SI-4(22)

Requirement

(a) Detect network services that have not been authorized or approved by [Assignment: organization-defined authorization or approval processes]; and
(b) [Selection (one or more): Audit; Alert [Assignment: organization-defined personnel or roles]] when detected.

Discussion

Unauthorized or unapproved network services include services in service-oriented architectures that lack organizational verification or validation and may therefore be unreliable or serve as malicious rogues for valid services.

NIST 800-53A Assessment Guidance

ID	Assessment Objectives
SI-04(22)(a)	network services that have not been authorized or approved by <SI-04(22)_ODP[01] authorization or approval processes> are detected;
SI-04(22)(b)	<SI-04(22)_ODP[02] SELECTED PARAMETER VALUES> is/are initiated when network services that have not been authorized or approved by authorization or approval processes are detected.

Our CMMC Overview Course simplifies CMMC. Enroll so you can make informed decisions!