GRCWatch
Sign inStart free trial

NIST DE.CM-6: Service Provider Activity Monitoring

Your vendors and service providers have access to critical systems—but most SMBs lack visibility into their activities. NIST DE.CM-6 requires continuous monitoring of external service provider behavior to catch suspicious activity before it becomes a breach. Without this control, you're flying blind on third-party risk.

What this means

Service Provider Activity Monitoring requires your organization to establish visibility and detection capabilities for external service provider actions within your environment. This means implementing logging, alerting, and analysis mechanisms to identify anomalous or unauthorized activities from vendors, contractors, and third-party integrations. The goal is early detection of potential cybersecurity incidents originating from or involving external parties who have system access.

How to comply

  1. 1.Inventory all external service providers with system or data access, including cloud vendors, managed service providers, and API integrations
  2. 2.Implement logging for all service provider activities, including authentication, data access, configuration changes, and network connections
  3. 3.Configure real-time alerts for suspicious patterns such as unusual access times, bulk data downloads, or access from unexpected locations
  4. 4.Establish baseline behavior profiles for each service provider to detect deviations from normal activity
  5. 5.Review service provider activity logs at least weekly, or daily for critical providers
  6. 6.Document monitoring procedures and assign accountability for review and incident escalation
  7. 7.Include service provider activity monitoring requirements in vendor contracts and service level agreements
  8. 8.Test detection capabilities quarterly to ensure alerts are functioning and timely

Evidence auditors look for

  • Service provider access logs showing timestamps, activities, and data accessed
  • Configured monitoring dashboards or SIEM rules specific to service provider accounts
  • Alert configurations with thresholds for anomalous activity (e.g., access outside business hours)
  • Weekly or daily activity review reports with documented findings
  • Vendor contracts stating monitoring obligations and acceptable use policies
  • Incident response records showing service provider activity investigations
  • Baseline behavior documentation for each critical service provider
  • User access reviews confirming service provider accounts remain current and authorized

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automatically ingests and normalizes service provider activity logs from your cloud platforms and integrations, then flags suspicious patterns in real-time—eliminating manual log review and cutting the time to detect vendor-originated threats from weeks to minutes.

See how GRCWatch handles this control automatically

Start free trial

Related controls

DE.CM-1 — Network Traffic MonitoringDE.CM-3 — Personnel Activity MonitoringDE.RM-3 — Vendor Risk AssessmentPR.AC-4 — Service Provider Access ManagementRS.AN-1 — Incident Event Characterization