NIST 800-171 Control 3.14.6: Security Function Monitoring
Security function monitoring is your organization's early warning system for network-based attacks. NIST 800-171 control 3.14.6 requires continuous monitoring of inbound and outbound communications traffic to detect attacks and potential attack indicators before they cause harm. Without visibility into what's crossing your network perimeter, you're flying blind.
What this means
Control 3.14.6 mandates that you establish and maintain monitoring capabilities across your organizational systems to observe communications traffic in real time. This includes both inbound traffic entering your network and outbound traffic leaving it. The goal is early detection of attacks, malicious activity, and suspicious patterns that indicate a breach attempt or compromise. Monitoring must be continuous and alert-driven, not periodic or manual.
How to comply
- 1.Deploy network monitoring tools (IDS/IPS, packet analyzers, or SIEM) that capture and analyze inbound and outbound traffic
- 2.Configure alerts for known attack signatures, suspicious protocols, unusual port activity, and policy violations
- 3.Establish baseline traffic profiles for your systems to identify anomalies quickly
- 4.Log all monitored events with timestamps and retain logs per your retention policy
- 5.Review monitoring data regularly and investigate alerts according to a documented incident response plan
- 6.Integrate monitoring outputs into your SIEM or centralized logging system for correlation and analysis
- 7.Document your monitoring architecture, tools, detection rules, and alert thresholds
Evidence auditors look for
- Network monitoring tool configuration screenshots showing active IDS/IPS rules
- Sample alert logs demonstrating detection of suspicious traffic patterns
- Baseline traffic analysis reports used to establish normal behavior
- Incident response logs showing investigation of detected alerts
- SIEM dashboards displaying inbound and outbound traffic analysis
- Monitoring policy or procedure document describing traffic inspection methods
- Alert tuning records showing refinement of detection rules to reduce false positives
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates continuous traffic monitoring configuration, centralizes alert collection from your network tools, and generates monitoring evidence reports for 3.14.6 audits—eliminating manual log collection and reducing detection gaps.
See how GRCWatch handles this control automatically
Start free trial