Overview
The NIST Risk Management Framework (RMF) is a structured process published by the National Institute of Standards and Technology (NIST) for managing information security risk: categorizing systems, selecting and implementing security controls, assessing whether those controls work, authorizing the system to operate, and monitoring it continuously. The RMF process itself is described in NIST SP 800-37; the security controls it selects and assesses come from NIST SP 800-53, which is why the mapping below uses SP 800-53 control identifiers (AC-2, AU-5, and so on). Organizations that must demonstrate RMF compliance need evidence that each selected control is implemented correctly and operating as intended.
For more information, refer to the NIST RMF publication: https://csrc.nist.gov/projects/risk-management/about-rmf
Netsurion Solution for NIST RMF Compliance
Netsurion Managed XDR combines SIEM, log management, proactive threat hunting, and guided incident response to help meet the requirements outlined in NIST RMF. With centralized monitoring, analysis, and reporting capabilities, organizations can identify and manage their assets, verify access controls, protect resources, and respond promptly to incidents.
By leveraging Netsurion’s security solutions, organizations can enhance their cybersecurity posture, achieve NIST RMF compliance, and effectively manage information security risks. This helps protect systems and data from cyber threats, ensure regulatory compliance, and instill trust and confidence in stakeholders.
Using Netsurion Managed XDR to meet NIST RMF Requirements
Access Control
AC-2 – Account Management
The organization manages information system accounts, including establishing, activating, modifying, reviewing, disabling, and removing accounts, and periodically reviews information system accounts.
Netsurion Open XDR collects all account management activity generated in the system. Netsurion Open XDR reports provide an easy, standardized review of all account management activity, and Netsurion Open XDR alerts can detect changes to accounts as they occur.
AC-3 – Access Enforcement
The information system enforces assigned authorizations for controlling access to the system in accordance with applicable policy.
Netsurion Open XDR collects all access activity generated in the system. Netsurion Open XDR reports provide an easy and independent review of access control settings and their enforcement.
AC-5 – Separation of Duties
The information system enforces separation of duties through assigned access authorizations.
Netsurion Open XDR collects information from production access control systems to help define role usage requirements, detect attempts to cross role boundaries, and identify configuration changes that can affect separation of duties.
AC-6 – Least Privilege
The organization employs the concept of least privilege for specific duties and information systems (including specific ports, protocols, and services) in accordance with risk assessments as necessary to adequately mitigate risk to organizational operations, organizational assets, and individuals.
Netsurion Open XDR monitors the activities of both users and systems to assist in determining necessary access, unnecessary access, and the resource needs of production systems. Review of activities such as network connections, application access, and system logons can help identify appropriate and inappropriate use according to policy.
AC-7 – Unsuccessful Login Attempts
The information system enforces a limit on the number of consecutive invalid access attempts by a user within an organization-defined time period. When the limit is exceeded, the information system automatically locks the account for a specified period or delays the next login prompt until a set timeframe has expired.
Netsurion Open XDR collects all authentication activity generated in the system. Netsurion Open XDR reports provide an easy, standardized review of unsuccessful login attempts to systems and applications, and Netsurion Open XDR alerts can detect and report on multiple unsuccessful login attempts.
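The kind of correlation an alert for AC-7 has to perform is a per-user sliding window over failed logons. The following is an added example, not Netsurion code and not a Netsurion rule format: it assumes Windows Security events (4625 = logon failure, 4624 = logon success) already parsed into tuples, uses a constructed sample, and flags a user once per burst of five or more failures within fifteen minutes. A success that follows an alerted burst is flagged separately, because a lockout policy that works would not normally allow it.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real product output):
# (ISO timestamp, Windows event ID, account name, source address)
SAMPLE_EVENTS = [
    ("2024-03-01T08:00:01", 4625, "alice", "10.0.0.5"),
    ("2024-03-01T08:00:03", 4625, "alice", "10.0.0.5"),
    ("2024-03-01T08:00:05", 4625, "alice", "10.0.0.5"),
    ("2024-03-01T08:00:06", 4625, "alice", "10.0.0.5"),
    ("2024-03-01T08:00:08", 4625, "alice", "10.0.0.5"),  # 5th failure in 7 s
    ("2024-03-01T08:00:09", 4624, "alice", "10.0.0.5"),  # success right after the burst
    ("2024-03-01T08:10:00", 4625, "bob", "10.0.0.9"),
    ("2024-03-01T08:20:00", 4625, "bob", "10.0.0.9"),    # only 2 failures, no alert
]

LOGON_FAILURE = 4625
LOGON_SUCCESS = 4624


def detect_failed_logins(events, threshold=5, window=timedelta(minutes=15)):
    """Sliding-window brute-force detector.

    Returns a list of alert tuples (kind, user, source, timestamp):
      - ("burst", ...)               threshold or more failures inside `window`
      - ("success_after_burst", ...) a 4624 for a user who was just alerted on
    A successful logon resets the user's failure history.
    """
    history = defaultdict(deque)   # user -> deque of (time, source) failures
    alerted = set()                # users with an open burst alert
    alerts = []
    for ts, event_id, user, src in sorted(events):
        t = datetime.fromisoformat(ts)
        if event_id == LOGON_SUCCESS:
            if user in alerted:
                alerts.append(("success_after_burst", user, src, ts))
            history[user].clear()
            alerted.discard(user)
            continue
        if event_id != LOGON_FAILURE:
            continue
        q = history[user]
        q.append((t, src))
        # drop failures that fell out of the window
        while q and t - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold and user not in alerted:
            alerts.append(("burst", user, src, ts))
            alerted.add(user)
    return alerts


if __name__ == "__main__":
    for alert in detect_failed_logins(SAMPLE_EVENTS):
        print(alert)
```

The threshold and window are the organization-defined values from the control; pick them to match the lockout policy actually configured on the endpoints, otherwise the alert and the enforcement disagree and reviewers will see failures that never locked anything.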
AC-17 – Remote Access
The organization authorizes, monitors, and controls all methods of remote access to the information system.
Netsurion Open XDR collects remote access activity (VPN, remote desktop, and similar) generated in the system. Netsurion Open XDR reports provide an easy, standardized review of all remote access sessions, and alerts can flag remote access from unexpected sources or outside approved hours.
AC-18 – Wireless Access Restriction
The organization:
- Establishes usage restrictions and implementation guidance for wireless technologies; and
- Authorizes, monitors, and controls wireless access to the information system.
Netsurion Open XDR collects access activity generated by wireless controllers and access points along with host-level access activity. Netsurion Open XDR reports provide an easy and independent review of wireless access control settings and their enforcement.
AC-19 – Access Control for Portable and Mobile Systems
The organization:
- Establishes usage restrictions and implementation guidance for organization-controlled portable and mobile devices; and
- Authorizes, monitors, and controls device access to organizational information systems.
Netsurion Open XDR entity and network definitions allow for correlation and event monitoring based on location relative to the organizational networks, to determine inbound, outbound, and local network traffic. Remote access and usage activities from mobile devices can be monitored by observation of the logs from authentication systems, security systems and production servers.
AC-20 – Personally Owned Information Systems/Use of External Information Systems
The organization establishes terms and conditions for authorized individuals to:
- Access the information system from an external information system; and
- Process, store, and/or transmit organization-controlled information using an external information system.
Netsurion Open XDR collects remote access activity generated in the system. Netsurion Open XDR analysis facilities and reports provide an easy and independent review of access to information systems from external systems.
Audit and Accountability
AU-4 – Audit Storage Capacity
The organization allocates sufficient audit record storage capacity and configures auditing to reduce the likelihood of such capacity being exceeded.
Netsurion Open XDR provides central, secure, and independent audit log storage. High compression of the stored data (greater than 80%) extends the effective capacity of audit log storage and reduces the likelihood of that capacity being exceeded; capacity should still be sized against actual daily log volume and the retention period required by AU-11.
AU-5 – Response to Audit Processing Failures
The information system alerts designated organizational officials in the event of an audit processing failure.
Netsurion Open XDR provides support for NIST 800-53 control AU-5 in two ways:
- By completely automating the process of centrally collecting and retaining all audit log messages, with core functionality that alerts on audit storage over-utilization.
- By collecting and analyzing audit processing failure logs.
Netsurion Open XDR provides alerting on processing failure activity including audit log clearing, audit logging stoppage, and failed audit log writes. Netsurion Open XDR investigations, reports, and details provide evidence of that activity.
AU-6 – Audit Monitoring, Analysis, and Reporting
The organization regularly reviews and analyzes information system audit records for indications of inappropriate or unusual activity, investigates suspicious activity or suspected violations, reports findings to appropriate officials, and takes necessary actions.
Netsurion Open XDR provides centralized monitoring, analysis, and reporting of audit activity across the entire IT infrastructure. Netsurion Open XDR automates the identification of high-risk activity and prioritizes it based on asset risk. High-risk activity can be monitored in real time or alerted on. Netsurion Open XDR reports provide an easy, standardized review of inappropriate, unusual, and suspicious activity.
AU-7 – Audit Reduction and Report Generation
The information system provides an audit reduction and report generation capability.
Netsurion Open XDR policy-based log processing provides automatic audit log reduction. "Interesting" audit logs can be forwarded as events for immediate monitoring and/or alerting; "uninteresting" audit logs can be filtered out and/or retained at an archive-only level, so they remain available for after-the-fact investigation without consuming analyst attention. Netsurion Open XDR analysis and reporting facilities provide aggregated views of audit data, giving further audit reduction, and provide extensive report generation capabilities.
AU-8 – Time Stamps
The information system provides time stamps for use in audit record generation.
Netsurion Open XDR collects user access event logs in real time and retains the date and time stamp at which each event occurred on the originating system. Time stamps are only meaningful for correlation if the monitored systems are synchronized to an authoritative time source.
AU-9 – Protection of Audit Information
The information system protects audit information and audit tools from unauthorized access, modification, and deletion.
Netsurion Open XDR provides central, secure storage of all audit log data, independent of the originating systems, so that a compromised host cannot alter the copy already collected.
AU-11 – Audit Retention
The organization retains audit records for an appropriate time period to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.
Netsurion Open XDR completely automates the process of collecting and retaining audit logs. Netsurion Open XDR retains logs in compressed archive files that are easy to manage for long-term storage. Log archives can be restored quickly months or years later in support of after-the-fact investigations.
AU-13 – Monitoring for Information Disclosure
The organization monitors open source information for evidence of unauthorized exfiltration or disclosure of organizational information.
Netsurion Open XDR provides partial support for NIST 800-53 control AU-13 through its Windows System Monitor feature. Netsurion Open XDR independently monitors and logs the connection and disconnection of external data devices to the host where the Sensor is running, and monitors and logs the transmission of files to an external storage device. It can be configured to protect against external data device connections by ejecting specified devices upon detection. External USB storage devices include flash/RAM drives and CD/DVD drives. Monitoring of open source information outside the organization is not covered by this feature and must be addressed by other means.
Security Assessment and Authorization
CA-2 – Security Assessments
The organization conducts an assessment of the security controls in the information system periodically to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
Netsurion Open XDR log analysis and reporting capabilities can be leveraged during a security assessment to help ensure implemented controls are functioning as intended and to potentially identify any weaknesses.
CA-3 – Information System Connections
The organization authorizes all connections from the information system to other information systems outside of the accreditation boundary through the use of system connection agreements and monitors and controls the system connections on an ongoing basis.
Netsurion Open XDR can collect network device logs, and Netsurion's Network Connection Monitoring feature identifies the network connections established by monitored hosts. Netsurion Open XDR analysis and reporting capabilities can be used to review network activity against the connection agreements to ensure only authorized communications occur. Netsurion Open XDR alerts can be used to detect unauthorized communications.
CA-7 – Continuous Monitoring
The organization monitors the security controls in the information system on an ongoing basis.
Netsurion Open XDR monitoring, analysis, and reporting capabilities provide for continuous monitoring of specific controls across the IT infrastructure. For instance, Netsurion Open XDR alerts can detect the use of restricted accounts, which is direct evidence of whether AC-2 and AC-6 are operating as intended.
Configuration Management
CM-3 – Configuration Change Control
The organization audits activities associated with configuration-controlled changes to the system.
Netsurion Open XDR provides support for NIST 800-53 control CM-3 by collecting and analyzing all configuration change logs. Netsurion Open XDR provides alerting on configuration and policy changes on critical systems. Netsurion Open XDR investigations, reports, and details provide evidence of those changes.
CM-4 – Monitoring Configuration Changes
The organization monitors changes to the information system, conducting security impact analyses to determine the effects of the changes.
Netsurion Open XDR monitoring capability can be used to detect the following changes to the file system:
- Additions
- Deletions
- Modifications
- Permissions
Netsurion Open XDR analysis and reporting capabilities can be used for monitoring configuration changes, and Netsurion Open XDR alerting can be used to detect and notify on changes to specific configurations.
CM-5 – Access Restrictions for Change
The organization:
- Approves individual access privileges and enforces physical and logical access restrictions associated with changes to the information system; and
- Generates, retains, and reviews records reflecting all such changes.
Netsurion Open XDR collects all access activity and all changes to access controls. Netsurion Open XDR reports provide an easy and independent review of access control settings and their enforcement.
CM-6 – Configuration Settings
The organization monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.
Netsurion Open XDR provides support for NIST 800-53 control CM-6 by collecting and analyzing all configuration change logs. Netsurion Open XDR provides alerting on configuration and policy changes on critical systems. Netsurion Open XDR investigations, reports, and details provide evidence of those changes.
CM-11 – User Installed Software
The organization enforces explicit rules governing the installation of software by users.
Netsurion Open XDR collects the software installation and removal events generated on monitored endpoints, and its monitoring, analysis, and reporting capabilities provide continuous visibility of that activity. Netsurion Open XDR alerts can detect software installation by users who are not authorized to install software, and reports provide the record needed to verify that the installation rules are being followed.
Contingency Planning
CP-9 – Information System Backup
The organization:
- Conducts backups of user-level information contained in the information system
- Conducts backups of system-level information contained in the information system
- Conducts backups of information system documentation including security related documentation
Netsurion Open XDR provides support for NIST 800-53 control CP-9 by collecting and analyzing backup software logs. Netsurion Open XDR provides alerting on backup failures. Netsurion Open XDR investigations, reports, and details provide evidence of backup successes and failures.
Identification and Authentication
IA-2 – Identification and Authentication (Organizational Users)
The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).
Netsurion Open XDR provides support for NIST 800-53 control IA-2 by collecting and analyzing all authentication logs. Netsurion Open XDR provides alerting on authentication failures. Netsurion Open XDR investigations, reports, and details provide evidence of all account authentication activity.
IA-3 – Device Identification and Authentication
The information system uniquely identifies and authenticates devices before establishing a connection.
Netsurion Open XDR provides support for NIST 800-53 control IA-3 by collecting and analyzing all authentication logs. Netsurion Open XDR provides alerting on vendor default account authentications. Netsurion Open XDR investigations, reports, and details provide evidence of all account authentication activity, including that from vendor default accounts.
IA-8 – Identification and Authentication (Non-Organizational Users)
The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users).
Netsurion Open XDR provides support for NIST 800-53 control IA-8 by collecting and analyzing all authentication logs. Netsurion Open XDR provides alerting on vendor or third-party account authentication failures. Netsurion Open XDR investigations, reports, and details provide evidence of all account authentication activity, including that from vendor or third-party accounts.
Incident Response
IR-4 – Incident Handling
The organization implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery.
Netsurion Open XDR provides support for NIST 800-53 control IR-4 by detecting and notifying responders of activity that may constitute an incident. Netsurion Open XDR analysis capabilities provide quick analysis of activity to determine whether an incident has occurred, using correlation, pattern recognition, and behavioral analysis. The Netsurion Open XDR integrated knowledge base provides information useful in responding to and resolving the incident.
IR-5 – Incident Monitoring
The organization tracks and documents information system security incidents.
Netsurion Open XDR provides direct support for NIST 800-53 control IR-5 by providing security incident tracking and documentation through the Netsurion Open XDR management interface.
IR-6 – Incident Reporting
The organization promptly reports incident information to appropriate authorities.
Netsurion Open XDR notification capabilities can route alerts to the appropriate individual based on group membership or relationship to the impacted system. Netsurion Open XDR reports provide summary and detail level reporting of incident based alerts.
IR-7 – Incident Response Assistance
The organization provides an incident response support resource that offers advice and assistance to users of the information system for the handling and reporting of security incidents. The support resource is an integral part of the organization’s incident response capability.
Netsurion Open XDR integrated knowledge base provides information useful in responding to and resolving incidents.
Maintenance
MA-2 – Controlled Maintenance
The organization checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions.
Netsurion Open XDR provides support for NIST 800-53 control MA-2 by collecting and analyzing all error logs. Netsurion Open XDR provides alerting on critical maintenance errors. Netsurion Open XDR investigations, reports, and details provide evidence of critical errors, process shutdowns, and system shutdowns that occur after maintenance.
MA-4 – Remote Maintenance
The organization authorizes, monitors, and controls any remotely executed maintenance and diagnostic activities, if employed.
Netsurion Open XDR can identify maintenance-related activity for analysis and/or reporting. Netsurion Open XDR reports provide an easy review of remotely executed maintenance activity.
MA-5 – Maintenance Personnel
The organization allows only authorized personnel to perform maintenance on the information system.
Netsurion Open XDR can identify maintenance-related activity for analysis and/or reporting. Netsurion Open XDR reports provide an easy review of maintenance activity and of which accounts performed it.
Media Protection
MP-2 – Media Access
The organization restricts access to organization-defined types of digital and non-digital media to organization-defined list of authorized individuals using organization-defined security measures.
Netsurion Open XDR provides support for NIST 800-53 control MP-2 through its Windows System Monitor feature. Netsurion Open XDR monitors and logs the connection and disconnection of external data devices to the host where the Sensor is running, and monitors and logs the transmission of files to an external storage device. Netsurion Open XDR can be configured to protect against external data device connections by ejecting specified devices upon detection. External USB storage devices include flash/RAM drives and CD/DVD drives.
Physical and Environmental Protection
PE-3 – Physical Access Control
The organization enforces physical access authorizations at entry and exit points to the facilities where the information system resides, verifying individual access authorizations before granting access and controlling ingress and egress.
Netsurion Open XDR provides support for NIST 800-53 control PE-3 by collecting log messages from physical access devices (for example, card key readers) at physical access points. Netsurion Open XDR provides alerting on suspicious physical access. Netsurion Open XDR investigations, reports, and details provide evidence of physical access failures and successes.
PE-5 – Access Control for Output Devices
The organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output.
Netsurion Open XDR provides partial support for NIST 800-53 control PE-5 through its Windows System Monitor feature. Netsurion Open XDR monitors and logs the connection and disconnection of external data devices to the host where the Sensor is running, and monitors and logs the transmission of files to an external storage device. Netsurion Open XDR can be configured to protect against external data device connections by ejecting specified devices upon detection. External USB storage devices include flash/RAM drives and CD/DVD drives. Physical control of printers and displays is outside the scope of this feature.
PE-6 – Monitoring Physical Access
The organization monitors physical access to the information system to detect and respond to physical security incidents.
Netsurion Open XDR can collect log messages from physical access devices (for example, card key readers) for analysis and reporting.
Personnel Security
PS-4 – Personnel Termination
The organization, upon termination of individual employment, terminates information system access, conducts exit interviews, retrieves all organizational information system related property, and provides appropriate personnel with access to official records created by the terminated employee that are stored on organizational information systems.
Netsurion Open XDR reports provide an easy review of terminated personnel's accounts to confirm that access rights have been removed. Netsurion Open XDR alerts can be used to detect any use of accounts that should have been terminated.
PS-5 – Personnel Transfer
The organization reviews information systems/facilities access authorizations when personnel are re-assigned or transferred to other positions within the organization and initiates appropriate actions.
Netsurion Open XDR reports provide an easy review of transferred personnel's accounts to confirm that access rights have been terminated and/or appropriately modified.
PS-7 – Third-Party Personnel Security
The organization monitors provider compliance.
Netsurion Open XDR provides support for NIST 800-53 control PS-7 by collecting both physical and logical access control log messages. Netsurion Open XDR investigations, reports, and details provide evidence of the revocation of cyber and physical access for third parties, including access revocation, account deletion or modification, account disabling, and account locking.
Risk Assessment
RA-5 – Vulnerability Monitoring and Scanning
The organization:
- Scans for vulnerabilities in the information system and hosted applications and when new vulnerabilities potentially affecting the system/applications are identified and reported.
- Analyzes vulnerability scan reports and results from security control assessments.
Netsurion Open XDR ETVAS provides support for NIST 800-53 control RA-5 by collecting vulnerability detection log messages. Netsurion Open XDR provides alerting on high-risk vulnerabilities. Netsurion Open XDR investigations, reports, and details provide evidence of security vulnerabilities reported by vulnerability detection systems.
System and Communications Protection
SC-5 – Denial of Service Protection
The information system protects against or limits the effects of the following types of denial of service attacks (organization-defined list of types of denial of service attacks or reference to source for current list).
Netsurion Open XDR provides partial support for NIST 800-53 control SC-5 by providing central collection and monitoring of security log messages. Netsurion Open XDR provides alerting on security events, including behavior out of the ordinary for the environment such as connection or request floods reported by network devices. Netsurion Open XDR investigations, reports, and details provide evidence of those events; mitigation of the attack itself relies on the network and boundary devices.
SC-7 – Boundary Protection
The information system monitors and controls communications at the external boundary of the information system and at key internal boundaries within the system.
Netsurion Open XDR can collect boundary device logs from routers, firewalls, VPN servers, and similar devices. Netsurion Open XDR can alert on unauthorized or suspicious activity. Netsurion Open XDR reports provide a consolidated review of internal and external boundary activity and threats.
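Both CA-3 (authorized system connections) and SC-7 (boundary protection) come down to the same review: comparing the flows the boundary devices actually permitted against the set of communications the organization has agreed to. The following is an added example, not Netsurion code: it encodes a constructed set of connection agreements as (source network, destination network, destination port) rules and checks constructed firewall-style flow records against them, reporting any permitted flow that no agreement covers.

```python
import ipaddress

# Constructed connection agreements (hypothetical): source network, destination
# network, destination port. A flow is authorized if any rule matches it.
AUTHORIZED = [
    ("10.0.0.0/8",    "10.20.0.0/16", 1433),  # internal hosts -> database tier
    ("10.0.1.0/24",   "0.0.0.0/0",    443),   # proxy subnet -> internet HTTPS
    ("10.30.0.0/16",  "10.30.0.0/16", 445),   # file sharing inside one enclave
]

# Constructed firewall flow records: (src, dst, dst_port, action as logged).
SAMPLE_FLOWS = [
    ("10.1.2.3",   "10.20.5.5",    1433, "allow"),  # covered by rule 1
    ("10.0.1.7",   "203.0.113.9",  443,  "allow"),  # covered by rule 2
    ("10.1.2.3",   "203.0.113.9",  22,   "allow"),  # SSH to the internet: not covered
    ("10.30.4.4",  "10.30.9.9",    445,  "allow"),  # covered by rule 3
    ("10.30.4.4",  "10.20.5.5",    445,  "allow"),  # SMB across enclaves: not covered
    ("10.1.2.3",   "10.20.5.5",    3389, "deny"),   # firewall already blocked it
]


def is_authorized(src, dst, port, rules=AUTHORIZED):
    """True if some agreement covers this (src, dst, port)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(
        s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net) and port == p
        for src_net, dst_net, p in rules
    )


def unauthorized_flows(flows, rules=AUTHORIZED):
    """Permitted flows with no matching agreement: the CA-3 / SC-7 finding.

    Denied flows are the boundary device doing its job and are left to the
    firewall reports; the gap worth alerting on is traffic that got through
    without anyone having agreed to it.
    """
    return [
        (src, dst, port)
        for src, dst, port, action in flows
        if action == "allow" and not is_authorized(src, dst, port, rules)
    ]


if __name__ == "__main__":
    for flow in unauthorized_flows(SAMPLE_FLOWS):
        print("unauthorized:", flow)
```

In practice the rule list should be generated from the signed interconnection agreements rather than maintained by hand, so that the review compares against what was actually authorized and not against what the firewall administrator remembers.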
SC-15 – Collaborative Protection
The information system prohibits remote activation of collaborative computing mechanisms and provides an explicit indication of use to the local users.
Netsurion Open XDR can identify, report on, and/or alert on the initiation of specific collaborative computing activity, such as the start of a remote desktop sharing or conferencing process on a monitored host.
SC-18 – Mobile Code
The organization:
- Establishes usage restrictions and implementation guidance for mobile code technologies based on the potential to cause damage to the information system if used maliciously.
- Authorizes, monitors, and controls the use of mobile code within the information system.
Netsurion Open XDR can identify, report on, and/or alert on specific mobile code activity recorded in the logs of browsers, endpoint protection, and proxy or web gateway devices.
SC-19 – Voice over Internet Protocol
The organization:
- Establishes usage restrictions and implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously.
- Authorizes, monitors, and controls the use of VoIP within the information system.
Netsurion Open XDR can identify, report on, and/or alert on specific VoIP activity recorded in the logs of VoIP servers and boundary devices.
SC-28 – Protection of Information at Rest
The information system protects the confidentiality and integrity of information at rest.
Netsurion Open XDR provides supplemental support for NIST 800-53 control SC-28 by providing details of changes to information at rest. Netsurion Open XDR can be configured to monitor system file or directory activity, including deletions, modifications, and permission changes. Confidentiality of data at rest (encryption) is not provided by log monitoring and must come from the storage or platform controls themselves.
System and Information Integrity
SI-2 – Flaw Remediation
The organization identifies, reports, and corrects information system flaws.
Netsurion Open XDR provides support for NIST 800-53 control SI-2 by collecting and analyzing all error logs. Netsurion Open XDR provides alerting on critical errors caused by flaws. Netsurion Open XDR investigations, reports, and details provide evidence of critical errors, process shutdowns, and system shutdowns caused by system flaws.
SI-3 – Malicious Code Protection
The organization:
- Employs malicious code protection mechanisms at information system entry and exit points and at workstations, servers, or mobile computing devices on the network to detect and eradicate malicious code that is transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means, or that is inserted through the exploitation of information system vulnerabilities;
- Updates malicious code protection mechanisms whenever new releases are available, in accordance with organizational configuration management policy and procedures;
- Configures malicious code protection mechanisms to perform periodic scans of the information system and real-time scans of files from external sources as the files are downloaded, opened, or executed in accordance with organizational security policy, and to block malicious code, quarantine malicious code, and send an alert to the administrator in response to malicious code detection.
Netsurion Open XDR provides support for NIST 800-53 control SI-3 by collecting log messages from antivirus software and other anti-malware tools. Netsurion Open XDR provides alerting on antivirus critical/error conditions, malware infections, and signature update failures. Netsurion Open XDR investigations, reports, and details provide evidence of antivirus activity, malware infections, and signature update failures and successes. The removable-media path is covered by the Windows System Monitor feature: Netsurion Open XDR independently monitors and logs the connection and disconnection of external data devices to the host where the Agent is running, monitors and logs the transmission of files to an external storage device, and can be configured to protect against external data device connections by ejecting specified devices upon detection. External USB storage devices include flash/RAM drives and CD/DVD drives.
SI-4 – Information System Monitoring
Information system monitoring capability is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, audit record monitoring software, network monitoring software). Monitoring devices are strategically deployed within the information system to collect essential information. Monitoring devices are also deployed at ad hoc locations within the system to track specific transactions. Additionally, these devices are used to track the impact of security changes to the information system.
Netsurion Open XDR can collect logs from IDS/IPS systems, antivirus systems, firewalls, and other security devices. Netsurion Open XDR provides central analysis and monitoring of intrusion-related activity across the IT infrastructure and can correlate activity across user, origin host, impacted host, application, and more. Netsurion Open XDR can be configured to identify known bad hosts and networks. Netsurion's Personal Dashboard provides customized real-time monitoring of events and alerts. Netsurion's Investigator provides deep forensic analysis of intrusion-related activity. The Netsurion Open XDR integrated knowledge base provides information and references useful in responding to and resolving intrusions.
SI-5 – Security Alerts and Advisories
The organization receives information system security alerts and advisories on a regular basis, issues alerts and advisories to appropriate personnel, and takes appropriate actions in response.
Netsurion Open XDR can alert on specific intrusion-related activity, and users can be notified based on department or role. The Netsurion Open XDR integrated knowledge base provides information and references useful in responding to and resolving intrusions.
SI-7 – Software and Information Integrity
The information system detects and protects against unauthorized changes to software and information.
Netsurion Open XDR monitoring capability can be used to detect the following changes to the file system:
- Additions
- Deletions
- Modifications
- Permissions
This capability can be used to detect unauthorized changes to software and information, provided a trusted baseline exists to compare against and the baseline itself is stored where the monitored host cannot alter it.
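CM-4 and SI-7 both rely on the same four change classes (additions, deletions, modifications, permissions), and all four fall out of one baseline-and-compare pass. The following is an added example, not Netsurion code and not a description of how its file monitoring is implemented: it snapshots a directory tree as path to (SHA-256, permission bits), diffs two snapshots into the four classes, and exercises itself on a throwaway temporary directory with one change of each kind. Hashing detects content changes that a size or timestamp check would miss.

```python
import hashlib
import os
import stat
import tempfile


def snapshot(root):
    """Map relative path -> (sha256 hex, permission bits) for each regular file under root."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):   # skip symlinks, devices, etc.
                continue
            with open(full, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            snap[os.path.relpath(full, root)] = (digest, stat.S_IMODE(st.st_mode))
    return snap


def diff_snapshots(baseline, current):
    """Classify differences into the four change classes the control lists.

    A file whose content and permissions both changed appears in both
    'modifications' and 'permissions', since they are separate findings.
    """
    changes = {"additions": [], "deletions": [], "modifications": [], "permissions": []}
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            changes["additions"].append(path)
        elif path not in current:
            changes["deletions"].append(path)
        else:
            (old_hash, old_mode), (new_hash, new_mode) = baseline[path], current[path]
            if old_hash != new_hash:
                changes["modifications"].append(path)
            if old_mode != new_mode:
                changes["permissions"].append(path)
    return changes


def demo():
    """Build a throwaway tree, baseline it, apply one change of each kind, return the diff."""
    with tempfile.TemporaryDirectory() as root:
        seed = {"app.conf": b"debug=0\n", "old.dll": b"\x00", "bin.exe": b"MZ"}
        for name, body in seed.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(body)
        os.chmod(os.path.join(root, "bin.exe"), 0o644)
        baseline = snapshot(root)

        with open(os.path.join(root, "app.conf"), "wb") as f:   # modification
            f.write(b"debug=1\n")
        os.remove(os.path.join(root, "old.dll"))                 # deletion
        with open(os.path.join(root, "new.dll"), "wb") as f:    # addition
            f.write(b"\x00")
        os.chmod(os.path.join(root, "bin.exe"), 0o755)           # permission change

        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The baseline is the trust anchor: keep it (or at least its hash) off the monitored host and under the same protection as the audit logs, otherwise an attacker who can change the software can change the record of what the software is supposed to look like.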
SI-8 – Spam Protection
The organization employs spam protection mechanisms at information system entry and exit points and at workstations, servers, or mobile computing devices on the network to detect and take action on unsolicited messages transported by electronic mail, electronic mail attachments, web accesses, or other common means.
Netsurion Open XDR provides support for NIST 800-53 control SI-8 by collecting and analyzing the logs of spam protection systems. Netsurion Open XDR investigations, reports, and details provide evidence of spam protection activity.
SI-11 – Error Handling
The information system identifies potentially security-relevant error conditions.
Netsurion Open XDR provides support for NIST 800-53 control SI-11 by collecting and analyzing all error logs. Netsurion Open XDR provides alerting on security-related critical errors. Netsurion Open XDR investigations, reports, and details provide evidence of security-related errors, process shutdowns, and system shutdowns.