoring Protects T1078.004 Cloud Accounts
CA-7 Continuous Monitoring Protects T1080 Taint Shared Content
CA-7 Continuous Monitoring Protects T1090 Proxy
CA-7 Continuous Monitoring Protects T1090.001 Internal Proxy
CA-7 Continuous Monitoring Protects T1090.002 External Proxy
CA-7 Continuous Monitoring Protects T1090.003 Multi-hop Proxy
CA-7 Continuous Monitoring Protects T1095 Non-Application Layer Protocol
CA-7 Continuous Monitoring Protects T1102 Web Service
CA-7 Continuous Monitoring Protects T1102.001 Dead Drop Resolver
CA-7 Continuous Monitoring Protects T1102.002 Bidirectional Communication
CA-7 Continuous Monitoring Protects T1102.003 One-Way Communication
CA-7 Continuous Monitoring Protects T1104 Multi-Stage Channels
CA-7 Continuous Monitoring Protects T1105 Ingress Tool Transfer
CA-7 Continuous Monitoring Protects T1110 Brute Force
CA-7 Continuous Monitoring Protects T1110.001 Password Guessing
CA-7 Continuous Monitoring Protects T1110.002 Password Cracking
CA-7 Continuous Monitoring Protects T1110.003 Password Spraying
CA-7 Continuous Monitoring Protects T1110.004 Credential Stuffing
CA-7 Continuous Monitoring Protects T1111 Two-Factor Authentication Interception
CA-7 Continuous Monitoring Protects T1132 Data Encoding
CA-7 Continuous Monitoring Protects T1132.001 Standard Encoding
CA-7 Continuous Monitoring Protects T1132.002 Non-Standard Encoding
CA-7 Continuous Monitoring Protects T1176 Browser Extensions
CA-7 Continuous Monitoring Protects T1185 Man in the Browser
CA-7 Continuous Monitoring Protects T1187 Forced Authentication
CA-7 Continuous Monitoring Protects T1189 Drive-by Compromise
CA-7 Continuous Monitoring Protects T1190 Exploit Public-Facing Application
CA-7 Continuous Monitoring Protects T1195 Supply Chain Compromise
CA-7 Continuous Monitoring Protects T1195.001 Compromise Software Dependencies and Development Tools
CA-7 Continuous Monitoring Protects T1195.002 Compromise Software Supply Chain
CA-7 Continuous Monitoring Protects T1197 BITS Jobs
CA-7 Continuous Monitoring Protects T1201 Password Policy Discovery
CA-7 Continuous Monitoring Protects T1203 Exploitation for Client Execution
CA-7 Continuous Monitoring Protects T1204 User Execution
CA-7 Continuous Monitoring Protects T1204.001 Malicious Link
CA-7 Continuous Monitoring Protects T1204.002 Malicious File
CA-7 Continuous Monitoring Protects T1204.003 Malicious Image
CA-7 Continuous Monitoring Protects T1205 Traffic Signaling
CA-7 Continuous Monitoring Protects T1205.001 Port Knocking
CA-7 Continuous Monitoring Protects T1210 Exploitation of Remote Services
CA-7 Continuous Monitoring Protects T1211 Exploitation for Defense Evasion
CA-7 Continuous Monitoring Protects T1212 Exploitation for Credential Access
CA-7 Continuous Monitoring Protects T1213 Data from Information Repositories
CA-7 Continuous Monitoring Protects T1213.001 Confluence
CA-7 Continuous Monitoring Protects T1213.002 Sharepoint
CA-7 Continuous Monitoring Protects T1218 Signed Binary Proxy Execution
CA-7 Continuous Monitoring Protects T1218.002 Control Panel
CA-7 Continuous Monitoring Protects T1218.010 Regsvr32
CA-7 Continuous Monitoring Protects T1218.011 Rundll32
CA-7 Continuous Monitoring Protects T1218.012 Verclsid
CA-7 Continuous Monitoring Protects T1219 Remote Access Software
CA-7 Continuous Monitoring Protects T1221 Template Injection
CA-7 Continuous Monitoring Protects T1222 File and Directory Permissions Modification
CA-7 Continuous Monitoring Protects T1222.001 Windows File and Directory Permissions Modification
CA-7 Continuous Monitoring Protects T1222.002 Linux and Mac File and Directory Permissions Modification
CA-7 Continuous Monitoring Protects T1489 Service Stop
CA-7 Continuous Monitoring Protects T1498 Network Denial of Service
CA-7 Continuous Monitoring Protects T1498.001 Direct Network Flood
CA-7 Continuous Monitoring Protects T1498.002 Reflection Amplification
CA-7 Continuous Monitoring Protects T1499 Endpoint Denial of Service
CA-7 Continuous Monitoring Protects T1499.001 OS Exhaustion Flood
CA-7 Continuous Monitoring Protects T1499.002 Service Exhaustion Flood
CA-7 Continuous Monitoring Protects T1499.003 Application Exhaustion Flood
CA-7 Continuous Monitoring Protects T1499.004 Application or System Exploitation
CA-7 Continuous Monitoring Protects T1528 Steal Application Access Token
CA-7 Continuous Monitoring Protects T1530 Data from Cloud Storage Object
CA-7 Continuous Monitoring Protects T1537 Transfer Data to Cloud Account
CA-7 Continuous Monitoring Protects T1539 Steal Web Session Cookie
CA-7 Continuous Monitoring Protects T1542.004 ROMMONkit
CA-7 Continuous Monitoring Protects T1542.005 TFTP Boot
CA-7 Continuous Monitoring Protects T1543 Create or Modify System Process
CA-7 Continuous Monitoring Protects T1543.002 Systemd Service
CA-7 Continuous Monitoring Protects T1546.004 Unix Shell Configuration Modification
CA-7 Continuous Monitoring Protects T1546.013 PowerShell Profile
CA-7 Continuous Monitoring Protects T1547.003 Time Providers
CA-7 Continuous Monitoring Protects T1547.011 Plist Modification
CA-7 Continuous Monitoring Protects T1547.013 XDG Autostart Entries
CA-7 Continuous Monitoring Protects T1548 Abuse Elevation Control Mechanism
CA-7 Continuous Monitoring Protects T1548.003 Sudo and Sudo Caching
CA-7 Continuous Monitoring Protects T1550.003 Pass the Ticket
CA-7 Continuous Monitoring Protects T1552 Unsecured Credentials
CA-7 Continuous Monitoring Protects T1552.001 Credentials In Files
CA-7 Continuous Monitoring Protects T1552.002 Credentials in Registry
CA-7 Continuous Monitoring Protects T1552.004 Private Keys
CA-7 Continuous Monitoring Protects T1552.005 Cloud Instance Metadata API
CA-7 Continuous Monitoring Protects T1553.003 SIP and Trust Provider Hijacking
CA-7 Continuous Monitoring Protects T1555 Credentials from Password Stores
CA-7 Continuous Monitoring Protects T1555.001 Keychain
CA-7 Continuous Monitoring Protects T1555.002 Securityd Memory
CA-7 Continuous Monitoring Protects T1556 Modify Authentication Process
CA-7 Continuous Monitoring Protects T1556.001 Domain Controller Authentication
CA-7 Continuous Monitoring Protects T1557 Man-in-the-Middle
CA-7 Continuous Monitoring Protects T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay
CA-7 Continuous Monitoring Protects T1557.002 ARP Cache Poisoning
CA-7 Continuous Monitoring Protects T1558 Steal or Forge Kerberos Tickets
CA-7 Continuous Monitoring Protects T1558.002 Silver Ticket
CA-7 Continuous Monitoring Protects T1558.003 Kerberoasting
CA-7 Continuous Monitoring Protects T1558.004 AS-REP Roasting
CA-7 Continuous Monitoring Protects T1562 Impair Defenses
CA-7 Continuous Monitoring Protects T1562.001 Disable or Modify Tools
CA-7 Continuous Monitoring Protects T1562.002 Disable Windows Event Logging
CA-7 Continuous Monitoring Protects T1562.004 Disable or Modify System Firewall
CA-7 Continuous Monitoring Protects T1562.006 Indicator Blocking
CA-7 Continuous Monitoring Protects T1563.001 SSH Hijacking
CA-7 Continuous Monitoring Protects T1564.004 NTFS File Attributes
CA-7 Continuous Monitoring Protects T1565 Data Manipulation
CA-7 Continuous Monitoring Protects T1565.001 Stored Data Manipulation
CA-7 Continuous Monitoring Protects T1565.003 Runtime Data Manipulation
CA-7 Continuous Monitoring Protects T1566 Phishing
CA-7 Continuous Monitoring Protects T1566.001 Spearphishing Attachment
CA-7 Continuous Monitoring Protects T1566.002 Spearphishing Link
CA-7 Continuous Monitoring Protects T1566.003 Spearphishing via Service
CA-7 Continuous Monitoring Protects T1568 Dynamic Resolution
CA-7 Continuous Monitoring Protects T1568.002 Domain Generation Algorithms
CA-7 Continuous Monitoring Protects T1569 System Services
CA-7 Continuous Monitoring Protects T1569.002 Service Execution
CA-7 Continuous Monitoring Protects T1570 Lateral Tool Transfer
CA-7 Continuous Monitoring Protects T1571 Non-Standard Port
CA-7 Continuous Monitoring Protects T1572 Protocol Tunneling
CA-7 Continuous Monitoring Protects T1573 Encrypted Channel
CA-7 Continuous Monitoring Protects T1573.001 Symmetric Cryptography
CA-7 Continuous Monitoring Protects T1573.002 Asymmetric Cryptography
CA-7 Continuous Monitoring Protects T1574 Hijack Execution Flow
CA-7 Continuous Monitoring Protects T1574.004 Dylib Hijacking
CA-7 Continuous Monitoring Protects T1574.007 Path Interception by PATH Environment Variable
CA-7 Continuous Monitoring Protects T1574.008 Path Interception by Search Order Hijacking
CA-7 Continuous Monitoring Protects T1574.009 Path Interception by Unquoted Path
CA-7 Continuous Monitoring Protects T1598 Phishing for Information
CA-7 Continuous Monitoring Protects T1598.001 Spearphishing Service
CA-7 Continuous Monitoring Protects T1598.002 Spearphishing Attachment
CA-7 Continuous Monitoring Protects T1598.003 Spearphishing Link
CA-7 Continuous Monitoring Protects T1599 Network Boundary Bridging
CA-7 Continuous Monitoring Protects T1599.001 Network Address Translation Traversal
CA-7 Continuous Monitoring Protects T1602 Data from Configuration Repository
CA-7 Continuous Monitoring Protects T1602.001 SNMP (MIB Dump)
CA-7 Continuous Monitoring Protects T1602.002 Network Device Configuration Dump