Navigate

PE-6(2)

PE-6(2): Automated Intrusion Recognition and Responses

Recognize [classes or types of intrusions to be recognized by automated mechanisms are defined;] and initiate [response actions to be initiated by automated mechanisms when organization-defined classes or types of intrusions are recognized are defined;] using [automated mechanisms used to recognize classes or types of intrusions and initiate response actions (defined in [PE-06(02)_ODP](#pe-06.02_odp.02)) are defined;].

Supplemental

Response actions can include notifying selected organizational personnel or law enforcement personnel. Automated mechanisms implemented to initiate response actions include system alert notifications, email and text messages, and activating door locking mechanisms. Physical access monitoring can be coordinated with intrusion detection systems and system monitoring capabilities to provide integrated threat coverage for the organization.

CIA Levels
Confidentiality	unknown
Integrity	unknown
Availability	unknown

Overlays
DAF Baseline, Int-A, Int-B, Int-C, NC3

CSF Categories
None

Related Controls

The controls below (if any) were marked by NIST as being related to PE-6(2).

Control	Description
SI-4	a: Monitor the system to detect: 1: Attacks and indicators of potential attacks in accordance with the following monitoring objectives: [monitoring objectives to detect attacks and indicators of potential attacks on the system are defined;] ; and 2: Unauthorized local, network, and remote connections; b: Identify unauthorized use of the system through the following techniques and methods: [techniques and methods used to identify unauthorized use of the system are defined;]; c: Invoke internal monitoring capabilities or deploy monitoring devices: 1: Strategically within the system to collect organization-determined essential information; and 2: At ad hoc locations within the system to track specific types of transactions of interest to the organization; d: Analyze detected events and anomalies; e: Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation; f: Obtain legal opinion regarding system monitoring activities; and g: Provide [system monitoring information to be provided to personnel or roles is defined;] to [personnel or roles to whom system monitoring information is to be provided is/are defined;] [one or more of "as needed"/"{{ insert: param, si-04_odp.06 }} "].

Control

Description

SI-4

a: Monitor the system to detect:
- 1: Attacks and indicators of potential attacks in accordance with the following monitoring objectives: [monitoring objectives to detect attacks and indicators of potential attacks on the system are defined;] ; and
- 2: Unauthorized local, network, and remote connections;

b: Identify unauthorized use of the system through the following techniques and methods: [techniques and methods used to identify unauthorized use of the system are defined;];

c: Invoke internal monitoring capabilities or deploy monitoring devices:
- 1: Strategically within the system to collect organization-determined essential information; and
- 2: At ad hoc locations within the system to track specific types of transactions of interest to the organization;

d: Analyze detected events and anomalies;

e: Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;

f: Obtain legal opinion regarding system monitoring activities; and

g: Provide [system monitoring information to be provided to personnel or roles is defined;] to [personnel or roles to whom system monitoring information is to be provided is/are defined;] [one or more of "as needed"/"{{ insert: param, si-04_odp.06 }} "].

Enhancements

The controls below (if any) add on to the requirements of PE-6(2).

Control	Description
No controls

Related CCIs

The CCIs below are tied to PE-6(2).

CCI	Definition
CCI-002942	Recognize organization-defined classes or types of intrusions, using organization-defined automated mechanisms.
CCI-002943	Defines the classes or types of intrusions to recognize using automated mechanisms.
CCI-002944	Initiate organization-defined response actions to organization-defined classes or types of intrusions, using organization-defined automated mechanisms.
CCI-002945	Defines the response actions to initiate when organization-defined classes or types of intrusions are recognized.
CCI-004248	Defines the automated mechanisms for recognizing organization-defined classes or types of intrusions and initiating organization-defined response actions.