NIST 800-53 REV 5 • SYSTEM AND INFORMATION INTEGRITY

SI-7(7)Integration of Detection and Response

Incorporate the detection of the following unauthorized changes into the organizational incident response capability: {{ insert: param, si-07.07_odp }}.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Integrating detection and response helps to ensure that detected events are tracked, monitored, corrected, and available for historical purposes. Maintaining historical records is important for being able to identify and discern adversary actions over an extended time period and for possible legal actions. Security-relevant changes include unauthorized changes to established configuration settings or the unauthorized elevation of system privileges.

Practitioner Notes

Integrate integrity detection with your incident response process so that integrity violations automatically trigger investigation and containment.

Example 1: Configure your SIEM so that file integrity alerts automatically create high-priority incident tickets in your ITSM tool (ServiceNow, Jira). The incident workflow includes steps for investigation, containment, remediation, and root cause analysis.

Example 2: In Microsoft Defender for Endpoint, integrity violations trigger automated investigation. The system collects forensic evidence, identifies the attack chain, and recommends or automatically takes remediation actions like quarantining the file or isolating the machine.

More System and Information Integrity Controls

SI-1 Policy and Procedures SI-2 Flaw Remediation SI-2(1) Central Management SI-2(2) Automated Flaw Remediation Status