NIST 800-53 r5 · Controls catalogue · Family CA
CA-7 Continuous Monitoring
Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes:
- Establishing the following system-level metrics to be monitored: {{ insert: param, ca-07_odp.01 }};
- Establishing {{ insert: param, ca-07_odp.02 }} for monitoring and {{ insert: param, ca-07_odp.03 }} for assessment of control effectiveness;
- Ongoing control assessments in accordance with the continuous monitoring strategy;
- Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;
- Correlation and analysis of information generated by control assessments and monitoring;
- Response actions to address results of the analysis of control assessment and monitoring information; and
- Reporting the security and privacy status of the system to {{ insert: param, ca-7_prm_4 }} {{ insert: param, ca-7_prm_5 }}.
Last updated: 19 May 2026 14:18 UTC
Implementations targeting this control (22)
- aws-config-cloudtrail-enabled CloudTrail is enabled in the account AWS::CloudTrail::Trail partial detect enforce
- aws-config-vpc-flow-logs-enabled VPC flow logs are enabled AWS::EC2::VPC partial detect enforce CIS §3.7 Hub EC2.6
- aws-config-cloudwatch-alarm-action-check Critical CloudWatch alarms have at least one action AWS::CloudWatch::Alarm partial detect enforce
- aws-config-api-gw-execution-logging-enabled Api Gw Execution Logging Enabled AWS::ApiGateway::Stage partial detect enforce
- aws-config-autoscaling-group-elb-healthcheck-required Autoscaling Group Elb Healthcheck Required AWS::AutoScaling::AutoScalingGroup partial protect enforce
- aws-config-beanstalk-enhanced-health-reporting-enabled Beanstalk Enhanced Health Reporting Enabled AWS::ElasticBeanstalk::Environment partial protect enforce
- aws-config-cloud-trail-cloud-watch-logs-enabled Cloud Trail Cloud Watch Logs Enabled AWS::CloudTrail::Trail partial detect enforce
- aws-config-cloudtrail-s3-dataevents-enabled Cloudtrail S3 Dataevents Enabled AWS::CloudTrail::Trail partial detect enforce
- aws-config-dynamodb-throughput-limit-check Dynamodb Throughput Limit Check AWS::DynamoDB::Table partial protect enforce
- aws-config-elasticsearch-logs-to-cloudwatch Elasticsearch Logs To Cloudwatch AWS::OpenSearchService::Domain partial detect enforce
- aws-config-elb-logging-enabled Elb Logging Enabled AWS::ElasticLoadBalancing::LoadBalancer partial detect enforce
- aws-config-guardduty-enabled-centralized Guardduty Enabled Centralized AWS::GuardDuty::Detector partial detect enforce
- aws-config-lambda-dlq-check Lambda Dlq Check AWS::Lambda::Function partial protect enforce
- aws-config-multi-region-cloudtrail-enabled Multi Region Cloudtrail Enabled AWS::CloudTrail::Trail partial detect enforce CIS §3.1 Hub CloudTrail.1
- aws-config-opensearch-logs-to-cloudwatch Opensearch Logs To Cloudwatch AWS::OpenSearchService::Domain partial detect enforce
- aws-config-rds-enhanced-monitoring-enabled Rds Enhanced Monitoring Enabled AWS::RDS::DBInstance partial detect enforce
- aws-config-rds-logging-enabled Rds Logging Enabled AWS::RDS::DBInstance partial detect enforce
- aws-config-redshift-cluster-configuration-check Redshift Cluster Configuration Check AWS::Redshift::Cluster partial protect enforce
- aws-config-s3-bucket-logging-enabled S3 Bucket Logging Enabled AWS::S3::Bucket partial detect enforce CIS §3.4 Hub CloudTrail.7
- aws-config-s3-event-notifications-enabled S3 Event Notifications Enabled AWS::S3::Bucket partial protect enforce
- aws-config-securityhub-enabled Securityhub Enabled AWS::SecurityHub::Hub partial protect enforce
- aws-config-wafv2-logging-enabled Wafv2 Logging Enabled AWS::WAFv2::WebACL partial detect enforce
ATT&CK techniques this control mitigates (208)
- T1001 Data Obfuscation Command And Control
- T1001.001 Junk Data Command And Control
- T1001.002 Steganography Command And Control
- T1001.003 Protocol or Service Impersonation Command And Control
- T1003 OS Credential Dumping Credential Access
- T1003.001 LSASS Memory Credential Access
- T1003.002 Security Account Manager Credential Access
- T1003.003 NTDS Credential Access
- T1003.004 LSA Secrets Credential Access
- T1003.005 Cached Domain Credentials Credential Access
- T1003.006 DCSync Credential Access
- T1003.007 Proc Filesystem Credential Access
- T1003.008 /etc/passwd and /etc/shadow Credential Access
- T1008 Fallback Channels Command And Control
- T1021.002 SMB/Windows Admin Shares Lateral Movement
- T1021.005 VNC Lateral Movement
- T1029 Scheduled Transfer Exfiltration
- T1030 Data Transfer Size Limits Exfiltration
- T1036 Masquerading Stealth
- T1036.003 Rename Legitimate Utilities Stealth
- T1036.005 Match Legitimate Resource Name or Location Stealth
- T1036.007 Double File Extension Stealth
- T1037 Boot or Logon Initialization Scripts Persistence, Privilege Escalation
- T1037.002 Login Hook Persistence, Privilege Escalation
- T1037.003 Network Logon Script Persistence, Privilege Escalation
- T1037.004 RC Scripts Persistence, Privilege Escalation
- T1037.005 Startup Items Persistence, Privilege Escalation
- T1041 Exfiltration Over C2 Channel Exfiltration
- T1046 Network Service Discovery Discovery
- T1048 Exfiltration Over Alternative Protocol Exfiltration
- T1048.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol Exfiltration
- T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol Exfiltration
- T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol Exfiltration
- T1052 Exfiltration Over Physical Medium Exfiltration
- T1052.001 Exfiltration over USB Exfiltration
- T1053.006 Systemd Timers Execution, Persistence, Privilege Escalation
- T1055.009 Proc Memory Stealth, Privilege Escalation
- T1056.002 GUI Input Capture Collection, Credential Access
- T1059 Command and Scripting Interpreter Execution
- T1059.005 Visual Basic Execution
- T1059.007 JavaScript Execution
- T1059.010 AutoHotKey & AutoIT Execution
- T1068 Exploitation for Privilege Escalation Privilege Escalation
- T1070 Indicator Removal Stealth
- T1070.003 Clear Command History Stealth
- T1070.007 Clear Network Connection History and Configurations Stealth
- T1070.008 Clear Mailbox Data Stealth
- T1070.009 Clear Persistence Stealth
- T1071 Application Layer Protocol Command And Control
- T1071.001 Web Protocols Command And Control
Weaknesses this control addresses (5) · AI
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-693 | Protection Mechanism Failure | 499 | Ongoing control assessments and analysis of monitoring data enable timely detection and response when protection mechanisms fail. |
| CWE-703 | Improper Check or Handling of Exceptional Conditions | 147 | Establishing and monitoring system metrics with correlation and response actions helps identify and address improper handling of exceptional conditions. |
| CWE-778 | Insufficient Logging | 24 | Continuous monitoring requires establishing metrics, ongoing data collection, correlation, and analysis, directly mitigating insufficient logging by ensuring security-relevant events are captured and reviewed. |
| CWE-390 | Detection of Error Condition Without Action | 15 | The control mandates response actions to address results from monitoring and assessments, preventing detection of error conditions without subsequent corrective action. |
| CWE-392 | Missing Report of Error Condition | 12 | Reporting the security and privacy status to organizational officials ensures monitoring and assessment results are communicated rather than omitted. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| No CVEs annotated to this control yet — the per-CVE backfill is in progress. | | | | |