The Detect function of the SFCS is represented in the following table:
| Function | Category | Subcategory |
|---|---|---|
| Detect (DE) | Anomalies and Events (AE) | DE.AE-1: Establish and manage a baseline of network operations and expected data flows for Users and systems |
| | | DE.AE-2: Analyze detected Cybersecurity Events to understand attack targets and methods |
| | | DE.AE-3: Collect and correlate Cybersecurity Event data from multiple sources and sensors |
| | | DE.AE-4: Determine the impact of Cybersecurity Events |
| | | DE.AE-5: Establish Incident alert thresholds |
| | Security Continuous Monitoring (CM) | DE.CM-1: Monitor the network to detect potential Cybersecurity Events |
| | | DE.CM-2: Monitor the physical environment to detect potential Cybersecurity Events |
| | | DE.CM-3: Monitor personnel activity to detect potential Cybersecurity Events |
| | | DE.CM-4: Detect malicious code |
| | | DE.CM-5: Detect unauthorized mobile code |
| | | DE.CM-6: Monitor external service provider activity to detect potential Cybersecurity Events |
| | | DE.CM-7: Monitor for unauthorized personnel, connections, devices, and software |
| | | DE.CM-8: Perform vulnerability scans |
| | Detection Processes (DP) | DE.DP-1: Define roles and responsibilities for detection to ensure accountability |
| | | DE.DP-2: Ensure that detection activities comply with all applicable requirements |
| | | DE.DP-3: Test detection processes |
| | | DE.DP-4: Communicate event detection information to stakeholders that should or must receive this information |
| | | DE.DP-5: Continuously improve detection processes |
(1) Anomalies and Events. Each Agency shall develop policies and procedures that will facilitate detection of anomalous activity and that allow the Agency to understand the potential impact of events. Such policies and procedures shall:
(a) Establish and manage a baseline of network operations and expected data flows for Users and systems (DE.AE-1).
(b) Detect and analyze anomalous Cybersecurity Events to determine attack targets and methods (DE.AE-2).
   1. Monitor for unauthorized wireless access points connected to the Agency internal network, and immediately remove them upon detection.
   2. Implement procedures to establish accountability for accessing and modifying exempt, or confidential and exempt, data stores to ensure inappropriate access or modification is detectable.
(c) Collect and correlate Cybersecurity Event data from multiple sources and sensors (DE.AE-3).
(d) Determine the impact of Cybersecurity Events (DE.AE-4).
(e) Establish incident alert thresholds (DE.AE-5).
(2) Security Continuous Monitoring. Each Agency shall determine the appropriate level of monitoring that will occur regarding IT Resources necessary to identify Cybersecurity Events and verify the effectiveness of protective measures. Such activities shall include:
(a) Monitoring the network to detect potential Cybersecurity Events (DE.CM-1).
(b) Monitoring for unauthorized IT Resource connections to the internal Agency network.
(c) Monitoring the physical environment to detect potential Cybersecurity Events (DE.CM-2).
(d) Monitoring user activity to detect potential Cybersecurity Events (DE.CM-3).
(e) Monitoring for malicious code (DE.CM-4).
(f) Monitoring for unauthorized mobile code (DE.CM-5).
(g) Monitoring external service provider activity to detect potential Cybersecurity Events (DE.CM-6).
(h) Monitoring for unauthorized personnel, connections, devices, and software (DE.CM-7).
(i) Performing vulnerability scans (DE.CM-8).
These shall be a part of the System Development Life Cycle (SDLC).
(3) Detection Processes. Each Agency shall maintain and test detection processes and procedures to ensure awareness of anomalous events. These procedures shall be based on assigned risk and include the following:
(a) Defining roles and responsibilities for detection to ensure accountability (DE.DP-1).
(b) Ensuring that detection activities comply with all applicable requirements (DE.DP-2).
(c) Testing detection processes (DE.DP-3).
(d) Communicating event detection information to Stakeholders that should or must receive this information (DE.DP-4).
(e) Continuously improving detection processes (DE.DP-5).