Navigate

CM-8(3)

CM-8(3): Automated Unauthorized Component Detection

(a): Detect the presence of unauthorized hardware, software, and firmware components within the system using [one of ] [frequency at which automated mechanisms are used to detect the presence of unauthorized system components within the system is defined;] ; and

(b): Take the following actions when unauthorized components are detected: [one or more of "disable network access by unauthorized components"/"isolate unauthorized components"/"notify {{ insert: param, cm-08.03_odp.06 }} "].

Supplemental

Automated unauthorized component detection is applied in addition to the monitoring for unauthorized remote connections and mobile devices. Monitoring for unauthorized system components may be accomplished on an ongoing basis or by the periodic scanning of systems for that purpose. Automated mechanisms may also be used to prevent the connection of unauthorized components (see [CM-7(9)](#cm-7.9) ). Automated mechanisms can be implemented in systems or in separate system components. When acquiring and implementing automated mechanisms, organizations consider whether such mechanisms depend on the ability of the system component to support an agent or supplicant in order to be detected since some types of components do not have or cannot support agents (e.g., IoT devices, sensors). Isolation can be achieved , for example, by placing unauthorized system components in separate domains or subnets or quarantining such components. This type of component isolation is commonly referred to as "sandboxing."

CIA Levels
Confidentiality	unknown
Integrity	low
Availability	unknown

Overlays
DAF Baseline

CSF Categories
None

Related Controls

The controls below (if any) were marked by NIST as being related to CM-8(3).

Control	Description
AC-19	a: Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and b: Authorize the connection of mobile devices to organizational systems.
CA-7	Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes: a: Establishing the following system-level metrics to be monitored: [system-level metrics to be monitored are defined;]; b: Establishing [frequencies at which to monitor control effectiveness are defined;] for monitoring and [frequencies at which to assess control effectiveness are defined;] for assessment of control effectiveness; c: Ongoing control assessments in accordance with the continuous monitoring strategy; d: Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy; e: Correlation and analysis of information generated by control assessments and monitoring; f: Response actions to address results of the analysis of control assessment and monitoring information; and g: Reporting the security and privacy status of the system to [one of ] [one of ].
RA-5	a: Monitor and scan for vulnerabilities in the system and hosted applications [one of ] and when new vulnerabilities potentially affecting the system are identified and reported; b: Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: 1: Enumerating platforms, software flaws, and improper configurations; 2: Formatting checklists and test procedures; and 3: Measuring vulnerability impact; c: Analyze vulnerability scan reports and results from vulnerability monitoring; d: Remediate legitimate vulnerabilities [response times to remediate legitimate vulnerabilities in accordance with an organizational assessment of risk are defined;] in accordance with an organizational assessment of risk; e: Share information obtained from the vulnerability monitoring process and control assessments with [personnel or roles with whom information obtained from the vulnerability scanning process and control assessments is to be shared;] to help eliminate similar vulnerabilities in other systems; and f: Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned.
SC-3	Isolate security functions from nonsecurity functions.
SC-39	Maintain a separate execution domain for each executing system process.
SC-44	Employ a detonation chamber capability within [the system, system component, or location where a detonation chamber capability is to be employed is defined;].
SI-3	a: Implement [one or more of "signature-based"/"non-signature-based"] malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code; b: Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures; c: Configure malicious code protection mechanisms to: 1: Perform periodic scans of the system [the frequency at which malicious code protection mechanisms perform scans is defined;] and real-time scans of files from external sources at [one or more of "endpoint"/"network entry and exit points"] as the files are downloaded, opened, or executed in accordance with organizational policy; and 2: [one or more of "block malicious code"/"quarantine malicious code"/"take {{ insert: param, si-03_odp.05 }} "] ; and send alert to [personnel or roles to be alerted when malicious code is detected is/are defined;] in response to malicious code detection; and d: Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system.
SI-4	a: Monitor the system to detect: 1: Attacks and indicators of potential attacks in accordance with the following monitoring objectives: [monitoring objectives to detect attacks and indicators of potential attacks on the system are defined;] ; and 2: Unauthorized local, network, and remote connections; b: Identify unauthorized use of the system through the following techniques and methods: [techniques and methods used to identify unauthorized use of the system are defined;]; c: Invoke internal monitoring capabilities or deploy monitoring devices: 1: Strategically within the system to collect organization-determined essential information; and 2: At ad hoc locations within the system to track specific types of transactions of interest to the organization; d: Analyze detected events and anomalies; e: Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation; f: Obtain legal opinion regarding system monitoring activities; and g: Provide [system monitoring information to be provided to personnel or roles is defined;] to [personnel or roles to whom system monitoring information is to be provided is/are defined;] [one or more of "as needed"/"{{ insert: param, si-04_odp.06 }} "].
SI-7	a: Employ integrity verification tools to detect unauthorized changes to the following software, firmware, and information: [one of ] ; and b: Take the following actions when unauthorized changes to the software, firmware, and information are detected: [one of ].

Enhancements

The controls below (if any) add on to the requirements of CM-8(3).

Control	Description
No controls

Related CCIs

The CCIs below are tied to CM-8(3).

CCI	Definition
CCI-000415	Defines the frequency of employing automated mechanisms to detect the presence of unauthorized hardware, software, and firmware components within the system.
CCI-000416	Detect the presence of unauthorized hardware, software, and firmware components within the system using organization-defined automated mechanisms, on an organization-defined frequency.
CCI-001783	Defines the personnel or roles to be notified when unauthorized hardware, software, and firmware components are detected within the system.
CCI-001784	When unauthorized hardware, software, and firmware components are detected within the system, the organization takes action to disable network access by such components, isolates the components, and/or notifies organization-defined personnel or roles.
CCI-003969	Defines the automated mechanisms for detecting the presence of unauthorized hardware, software, and firmware components within the system.