SI-4(22)

Requirement
1. Detect network services that have not been authorized or approved by [Assignment: organization-defined authorization or approval processes]; and
2. [Selection (one or more): Audit; Alert [Assignment: organization-defined personnel or roles]] when detected.

Discussion

Unauthorized or unapproved network services include services in service-oriented architectures that lack organizational verification or validation and may therefore be unreliable or serve as malicious rogues for valid services.

NIST 800-53A Assessment Guidance

Examine

[SELECT FROM: System and information integrity policy; system and information integrity procedures; procedures addressing system monitoring tools and techniques; system design documentation; system monitoring tools and techniques documentation; system configuration settings and associated documentation; documented authorization/approval of network services; notifications or alerts of unauthorized network services; system monitoring logs or records; system audit records; system security plan; other relevant documents or records].

Interview

[SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developer; organizational personnel installing, configuring, and/or maintaining the system; organizational personnel responsible for monitoring the system].

Test

[SELECT FROM: Organizational processes for system monitoring; mechanisms supporting and/or implementing a system monitoring capability; mechanisms for auditing network services; mechanisms for providing alerts].

ID	Assessment Objectives
SI-04(22)(a)	network services that have not been authorized or approved by <SI-04(22)_ODP[01] authorization or approval processes> are detected;
SI-04(22)(b)	<SI-04(22)_ODP[02] SELECTED PARAMETER VALUES> is/are initiated when network services that have not been authorized or approved by authorization or approval processes are detected.

Our CMMC Overview Course simplifies CMMC. Enroll so you can make informed decisions!