NIST 800-53 r5 · Controls catalogue · Family CA
CA-7 Continuous Monitoring
Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes:
- Establishing the following system-level metrics to be monitored: {{ insert: param, ca-07_odp.01 }};
- Establishing {{ insert: param, ca-07_odp.02 }} for monitoring and {{ insert: param, ca-07_odp.03 }} for assessment of control effectiveness;
- Ongoing control assessments in accordance with the continuous monitoring strategy;
- Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;
- Correlation and analysis of information generated by control assessments and monitoring;
- Response actions to address results of the analysis of control assessment and monitoring information; and
- Reporting the security and privacy status of the system to {{ insert: param, ca-7_prm_4 }} {{ insert: param, ca-7_prm_5 }}.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (208)
- T1001 Data Obfuscation (Command And Control)
- T1001.001 Junk Data (Command And Control)
- T1001.002 Steganography (Command And Control)
- T1001.003 Protocol or Service Impersonation (Command And Control)
- T1003 OS Credential Dumping (Credential Access)
- T1003.001 LSASS Memory (Credential Access)
- T1003.002 Security Account Manager (Credential Access)
- T1003.003 NTDS (Credential Access)
- T1003.004 LSA Secrets (Credential Access)
- T1003.005 Cached Domain Credentials (Credential Access)
- T1003.006 DCSync (Credential Access)
- T1003.007 Proc Filesystem (Credential Access)
- T1003.008 /etc/passwd and /etc/shadow (Credential Access)
- T1008 Fallback Channels (Command And Control)
- T1021.002 SMB/Windows Admin Shares (Lateral Movement)
- T1021.005 VNC (Lateral Movement)
- T1029 Scheduled Transfer (Exfiltration)
- T1030 Data Transfer Size Limits (Exfiltration)
- T1036 Masquerading (Stealth)
- T1036.003 Rename Legitimate Utilities (Stealth)
- T1036.005 Match Legitimate Resource Name or Location (Stealth)
- T1036.007 Double File Extension (Stealth)
- T1037 Boot or Logon Initialization Scripts (Persistence, Privilege Escalation)
- T1037.002 Login Hook (Persistence, Privilege Escalation)
- T1037.003 Network Logon Script (Persistence, Privilege Escalation)
- T1037.004 RC Scripts (Persistence, Privilege Escalation)
- T1037.005 Startup Items (Persistence, Privilege Escalation)
- T1041 Exfiltration Over C2 Channel (Exfiltration)
- T1046 Network Service Discovery (Discovery)
- T1048 Exfiltration Over Alternative Protocol (Exfiltration)
- T1048.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol (Exfiltration)
- T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol (Exfiltration)
- T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol (Exfiltration)
- T1052 Exfiltration Over Physical Medium (Exfiltration)
- T1052.001 Exfiltration over USB (Exfiltration)
- T1053.006 Systemd Timers (Execution, Persistence, Privilege Escalation)
- T1055.009 Proc Memory (Stealth, Privilege Escalation)
- T1056.002 GUI Input Capture (Collection, Credential Access)
- T1059 Command and Scripting Interpreter (Execution)
- T1059.005 Visual Basic (Execution)
- T1059.007 JavaScript (Execution)
- T1059.010 AutoHotKey & AutoIT (Execution)
- T1068 Exploitation for Privilege Escalation (Privilege Escalation)
- T1070 Indicator Removal (Stealth)
- T1070.003 Clear Command History (Stealth)
- T1070.007 Clear Network Connection History and Configurations (Stealth)
- T1070.008 Clear Mailbox Data (Stealth)
- T1070.009 Clear Persistence (Stealth)
- T1071 Application Layer Protocol (Command And Control)
- T1071.001 Web Protocols (Command And Control)
Weaknesses this control addresses (5)
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-693 | Protection Mechanism Failure | 476 | Ongoing control assessments and analysis of monitoring data enable timely detection and response when protection mechanisms fail. |
| CWE-703 | Improper Check or Handling of Exceptional Conditions | 146 | Establishing and monitoring system metrics with correlation and response actions helps identify and address improper handling of exceptional conditions. |
| CWE-778 | Insufficient Logging | 23 | Continuous monitoring requires establishing metrics, ongoing data collection, correlation, and analysis, directly mitigating insufficient logging by ensuring security-relevant events are captured and reviewed. |
| CWE-390 | Detection of Error Condition Without Action | 14 | The control mandates response actions to address results from monitoring and assessments, preventing detection of error conditions without subsequent corrective action. |
| CWE-392 | Missing Report of Error Condition | 11 | Reporting the security and privacy status to organizational officials ensures monitoring and assessment results are communicated rather than omitted. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| No CVEs annotated to this control yet; the per-CVE backfill is in progress. | | | | |