NIST 800-53 REV 5 • SYSTEM AND INFORMATION INTEGRITY

SI-4(23) Host-based Devices

Implement the following host-based monitoring mechanisms at [Assignment: organization-defined system components]: [Assignment: organization-defined host-based monitoring mechanisms].

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Host-based monitoring collects information about the host (or system in which it resides). System components in which host-based monitoring can be implemented include servers, notebook computers, and mobile devices. Organizations may consider employing host-based monitoring mechanisms from multiple product developers or vendors.

Practitioner Notes

Deploy host-based monitoring on individual devices, not only network-level monitoring, so that activity which never crosses the network (local privilege escalation, credential access, persistence through registry or startup locations, execution of a dropped binary) is still observed. Network sensors also lose visibility into encrypted traffic; a host agent sees the process that made the connection regardless of the protocol.

Example 1: Deploy Sysmon on all Windows machines with a tuned configuration to capture process creation (Event ID 1, including command line, parent process, and file hashes), file creation (Event ID 11), registry modification (Event IDs 12 to 14), and network connections (Event ID 3) attributed to the originating process. Sysmon records only what its configuration includes, and an install without a configuration file logs very little, so start from a maintained baseline configuration and treat the configuration file as a controlled artifact. Forward the Microsoft-Windows-Sysmon/Operational log to your SIEM for analysis, and verify that every host in the inventory is both running the service and actually delivering events. Sysmon provides context that the standard Windows event logs lack; the Security log can record process creation (4688) only when process-creation and command-line auditing are enabled, and it has no per-process network connection event at all. Sysmon for Linux gives comparable coverage on Linux servers.

Example 2: Use an EDR solution (CrowdStrike, Defender for Endpoint) on every server and workstation. The EDR agent monitors file system changes, process behavior, registry modifications, and memory activity directly on the host and can catch threats that network monitoring cannot see. Coverage is the control: reconcile the set of agents checking in against the asset inventory so that unmanaged or silent hosts are detected, and enable the product's tamper protection so an attacker with local administrator rights cannot stop or uninstall the agent. As the supplemental guidance notes, monitoring mechanisms from more than one vendor (for example, an EDR agent alongside Sysmon) reduce the chance that a single blind spot or bypass defeats host visibility.
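The following PowerShell script is an added example illustrating Example 1; it is not part of the NIST text and not a recommended production configuration. It writes a minimal Sysmon configuration covering the four event types named above, installs Sysmon (or updates the configuration if the service already exists), and then checks that the service is running and that process-creation events are actually being written to the Sysmon operational log. It assumes Sysmon64.exe from Microsoft Sysinternals has been placed in C:\Tools\Sysmon\, that the script runs elevated, and that schema version 4.81 is accepted by the installed Sysmon build; the paths and the exclusions inside the configuration are illustrative choices.

```powershell
# Added example, not from the NIST control text. Assumes Sysmon64.exe was
# downloaded to C:\Tools\Sysmon\ and that this runs in an elevated shell.
$SysmonExe  = 'C:\Tools\Sysmon\Sysmon64.exe'
$ConfigPath = 'C:\Tools\Sysmon\sysmonconfig.xml'

# Minimal configuration showing one rule group per event type from Example 1.
# Real deployments start from a maintained, tuned baseline; the exclusions and
# include patterns below are illustrative assumptions only.
$Config = @'
<Sysmon schemaversion="4.81">
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>
    <!-- Event ID 1: log every process creation except one noisy image -->
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="exclude">
        <Image condition="is">C:\Windows\System32\svchost.exe</Image>
      </ProcessCreate>
    </RuleGroup>
    <!-- Event ID 11: file creation in a persistence location or of scripts -->
    <RuleGroup name="" groupRelation="or">
      <FileCreate onmatch="include">
        <TargetFilename condition="contains">\Start Menu\Programs\Startup\</TargetFilename>
        <TargetFilename condition="end with">.ps1</TargetFilename>
      </FileCreate>
    </RuleGroup>
    <!-- Event IDs 12-14: registry changes under the Run/RunOnce keys -->
    <RuleGroup name="" groupRelation="or">
      <RegistryEvent onmatch="include">
        <TargetObject condition="contains">\CurrentVersion\Run</TargetObject>
      </RegistryEvent>
    </RuleGroup>
    <!-- Event ID 3: outbound connections from every process except the browser -->
    <RuleGroup name="" groupRelation="or">
      <NetworkConnect onmatch="exclude">
        <Image condition="end with">\chrome.exe</Image>
      </NetworkConnect>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@
Set-Content -Path $ConfigPath -Value $Config -Encoding UTF8

# First run installs the driver and service; later runs only reload the config.
if (Get-Service -Name Sysmon64 -ErrorAction SilentlyContinue) {
    & $SysmonExe -c $ConfigPath
} else {
    & $SysmonExe -accepteula -i $ConfigPath
}

# Verification 1: the service must be running.
$svc = Get-Service -Name Sysmon64
if ($svc.Status -ne 'Running') {
    throw "Sysmon64 service state is $($svc.Status); host is not being monitored"
}

# Verification 2: process-creation events must actually be arriving in the
# log that the SIEM forwarder subscribes to.
$recent = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 1
    StartTime = (Get-Date).AddMinutes(-10)
} -MaxEvents 5 -ErrorAction SilentlyContinue
if (-not $recent) {
    throw 'No Sysmon Event ID 1 in the last 10 minutes; check the configuration'
}

# Print the configuration Sysmon is actually running, which is authoritative
# over the file on disk if someone changed it with a later -c call.
& $SysmonExe -c
```

The two verification steps are the part worth keeping in a fleet-wide health check: a host where the service is stopped, or where the log is silent, is a host this control is not covering even though the agent appears to be installed. Point the SIEM forwarder or Windows Event Forwarding subscription at Microsoft-Windows-Sysmon/Operational, not at the Security log, since that is where Sysmon writes.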