NIST CSF 2.0 - Detect

DE.CM-01: Network Monitoring

DE.CM-01 requires that networks and network services be monitored to find potentially adverse events. This NIST CSF 2.0 control falls under the Detect (DE) function and the Continuous Monitoring category. Use this checklist to verify implementation and prepare evidence for auditors.

Control Details

Control ID
DE.CM-01
Title
Network Monitoring
Function
Detect (DE)
Category
Continuous Monitoring
Framework
NIST CSF 2.0

Networks and network services are monitored to find potentially adverse events.

In practice this means monitoring network traffic, connections and flows for indicators of compromise and anomalous behavior.

Why This Matters

Attackers move laterally through networks after initial access. Without network monitoring, organizations cannot detect command-and-control traffic, data exfiltration or unauthorized lateral movement.

Implementation Checklist

Use this checklist to verify your organization meets the requirements of DE.CM-01.

Evidence an Auditor Expects

Prepare the following documentation and artifacts to demonstrate compliance with DE.CM-01 during an audit.

  • Network IDS/IPS deployment architecture and rule sets
  • DNS monitoring tool configuration and sample alert output
  • Netflow collection and analysis tool documentation
  • Threat intelligence feed integration with network monitoring
  • Alert triage procedure documentation and sample triage logs

Common Gaps We Find

Based on our penetration testing and risk assessment engagements, these are the gaps organizations most frequently have with DE.CM-01.

  • Network monitoring covers only the perimeter with no visibility into east-west traffic
  • DNS monitoring is not implemented despite DNS being a common C2 channel
  • Alert volumes are too high and triage procedures are not documented
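The three gaps above (no east-west visibility, no DNS monitoring, unmanageable alert volume) can be illustrated with a small detection script. The code below is an added example written for this page; it is not part of the page's checklist or of Sherlock Forensics' tooling. It runs two checks over constructed sample DNS and flow logs: one flags clients issuing many unique high-entropy subdomain queries to a single domain (a pattern associated with DNS-based C2 and tunneling), the other flags internal-to-internal flows on administrative ports from hosts that are not on an assumed jump-host allow-list. Both checks aggregate per source rather than per event, which is the triage-volume point from the last bullet. The `10.0.0.0/8` internal range, the jump-host list, the port set, the thresholds and the domain names are all assumptions for the example.

```python
"""Toy network-monitoring checks for the DE.CM-01 gaps listed above.

dns_tunneling_candidates(): clients whose queries to one registered domain
    use many unique, random-looking subdomain labels.
east_west_findings(): internal->internal flows on admin ports from hosts
    that are not designated admin jump hosts.
Both return one aggregated finding per pair, not one alert per packet.
"""
import math
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample DNS query log: (client_ip, queried_name)
DNS_LOG = [
    ("10.0.5.21", "www.example.com"),
    ("10.0.5.21", "cdn.example.com"),
    ("10.0.5.23", "a9f3k2z8q1x7.c2-example.test"),
    ("10.0.5.23", "b7h1m4p9r2y6.c2-example.test"),
    ("10.0.5.23", "z3q8w1e5t7u2.c2-example.test"),
    ("10.0.5.23", "k5j2n8b4v6c1.c2-example.test"),
    ("10.0.5.23", "mail.example.com"),
]

# Constructed sample flow records: (src_ip, dst_ip, dst_port, bytes)
FLOW_LOG = [
    ("10.0.5.21", "93.184.216.34", 443, 18432),  # workstation -> internet
    ("10.0.9.10", "10.0.20.5", 3389, 9000),      # admin jump host -> server RDP
    ("10.0.5.23", "10.0.20.5", 445, 120000),     # workstation -> server SMB
    ("10.0.5.23", "10.0.20.6", 445, 130000),
    ("10.0.5.23", "10.0.20.7", 3389, 4000),
]

INTERNAL = [ip_network("10.0.0.0/8")]   # assumed internal address space
ADMIN_JUMP_HOSTS = {"10.0.9.10"}        # hypothetical allow-list
ADMIN_PORTS = {22, 445, 3389, 5985}     # assumed admin/lateral-movement ports


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking labels score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(name: str) -> str:
    """Naive eTLD+1: last two labels (a real deployment would use the PSL)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def dns_tunneling_candidates(log, min_unique=4, min_entropy=3.0):
    """Return {(client, domain): unique_subdomain_count} for suspicious pairs."""
    subs = defaultdict(set)
    for client, qname in log:
        labels = qname.lower().split(".")
        if len(labels) < 3:          # no subdomain label to inspect
            continue
        sub = labels[0]
        if shannon_entropy(sub) >= min_entropy:
            subs[(client, registered_domain(qname))].add(sub)
    return {k: len(v) for k, v in subs.items() if len(v) >= min_unique}


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def east_west_findings(log):
    """Aggregate internal->internal admin-port flows from non-admin hosts.

    Returns {(src, port): (distinct_dst_count, total_bytes)}.
    """
    agg = defaultdict(lambda: [set(), 0])
    for src, dst, port, nbytes in log:
        if not (is_internal(src) and is_internal(dst)):
            continue                  # north-south traffic is out of scope here
        if port not in ADMIN_PORTS or src in ADMIN_JUMP_HOSTS:
            continue
        agg[(src, port)][0].add(dst)
        agg[(src, port)][1] += nbytes
    return {k: (len(v[0]), v[1]) for k, v in agg.items()}


if __name__ == "__main__":
    for (client, domain), n in dns_tunneling_candidates(DNS_LOG).items():
        print(f"DNS: {client} -> {domain}: {n} unique high-entropy subdomains")
    for (src, port), (ndst, total) in east_west_findings(FLOW_LOG).items():
        print(f"EAST-WEST: {src} port {port}: {ndst} hosts, {total} bytes")
```

On the sample data the DNS check produces a single finding for the client querying `c2-example.test`, and the east-west check produces two findings for the workstation reaching servers on 445 and 3389 while the jump host's RDP session is suppressed by the allow-list. Real DNS logs and NetFlow/IPFIX exports carry timestamps, response codes and byte counts that would refine both checks; the thresholds here are starting points to be tuned against an environment's baseline.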

FAQ

What does DE.CM-01 require?
DE.CM-01 (Network Monitoring) requires that networks and network services are monitored to find potentially adverse events. This includes monitoring network traffic, connections and flows for indicators of compromise and anomalous behavior. This control is part of the NIST CSF 2.0 Detect function under the Continuous Monitoring category.
How do I prove compliance with DE.CM-01?
To demonstrate compliance with DE.CM-01, prepare the following evidence: Network IDS/IPS deployment architecture and rule sets; DNS monitoring tool configuration and sample alert output; Netflow collection and analysis tool documentation. Auditors will verify that these artifacts exist and reflect current operational practices.

Need Help Meeting NIST CSF 2.0 Requirements?

Our penetration testing and risk assessments map directly to NIST CSF 2.0 controls. Sherlock Forensics identifies gaps in your compliance posture and provides actionable remediation guidance.
