There are many publicly available sources of system security alerts and advisories. For example, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) generates security alerts and advisories to maintain situational awareness across the federal government and in nonfederal organizations. Software vendors, subscription services, and industry information sharing and analysis centers (ISACs) may also provide security alerts and advisories. Examples of response actions include notifying relevant external organizations, such as external mission/business partners, supply chain partners, external service providers, and peer or supporting organizations. [SP 800-161] provides guidance on supply chain risk management.

Priority: High

Category: Situational Awareness

Services Associated with AWS:

  1. AWS Security Hub
  2. Amazon GuardDuty
  3. AWS Systems Manager
  4. AWS Config

Objective Evidence:

  • Administrative: documented policies, standards & procedures
  • Administrative: supporting documentation of centralized event log collection and review to maintain situational awareness
  • Administrative: supporting documentation of role-based security training being performed
  • Administrative: supporting documentation of professional competence by individual(s) performing event log analysis and response roles
  • Administrative: supporting documentation of log reviews being performed
  • Technical: screenshot of groups and membership assignment
  • Technical: screenshot of logs from SIEM

Possible Technology Considerations:

  • Emerging Threats (ET) Intelligence Feed
  • Threat Intelligence Program (TIP)

What needs to be answered?

Does the company receive security alerts, advisories, and directives from reputable external organizations? Does the company disseminate this information to individuals with need-to-know in the company? Are alerts responded to in a timely manner? Are internal security alerts, advisories, and directives generated?

  • System Security Alert Monitoring Check
    Description: This check verifies that system security alerts and advisories from various sources, such as CISA, software vendors, subscription services, and industry ISACs, are regularly monitored. It ensures that organizations have mechanisms in place to receive and review these alerts in a timely manner.
  • Response Action Execution Check
    Description: This check ensures that appropriate actions are taken in response to system security alerts and advisories. It verifies that relevant external organizations, such as mission/business partners, supply chain partners, service providers, and peer organizations, are promptly notified when necessary. It also ensures that internal response actions, such as applying patches, updating configurations, or initiating incident response procedures, are executed in a timely manner.

More Details:

Security alerts and industry advisories are monitored by IT staff, and changes are made as needed.