3.14.6 — Monitor for attacks | NIST 800-171 Control

You watch systems and traffic to detect attacks and indicators.

What it actually means

Active monitoring for attacks — inbound and outbound traffic and system activity — typically EDR plus network monitoring/IDS feeding your log review (3.3.5). 'Monitor outbound' matters: it's how you catch data exfiltration and beaconing.

Pass or fail — an assessor needs a "yes" to each

Inbound and outbound traffic + system activity are monitored.
Detection feeds a review/response process.
Indicators of attack are surfaced.

What to have ready

EDR + network monitoring/IDS configuration
Alerting + review process
Sample detections

Where teams trip up

Monitoring inbound only, ignoring outbound/exfil
Alerts nobody reviews
No network-level visibility

See where this control puts your score

Run all 110 requirements free in about 10 minutes.

Calculate your SPRS score →

Connected requirements

3.3.5 — Correlate + review the signals 3.14.7 — Identify unauthorized use

← Back to the Control Library