NIST 800-53 REV 5 • SYSTEM AND INFORMATION INTEGRITY

SI-4(11) Analyze Communications Traffic Anomalies

Analyze outbound communications traffic at the external interfaces to the system and selected {{ insert: param, si-04.11_odp }} to discover anomalies.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

Organization-defined interior points include subnetworks and subsystems. Anomalies within organizational systems include large file transfers, long-time persistent connections, attempts to access information from unexpected locations, the use of unusual protocols and ports, the use of unmonitored network protocols (e.g., IPv6 usage during IPv4 transition), and attempted communications with suspected malicious external addresses.

Practitioner Notes

Analyze communications traffic patterns — not just content — for anomalies that could indicate an attack. Even encrypted traffic has patterns (volume, timing, destinations) that can reveal threats.

Example 1: Use NetFlow analysis (SolarWinds NTA, Cisco Stealthwatch) to baseline normal traffic patterns and alert on anomalies. A workstation that suddenly starts communicating with hundreds of internal hosts might be performing reconnaissance or spreading malware.

Example 2: Monitor for beaconing patterns in your firewall logs. Command-and-control malware often "phones home" at regular intervals. Look for connections to the same external IP at suspiciously consistent time intervals — this is a strong indicator of compromise.