NIST 800-53 REV 5 • SYSTEM AND INFORMATION INTEGRITY
SI-4(4) — Inbound and Outbound Communications Traffic
Determine criteria for unusual or unauthorized activities or conditions for inbound and outbound communications traffic; Monitor inbound and outbound communications traffic {{ insert: param, si-4.4_prm_1 }} for {{ insert: param, si-4.4_prm_2 }}.
Related Controls
No related controls listed
Supplemental Guidance
Unusual or unauthorized activities or conditions related to system inbound and outbound communications traffic include internal traffic that indicates the presence of malicious code or unauthorized use of legitimate code or credentials within organizational systems or propagating among system components, signaling to external systems, and the unauthorized exporting of information. Evidence of malicious code or unauthorized use of legitimate code or credentials is used to identify potentially compromised systems or system components.
Practitioner Notes
Monitor both inbound and outbound network traffic for threats. Many organizations only watch incoming traffic, but outbound monitoring is critical for detecting data exfiltration and command-and-control communications.
Example 1: Configure your firewall to log all outbound traffic and send those logs to your SIEM. Create alerts for unusual outbound patterns — large data transfers to external IPs, connections to known C2 servers, or traffic to countries you do not do business with.
Example 2: Enable DNS logging and monitor DNS queries for indicators of compromise — queries to dynamic DNS providers, domains registered in the last 30 days (newly registered domains), or unusually long domain names that may indicate DNS tunneling.
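A concrete form of the DNS checks in Example 2, added here as an illustration rather than guidance from the control text: it scans constructed DNS query log lines for dynamic-DNS providers, newly registered domains and unusually long labels. The dynamic-DNS list, registration dates, thresholds and log format are assumptions standing in for a threat-intel feed, WHOIS data and your resolver's actual log layout.

```python
from datetime import date

# Constructed sample DNS query log (timestamp client query_name);
# illustrative only, not real telemetry.
SAMPLE_DNS_LOG = """\
2024-05-01T10:00:01Z 10.0.0.12 www.example.com
2024-05-01T10:00:02Z 10.0.0.12 host-1234.dyn-ddns-provider.example
2024-05-01T10:00:03Z 10.0.0.15 brand-new-shop.example
2024-05-01T10:00:04Z 10.0.0.15 3a9f1c7e2b6d4a8f0e1c9b7a5d3f2e1c4b6a8d0f.tunnel.example
"""

# Assumed watchlist: placeholder for a dynamic-DNS provider feed.
DYNAMIC_DNS_DOMAINS = {"dyn-ddns-provider.example"}
# Assumed registration dates: placeholder for a WHOIS/RDAP lookup cache.
REGISTRATION_DATES = {
    "brand-new-shop.example": date(2024, 4, 20),
    "example.com": date(1995, 8, 14),
}
NEWLY_REGISTERED_DAYS = 30   # "registered in the last 30 days"
LONG_LABEL_CHARS = 32        # a single label longer than this is suspicious
LONG_NAME_CHARS = 100        # whole query name longer than this is suspicious


def registrable_domain(qname):
    """Last two labels; adequate for the constructed samples (real data needs a public-suffix list)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def classify(qname, today):
    """Return the indicator tags that apply to one query name."""
    tags = []
    rd = registrable_domain(qname)
    if rd in DYNAMIC_DNS_DOMAINS:
        tags.append("dynamic-dns")
    registered = REGISTRATION_DATES.get(rd)
    if registered and (today - registered).days <= NEWLY_REGISTERED_DAYS:
        tags.append("newly-registered")
    if len(qname) > LONG_NAME_CHARS or any(len(l) > LONG_LABEL_CHARS for l in qname.split(".")):
        tags.append("long-name-possible-tunneling")
    return tags


def find_suspicious(log_text, today):
    """Return (client, query_name, tags) for every logged query that trips a check."""
    findings = []
    for line in log_text.splitlines():
        _ts, client, qname = line.split()
        tags = classify(qname, today)
        if tags:
            findings.append((client, qname, tags))
    return findings
```

Feeding the findings to the SIEM as alerts, rather than printing them, is the step that makes this part of the monitoring the control requires.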