NIST 800-53 REV 5 • SYSTEM AND INFORMATION INTEGRITY

SI-4(22) Unauthorized Network Services

Detect network services that have not been authorized or approved by {{ insert: param, si-04.22_odp.01 }}; and {{ insert: param, si-04.22_odp.02 }} when detected.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Unauthorized or unapproved network services include services in service-oriented architectures that lack organizational verification or validation and may therefore be unreliable or serve as malicious rogues for valid services.

Practitioner Notes

Detect unauthorized network services — software that is listening on network ports without approval, which could be backdoors or unauthorized applications.

Example 1: Run regular port scans of your internal network using Nmap or your vulnerability scanner. Compare results against your approved services baseline. Any new, unauthorized listening port triggers an investigation.

Example 2: Use Microsoft Defender for Endpoint to monitor listening services on all enrolled machines. The "Device discovery" feature identifies all network services, and you can alert on any service that is not in your approved software inventory.
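The baseline comparison in Example 1 (and the "compare against the approved inventory" step in Example 2) is mechanical enough to script. The following is an added example, not part of the NIST control text or of any scanner's own tooling: it parses Nmap XML output (`-oX`) with the standard library, keeps only ports reported as open, and flags any listener that is either on a host absent from the baseline or not in that host's approved set. The baseline dictionary, the embedded scan document, the host addresses and the service names are all constructed for the example.

```python
"""Compare an Nmap XML scan against an approved-services baseline (SI-4(22)).

Added example. The baseline structure, the sample scan and every address in
it are constructed here, not taken from a real environment or from Nmap docs.
"""
import xml.etree.ElementTree as ET

# Constructed baseline: host -> set of (port, protocol) pairs that are approved.
APPROVED_BASELINE = {
    "10.0.0.10": {(22, "tcp"), (443, "tcp")},
    "10.0.0.11": {(22, "tcp"), (3389, "tcp")},
}

# Constructed Nmap XML (shape of `nmap -oX` output, trimmed to the fields used).
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="10.0.0.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="4444"><state state="open"/><service name="krb524"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="10.0.0.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="3389"><state state="closed"/><service name="ms-wbt-server"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="10.0.0.12" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="8080"><state state="open"/><service name="http-proxy"/></port>
    </ports>
  </host>
</nmaprun>
"""


def parse_open_ports(xml_text):
    """Return {ip: {(port, proto): service_name}} for ports Nmap reports as open.

    Closed and filtered ports are ignored: only an open port is a listener
    that needs to be in the approved baseline.
    """
    root = ET.fromstring(xml_text)
    result = {}
    for host in root.findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        open_ports = {}
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            key = (int(port.get("portid")), port.get("protocol"))
            svc = port.find("service")
            open_ports[key] = svc.get("name") if svc is not None else "unknown"
        result[addr.get("addr")] = open_ports
    return result


def find_unauthorized(scan, baseline):
    """Return [(ip, port, proto, service, reason)] for every deviation.

    reason is 'unknown-host' when the host is not in the baseline at all
    (nothing on it is approved) and 'unapproved-port' when a known host is
    listening on a port outside its approved set.
    """
    findings = []
    for ip, ports in sorted(scan.items()):
        approved = baseline.get(ip)
        for (port, proto), svc in sorted(ports.items()):
            if approved is None:
                findings.append((ip, port, proto, svc, "unknown-host"))
            elif (port, proto) not in approved:
                findings.append((ip, port, proto, svc, "unapproved-port"))
    return findings


def audit(xml_text=SAMPLE_NMAP_XML, baseline=APPROVED_BASELINE):
    """Run the comparison and print one ALERT line per finding for triage."""
    findings = find_unauthorized(parse_open_ports(xml_text), baseline)
    for ip, port, proto, svc, reason in findings:
        print(f"ALERT {reason}: {ip} {port}/{proto} ({svc})")
    return findings


if __name__ == "__main__":
    audit()
```

In practice the baseline lives in version control next to the change-approval record that justified each entry, so a new finding either gets a ticket to remove the listener or a reviewed commit that adds it to the baseline; silently editing the baseline to make a scan go quiet defeats the control.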