NIST CSF 2.0 - Detect

DE.CM-06: External Service Provider Monitoring

DE.CM-06 requires organizations to ensure that external service provider activities and services are monitored to find potentially adverse events. This NIST CSF 2.0 control falls under the Detect (DE) function and the Continuous Monitoring category. Use this checklist to verify implementation and prepare evidence for auditors.

Control Details

Control ID
DE.CM-06
Title
External Service Provider Monitoring
Function
Detect (DE)
Category
Continuous Monitoring
Framework
NIST CSF 2.0

External service provider activities and services are monitored to find potentially adverse events.

Organizations must extend their detection capabilities to cover managed services and third-party integrations.

Why This Matters

Third-party service providers often have privileged access to organizational systems and data. Monitoring their activity ensures that compromised or malicious provider actions are detected promptly.

Implementation Checklist

Use this checklist to verify your organization meets the requirements of DE.CM-06.

Evidence an Auditor Expects

Prepare the following documentation and artifacts to demonstrate compliance with DE.CM-06 during an audit.

  • Service provider activity logs integrated into SIEM
  • Remote access monitoring tool configuration for third-party sessions
  • Incident notification requirements in service provider contracts
  • Service provider security assessment reports
  • SOC runbooks covering third-party activity monitoring

Common Gaps We Find

Based on our penetration testing and risk assessment engagements, these are the gaps we most frequently find when organizations are assessed against DE.CM-06.

  • Service provider activity logs are not collected or integrated into monitoring
  • Third-party remote access is not monitored or recorded
  • Incident notification timeframes are not specified in contracts

FAQ

What does DE.CM-06 require?
DE.CM-06 (External Service Provider Monitoring) requires that external service provider activities and services are monitored to find potentially adverse events. Organizations must extend their detection capabilities to cover managed services and third-party integrations. This control is part of the NIST CSF 2.0 Detect function under the Continuous Monitoring category.
How do I prove compliance with DE.CM-06?
To demonstrate compliance with DE.CM-06, prepare the following evidence: Service provider activity logs integrated into SIEM; Remote access monitoring tool configuration for third-party sessions; Incident notification requirements in service provider contracts. Auditors will verify that these artifacts exist and reflect current operational practices.

Need Help Meeting NIST CSF 2.0 Requirements?

Our penetration testing and risk assessments map directly to NIST CSF 2.0 controls. Sherlock Forensics identifies gaps in your compliance posture and provides actionable remediation guidance.
