NIST Compliance

The following document elaborates on how Endpoint Central MSP can help enterprises meet certain requirements of NIST 800-53 compliance.

 

Compliance: NIST 800-53

NIST Special Publication 800-53 establishes the foundational security and privacy controls for all federal information systems and agencies. For government entities, as well as cloud service providers pursuing FedRAMP authorization, implementing these rigorous standards is mandatory to protect organizational operations and assets.

 

Endpoint Central equips organizations with the comprehensive endpoint management and security capabilities required to meet these strict baselines. The following document details how Endpoint Central's features help you satisfy critical NIST 800-53 control families, including Configuration Management (CM), Access Control (AC), System and Information Integrity (SI), and Audit and Accountability (AU).

Here is a detailed look at how Endpoint Central helps you achieve NIST 800-53 compliance.

Requirement | Description | How Endpoint Central fulfills it
 

Access Control

 
AC-2

Define and document the types of accounts allowed and specifically prohibited for use within the system; Assign account managers; Require [organization-defined prerequisites and criteria] for group and role membership; Specify authorized users of the system, group and role membership, and access authorizations (i.e., privileges) and [organization-defined attributes] for each account; Require approvals by [organization-defined personnel or roles] for requests to create accounts; Create, enable, modify, disable, and remove accounts in accordance with [organization-defined policy, procedures, prerequisites, and criteria]; Monitor the use of accounts; Notify account managers and [organization-defined personnel or roles] within [organization-defined time period] when accounts are no longer required, when users are terminated or transferred, and when system usage or need-to-know changes for an individual; Authorize access to the system based on a valid access authorization, intended system usage, and other attributes as required by the organization or associated mission and business functions.

Local and directory user management lets administrators create, modify, and remove accounts with scoped roles and policy enforcement.

AC-3

Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

Role-based access control for console actions (who can deploy patches/software/scripts, initiate remote control, manage policies); audit logs for privileged actions.

AC-5

Identify and document [organization-defined duties of individuals requiring separation]; and Define system access authorizations to support separation of duties.

The system provides predefined, non-overlapping roles such as Administrator, Technician, Auditor, IT Asset Manager, and Patch Manager. For example, assigning an individual to the “Auditor” role explicitly restricts their capabilities to read-only views of software inventory and compliance reports; they possess zero authority to deploy software or modify configurations. Similarly, an “IT Asset Manager” is confined to hardware/software lifecycle tracking, separated entirely from vulnerability remediation workflows.

AC-6

Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.

Least-privilege enforcement through granular role permissions and limiting scopes/targets for deployments and remote actions.

AC-7

Enforce a limit of [organization-defined number] consecutive invalid logon attempts by a user during a [organization-defined time period]; and Automatically [lock the account or node for an organization-defined time period, lock the account or node until released by an administrator, delay next logon prompt per organization-defined delay algorithm] when the maximum number of unsuccessful attempts is exceeded.

Custom scripts deployed via Endpoint Central can enforce logon attempt limits and lockout policies.

AC-8

Display [organization-defined system use notification message or banner] to users before granting access to the system that provides privacy and security notices consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and state that: Users are accessing a U.S. Government system; System usage may be monitored, recorded, and subject to audit; Unauthorized use of the system is prohibited and subject to criminal and civil penalties; and Use of the system indicates consent to monitoring and recording.

Endpoint Central's Legal Notice configuration enables you to display important announcements and legal notices throughout the enterprise. The configured message is displayed whenever the user presses Ctrl+Alt+Del to log in.

AC-10

Limit the number of concurrent sessions for each [organization-defined account and/or account type] to [organization-defined number].

Supported via identity integration: by using Single Sign-On (SSO) through SAML authentication, or through direct integration with identity portals such as ADSelfService Plus and Identity360, administrators can enforce strict “Deny Concurrent Logins” policies.

AC-11

Prevent further access to the system by [initiating a device lock after organization-defined time period of inactivity, requiring the user to initiate a device lock before leaving the system unattended]; and Retain the device lock until the user reestablishes access using established identification and authentication procedures.

Force the screen to sleep or hibernate after a specified duration of inactivity with Endpoint Central's power management configuration. You can also configure whether a password is required on resume.
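An added read-only audit script for the AC-7, AC-8 and AC-11 rows above (example code, not Endpoint Central's own): it reads the Windows settings those controls depend on and reports pass/fail against organization-defined thresholds, which are constructed placeholders here. It assumes English-language `net accounts` output and that the lockout values come from local policy.

```powershell
# Added example (not Endpoint Central code): read-only audit of the Windows
# settings behind AC-7 (lockout), AC-8 (logon banner) and AC-11 (inactivity lock).
# Deploy as a custom script or run locally; a non-zero exit code marks the
# endpoint as non-compliant. Needs an elevated prompt for the HKLM reads.
# Assumptions: English 'net accounts' labels; lockout values come from local
# policy (on domain members the domain policy is authoritative).

# Organization-defined values from the control text. Constructed placeholders,
# not NIST-mandated numbers; replace with your own documented parameters.
$Expected = @{
    LockoutThreshold    = 5     # AC-7: max consecutive invalid logons
    LockoutDurationMin  = 15    # AC-7: minimum lock duration, in minutes
    InactivityLimitSecs = 900   # AC-11: maximum idle time before lock, in seconds
}

$Findings = New-Object System.Collections.Generic.List[object]

function Add-Finding {
    param([string]$Control, [string]$Check, [bool]$Pass, [string]$Detail)
    $status = if ($Pass) { 'PASS' } else { 'FAIL' }
    $Findings.Add([pscustomobject]@{
        Control = $Control
        Check   = $Check
        Status  = $status
        Detail  = $Detail
    })
}

# Pull one "<Label>: <value>" line out of 'net accounts' output.
function Get-NetAccountsValue {
    param([string[]]$Lines, [string]$Label)
    $pattern = '^{0}:\s*(\S+)' -f ([regex]::Escape($Label))
    $hit = $Lines | Select-String -Pattern $pattern | Select-Object -First 1
    if ($hit) { return $hit.Matches[0].Groups[1].Value }
    return $null
}

# --- AC-7: consecutive invalid logon limit and automatic lockout --------------
$netAccounts  = net accounts 2>$null
$thresholdRaw = Get-NetAccountsValue -Lines $netAccounts -Label 'Lockout threshold'
$durationRaw  = Get-NetAccountsValue -Lines $netAccounts -Label 'Lockout duration (minutes)'

# 'Never' means lockout is disabled, which fails the control outright.
$thresholdOk = (($thresholdRaw -match '^\d+$') -and
                ([int]$thresholdRaw -ge 1) -and
                ([int]$thresholdRaw -le $Expected.LockoutThreshold))
Add-Finding -Control 'AC-7' -Check 'Lockout threshold' -Pass $thresholdOk `
    -Detail "Lockout threshold=$thresholdRaw (expected 1..$($Expected.LockoutThreshold))"

$durationOk = (($durationRaw -match '^\d+$') -and
               ([int]$durationRaw -ge $Expected.LockoutDurationMin))
Add-Finding -Control 'AC-7' -Check 'Lockout duration' -Pass $durationOk `
    -Detail "Lockout duration=$durationRaw min (expected >= $($Expected.LockoutDurationMin))"

# --- AC-8: system use notification shown at Ctrl+Alt+Del ---------------------
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policy    = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
$caption   = [string]$policy.legalnoticecaption
$text      = [string]$policy.legalnoticetext

$bannerOk = (-not [string]::IsNullOrWhiteSpace($caption)) -and (-not [string]::IsNullOrWhiteSpace($text))
Add-Finding -Control 'AC-8' -Check 'Logon banner configured' -Pass $bannerOk `
    -Detail "caption='$caption'; text length=$($text.Length)"

# The control requires specific notices (monitoring, prohibited use, consent);
# check that the banner text mentions each of them.
$requiredNotices = @('monitor', 'unauthorized', 'consent')
$missing = @($requiredNotices | Where-Object { $text -notmatch $_ })
Add-Finding -Control 'AC-8' -Check 'Banner covers required notices' -Pass ($missing.Count -eq 0) `
    -Detail ('missing terms: ' + ($missing -join ', '))

# --- AC-11: device lock after inactivity, password required on resume --------
$inactivity   = $policy.InactivityTimeoutSecs     # machine-wide GPO value, in seconds
$inactivityOk = (($null -ne $inactivity) -and ([int]$inactivity -ge 1) -and
                 ([int]$inactivity -le $Expected.InactivityLimitSecs))
Add-Finding -Control 'AC-11' -Check 'Machine inactivity limit' -Pass $inactivityOk `
    -Detail "InactivityTimeoutSecs=$inactivity (expected 1..$($Expected.InactivityLimitSecs))"

# Per-user screen saver lock for the account running the script.
$desktop   = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
$ssSecure  = "$($desktop.ScreenSaverIsSecure)" -eq '1'
$ssTimeout = "$($desktop.ScreenSaveTimeOut)"
$ssOk = ($ssSecure -and ($ssTimeout -match '^\d+$') -and
         ([int]$ssTimeout -ge 1) -and ([int]$ssTimeout -le $Expected.InactivityLimitSecs))
Add-Finding -Control 'AC-11' -Check 'Screen saver lock (current user)' -Pass $ssOk `
    -Detail "ScreenSaverIsSecure=$($desktop.ScreenSaverIsSecure); ScreenSaveTimeOut=$ssTimeout"

$Findings | Format-Table -AutoSize
$failed = @($Findings | Where-Object { $_.Status -eq 'FAIL' }).Count
exit $failed
```

The exit code equals the number of failed checks, so a deployment job can flag non-compliant endpoints without parsing the table.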

AC-12

Automatically terminate a user session after [organization-defined conditions or trigger events requiring session disconnect].

Administrators can configure the inactivity session timeout (i.e., the time after which an idle user session is automatically logged out).

AC-17

Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and Authorize each type of remote access to the system prior to allowing such connections.

Remote Control module provides remote sessions to endpoints with configurable permissions and session/audit logging.

AC-18

Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access; and Authorize each type of wireless access to the system prior to allowing such connections.

MDM profiles can deploy/manage Wi-Fi configurations and related compliance; configuration templates can help enforce endpoint wireless-related settings where applicable.

AC-19

Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and Authorize the connection of mobile devices to organizational systems.

Prevent unauthorized mobile devices from connecting to your organization's network with Endpoint Central's SCEP certificate distribution feature.

Deploy profiles to all mobile devices based on their platform to restrict mobile device usage including anonymous activities on them.

AC-20

[Establish organization-defined terms and conditions, identify organization-defined controls asserted], consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to: Access the system from external systems; and Process, store, or transmit organization-controlled information using external systems; or Prohibit the use of [organization-defined types of external systems].

Endpoint Central's Device Control Plus feature restricts the usage of USB devices. By assigning strict device policies through device control, you can instantly identify the devices connected to your endpoints.

 

Audit and Accountability

 
AU-2

Identify the types of events that the system is capable of logging in support of the audit function: [organization-defined event types that the system is capable of logging]; Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; Specify the following event types for logging within the system: [organization-defined event types (subset of the event types defined in AU-2a) along with the frequency of (or situation requiring) logging for each identified event type]; Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and Review and update the event types selected for logging [organization-defined frequency].

Endpoint Central collects and centralizes event logs and audit trails, with configurable logging for key activities.

AU-3

Ensure that audit records contain information that establishes the following: What type of event occurred; When the event occurred; Where the event occurred; Source of the event; Outcome of the event; and Identity of any individuals, subjects, or objects/entities associated with the event.

Audit records include actor and action metadata for console operations and deployments; supports traceability of administrative activity.

AU-4

Allocate audit log storage capacity to accommodate [organization-defined audit log retention requirements].

Audit/log retention and storage sizing managed on the Endpoint Central server; supports maintaining required volume of audit records.

Audit logs can be retained for a maximum of 2 years.

AU-5

Alert [organization-defined personnel or roles] within [organization-defined time period] in the event of an audit logging process failure; and Take the following additional actions: [organization-defined additional actions].

While the UEM console generates logs, the enterprise response to logging failures is handled via integration with Security Information and Event Management (SIEM) and log management solutions within the same vendor ecosystem, specifically EventLog Analyzer and Log360.

AU-6

Review and analyze system audit records [organization-defined frequency] for indications of [organization-defined inappropriate or unusual activity] and the potential impact of the inappropriate or unusual activity; Report findings to [organization-defined personnel or roles]; and Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.

Administrators can use detailed audit logs and built-in reports to review logged events for security analysis.

AU-7

Provide and implement an audit record reduction and report generation capability that: Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents; and Does not alter the original content or time ordering of audit records.

Administrators can generate targeted reports—such as High-Risk Software Audits, User Logon Reports, Port Audits, and detailed USB device connection histories—that extract only the relevant events of interest.

AU-8

Use internal system clocks to generate time stamps for audit records; and Record time stamps for audit records that meet [organization-defined granularity of time measurement] and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp.

Time-stamped job histories and audit logs for patch/software/config deployments and remote actions.

AU-9

Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and Alert [organization-defined personnel or roles] upon detection of unauthorized access, modification, or deletion of audit information.

RBAC restricts who can view/export audit logs and administrative records; supports limiting audit data access within the console.

AU-11

Retain audit records for [organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements.

Configurable retention for logs/reports and historical job/deployment data supports audit retention requirements.

AU-12

Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2a on [organization-defined system components]; Allow [organization-defined personnel or roles] to select the event types that are to be logged by specific components of the system; and Generate audit records for the event types defined in AU-2c that include the audit record content defined in AU-3.

Endpoint Central generates audit logs for administrative and operational actions across modules.

AU-14

Provide and implement the capability for [organization-defined users or roles] to [record, view, hear, log] the content of a user session under [organization-defined circumstances]; and Develop, integrate, and use session auditing activities in consultation with legal counsel and in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.

Remote control session records and audit logs provide session-level accountability for remote endpoint actions.

 

Assessment, Authorization, and Monitoring

 
CA-7

Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes: Establishing the following system-level metrics to be monitored: [organization-defined system-level metrics]; Establishing [organization-defined frequencies] for monitoring and [organization-defined frequencies] for assessment of control effectiveness; Ongoing control assessments in accordance with the continuous monitoring strategy; Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy; Correlation and analysis of information generated by control assessments and monitoring; Response actions to address results of the analysis of control assessment and monitoring information; and Reporting the security and privacy status of the system to [organization-defined personnel or roles] [organization-defined frequency].

Compliance and posture dashboards/reports for patch compliance, configuration compliance, encryption status, and device compliance provide ongoing monitoring signals.

 

Configuration Management

 
CM-2

Develop, document, and maintain under configuration control, a current baseline configuration of the system; and Review and update the baseline configuration of the system: [organization-defined frequency]; When required due to [organization-defined circumstances]; and When system components are installed or upgraded.

Endpoint Central can maintain an inventory of organizational systems, including hardware and software. You can deploy a baseline configuration to systems using Endpoint Central.

CM-3

Determine and document the types of changes to the system that are configuration-controlled; Review proposed configuration-controlled changes to the system and approve or disapprove such changes with explicit consideration for security and privacy impact analyses; Document configuration change decisions associated with the system; Implement approved configuration-controlled changes to the system; Retain records of configuration-controlled changes to the system for [organization-defined time period]; Monitor and review activities associated with configuration-controlled changes to the system; and Coordinate and provide oversight for configuration change control activities through [organization-defined configuration change control element] that convenes [organization-defined frequency and/or when organization-defined configuration change conditions].

Endpoint Central's Vulnerability Manager Plus feature periodically scans systems to identify security misconfigurations and remediates them in a single click. All hardware and software changes are tracked in a timely manner. Endpoint Central also tracks patches and software updates. You can remediate those changes by deploying configurations.

CM-4

Analyze changes to the system to determine potential security and privacy impacts prior to change implementation.

The 'Test and Approve' feature under Patch Management in Endpoint Central lets you verify the compatibility of a patch update with the systems in the network prior to deploying the patches. Endpoint Central also provides test deployment to specific targets for other modules, such as configurations and software deployment.

CM-5

Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system.

Enforce logical restrictions catering to your needs using the various User Configurations settings found under Endpoint Central's configuration module.

RBAC restricts who can change configurations, deploy OS images, push software/scripts, and approve patch deployments; actions are auditable.

CM-7

Configure the system to provide only [organization-defined mission essential capabilities]; and Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: [organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services].

Endpoint Central's Application Control Plus feature performs privilege bracketing for applications and their privileged access, which enables enterprises to establish the principle of least privilege (POLP) without worrying about productivity drops.

Software inventory identifies installed components; software deployment can remove/disable unwanted apps; templates/scripts can harden/disable unnecessary services.

CM-8

Develop and document an inventory of system components that: Accurately reflects the system; Includes all components within the system; Does not include duplicate accounting of components or components assigned to any other system; Is at the level of granularity deemed necessary for tracking and reporting; and Includes the following information to achieve system component accountability: [organization-defined information deemed necessary to achieve effective system component accountability]; and Review and update the system component inventory [organization-defined frequency].

Endpoint Central can maintain an inventory of organizational systems, including hardware and software. MDM inventory extends to mobile devices.

CM-9

Develop, document, and implement a configuration management plan for the system that: Addresses roles, responsibilities, and configuration management processes and procedures; Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items; Defines the configuration items for the system and places the configuration items under configuration management; and Is reviewed and approved by [organization-defined personnel or roles].

The platform provides the necessary tools to place specific configuration items (e.g., OS settings, browser security policies, peripheral access rules) under strict automated control. With over 50 pre-defined configuration templates available—ranging from firewall settings and Wi-Fi profiles to environment variables and drive mappings—the platform ensures that the theoretical policies documented in the CM-9 plan are translated into immutable technical realities.

CM-10

Use software and associated documentation in accordance with contract agreements and copyright laws; Track the use of software and associated documentation protected by quantity licenses to control copying and distribution; and Control and document the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.

Endpoint Central's application control feature lets you blocklist or allowlist applications and stand-alone EXEs to prevent unauthorized applications from performing malicious activities; the same can also be achieved via the Prohibited Software feature.

CM-11

Establish [organization-defined policies] governing the installation of software by users; Enforce software installation policies through the following methods: [organization-defined methods]; and Monitor policy compliance [organization-defined frequency].

Endpoint Central provides a Self-Service Portal that allows you to publish software to target users/computers. Unlike manual software deployment, you publish a list of software to a group (target users/computers) and empower the users to install software based on their needs. The Application Control Plus feature provides blacklisting, which lets you associate an application blacklist with different custom groups while taking a user's role in the enterprise into account.

 

Contingency Planning

 
CP-9

Conduct backups of user-level information contained in [organization-defined system components] [organization-defined frequency]; Conduct backups of system-level information contained in the system [organization-defined frequency]; Conduct backups of system documentation, including security- and privacy-related documentation [organization-defined frequency]; and Protect the confidentiality, integrity, and availability of backup information.

Endpoint Central provides exportable evidence and relies on backing up its server/database for recoverability; actual backup scheduling, storage, and restoration processes are external/infrastructure-driven.

CP-10

Provide for the recovery and reconstitution of the system to a known state within [organization-defined time period consistent with recovery time and recovery point objectives] after a disruption, compromise, or failure.

Endpoint Central accelerates endpoint recovery by reimaging devices, redeploying standard applications, reapplying configurations, and bringing devices to patch compliance.

 

Identification and Authentication

 
IA-2

Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users.

Endpoint Central authenticates administrators/technicians to its console and can integrate with directory services for centralized authentication, while enforcing RBAC.

IA-3

Uniquely identify and authenticate [organization-defined devices and/or types of devices] before establishing a [local, remote, network] connection.

Endpoint Central identifies managed devices via agent registration and maintains unique device records; it can deploy/manage certificates to support device authentication to services.

Custom fields can be added, and endpoints can be marked with different identifiers according to your requirements.

IA-5

Manage system authenticators by: Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator; Establishing initial authenticator content for any authenticators issued by the organization; Ensuring that authenticators have sufficient strength of mechanism for their intended use; Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators; Changing default content of authenticators prior to first use; Changing or refreshing authenticators [organization-defined time period by authenticator type] or when [organization-defined events] occur; Protecting authenticator content from unauthorized disclosure and modification; Requiring individuals to take, and having devices implement, specific controls to protect authenticators; and Changing authenticators for group or role accounts when membership to those accounts changes.

Endpoint Central can deploy and manage certificates (renewal, inventory) and store credentials used for administrative tasks, and manage BitLocker recovery keys where supported.

Endpoint Central supports propagating password policies and system authentication policies through configurations.

 

Incident Response

 
IR-4

Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery; Coordinate incident handling activities with contingency planning activities; Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly; and Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization.

Endpoint Central supports incident handling by enabling rapid remote investigation (remote control), deploying remediation scripts, uninstalling unauthorized apps, applying patches, and generating evidence reports.

 

Maintenance

 
MA-2

Schedule, document, and review records of maintenance, repair, and replacement on system components in accordance with manufacturer or vendor specifications and/or organizational requirements; Approve and monitor all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location; Require that [organization-defined personnel or roles] explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement; Sanitize equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement; Check all potentially impacted controls to verify that the controls are still functioning properly following maintenance, repair, or replacement actions; and Include [organization-defined maintenance-related information] in organizational maintenance records.

Endpoint Central supports controlled maintenance through scheduled deployments, maintenance windows, remote support tools, and audit logging of maintenance actions.

MA-3

Approve, control, and monitor the use of system maintenance tools; and Review previously approved system maintenance tools [organization-defined frequency].

Endpoint Central provides built-in remote administration tools and controlled software/script deployment mechanisms, reducing the need for ad-hoc tools.

MA-4

Approve and monitor nonlocal maintenance and diagnostic activities; Allow the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the system; Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions; Maintain records for nonlocal maintenance and diagnostic activities; and Terminate session and network connections when nonlocal maintenance is completed.

Endpoint Central enables nonlocal maintenance via secure remote sessions governed by RBAC and scoped access, with session/audit trails as evidence.

MA-6

Obtain maintenance support and/or spare parts for [organization-defined system components] within [organization-defined time period] of failure.

Endpoint Central enables timely maintenance through automated patching/update workflows, vulnerability remediation prioritization, and compliance reporting.

 

Media Protection

 
MP-6

Sanitize [organization-defined system media] prior to disposal, release out of organizational control, or release for reuse using [organization-defined sanitization techniques and procedures]; and Employ sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information.

Delete files that contain any data from your organization's systems with Endpoint Central's file folder operation.

 

Risk Assessment

 
RA-3

Conduct a risk assessment, including: Identifying threats to and vulnerabilities in the system; Determining the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and Determining the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information; Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments; Document risk assessment results in [security and privacy plans, risk assessment report, or organization-defined document]; Review risk assessment results [organization-defined frequency]; Disseminate risk assessment results to [organization-defined personnel or roles]; and Update the risk assessment [organization-defined frequency] or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.

Endpoint Central's Vulnerability Manager feature periodically scans systems to discover vulnerabilities and remediate them through patching, helping to reduce risk.

It also finds security misconfigurations in organizational systems and allows you to remediate them in bulk through a centralized console.

RA-4

[Withdrawn: Incorporated into RA-3.]


RA-5

Monitor and scan for vulnerabilities in the system and hosted applications [organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system are identified and reported; Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: Enumerating platforms, software flaws, and improper configurations; Formatting checklists and test procedures; and Measuring vulnerability impact; Analyze vulnerability scan reports and results from vulnerability monitoring; Remediate legitimate vulnerabilities [organization-defined response times] in accordance with an organizational assessment of risk; Share information obtained from the vulnerability monitoring process and control assessments with [organization-defined personnel or roles] to help eliminate similar vulnerabilities in other systems.

Endpoint Central performs endpoint vulnerability assessment (missing patches, insecure configurations where supported), prioritizes remediation, and tracks closure through deployment workflows.

 

System and Services Acquisition

 
SA-6

[Withdrawn: Incorporated into CM-10, SI-7.]

Endpoint Central enforces technical restrictions on software execution/installation via application control and inventory visibility.

SA-7

[Withdrawn: Incorporated into CM-11, SI-7.]

Endpoint Central can restrict and monitor user-installed software via privilege controls and application execution policies, producing inventory reports.

SA-22

Replace system components when support for the components is no longer available from the developer, vendor, or manufacturer; and/or Provide the following options for alternative sources for continued support for unsupported components: [in-house support, organization-defined support from external providers].

Endpoint Central identifies OS/app versions and patch levels to highlight unsupported components and can assist with remediation (updates/uninstall).

System and Communications Protection

SC-2

Separate user functionality, including user interface services, from system management functionality.

The UEM platform implements this logical separation. System management functions, such as defining configurations, deploying software, and managing patches, are confined to a secure, web-based administrative console. This console requires dedicated authentication, is subject to granular RBAC, and can be further secured behind Single Sign-On (SSO) and Multi-Factor Authentication (MFA). By contrast, standard end users interact only with the "Self Service Portal" or the lightweight local agent. The Self Service Portal acts as a restricted presentation layer that lets non-privileged users trigger pre-approved software installations or local IT requests without exposing any underlying system management interface or administrative privilege.

SC-8

Protect the [confidentiality, integrity] of transmitted information.

Endpoint Central supports encrypted communications between server, agents, and web console using TLS configurations and can manage certificates used by endpoints.

SC-12

Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: [organization-defined requirements for key generation, distribution, storage, access, and destruction].

Endpoint Central can deploy and manage certificates and can store/retrieve BitLocker recovery keys for managed devices, providing inventory and recovery evidence.

SC-13

Determine the [organization-defined cryptographic uses]; and Implement the following types of cryptography required for each specified cryptographic use: [organization-defined types of cryptography for each specified cryptographic use].

Endpoint Central supports cryptographic protection by enabling disk encryption management (BitLocker policies, recovery key management) and encrypted management channels.

SC-17

Issue public key certificates under an [organization-defined certificate policy] or obtain public key certificates from an approved service provider; and Include only approved trust anchors in trust stores or certificate stores managed by the organization.

Endpoint Central manages endpoint certificates (deployment, tracking expiry, renewal workflows where supported) and provides certificate inventory reports.


System and Information Integrity

SI-2

Identify, report, and correct system flaws; Test software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation; Install security-relevant software and firmware updates within [organization-defined time period] of the release of the updates; and Incorporate flaw remediation into the organizational configuration management process.

Endpoint Central's vulnerability scanning identifies systems with security misconfigurations and missing patches, service packs, and antivirus definition updates, and lets you remediate these flaws from a centralized console.

SI-3

Implement [signature-based, non-signature-based] malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code; Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures; Configure malicious code protection mechanisms to: Perform periodic scans of the system [organization-defined frequency] and real-time scans of files from external sources at [endpoint, network entry and exit points] as the files are downloaded, opened, or executed in accordance with organizational policy; and [block malicious code, quarantine malicious code, take organization-defined action] in response to malicious code detection; and Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system.

Endpoint Central provides endpoint malware protection capabilities and reduces exposure via browser hardening, application control, and removable media restrictions, with status/reporting evidence.

SI-4

Monitor the system to detect: Attacks and indicators of potential attacks in accordance with the following monitoring objectives: [organization-defined monitoring objectives]; and Unauthorized local, network, and remote connections; Identify unauthorized use of the system through the following techniques and methods: [organization-defined techniques and methods]; Invoke internal monitoring capabilities or deploy monitoring devices: Strategically within the system to collect organization-determined essential information; and At ad hoc locations within the system to track specific types of transactions of interest to the organization; Analyze detected events and anomalies; Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation; Obtain legal opinion regarding system monitoring activities; and Provide [organization-defined system monitoring information] to [organization-defined personnel or roles] [organization-defined frequency].

Endpoint Central provides event logs (classified as errors, information messages, and warnings) that support auditing and troubleshooting. The vulnerability module provides an assessment of the security posture of the managed endpoints.

Continuous monitoring via inventory, patch compliance, and audit reports helps identify anomalous system activity.

SI-5

Receive system security alerts, advisories, and directives from [organization-defined external organizations] on an ongoing basis; Generate internal security alerts, advisories, and directives as deemed necessary; Disseminate security alerts, advisories, and directives to: [organization-defined personnel or roles, organization-defined elements, organization-defined external organizations]; and Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance.

Endpoint Central ingests patch/vulnerability content and provides dashboards and reports highlighting required remediation actions, supporting dissemination to operations teams via scheduled exports.

SI-6

Verify the correct operation of [organization-defined security and privacy functions]; Perform the verification of the functions specified in SI-6a [upon system transitional states, upon command by user with appropriate privilege, organization-defined frequency]; Alert [organization-defined personnel or roles] to failed security and privacy verification tests; and [Shut the system down, restart the system, organization-defined alternative action(s)] when anomalies are discovered.

Verify security posture using compliance reports for configuration settings, patch levels, encryption status, and mobile device compliance.

SI-7

Employ integrity verification tools to detect unauthorized changes to the following software, firmware, and information: [organization-defined software, firmware, and information]; and Take the following actions when unauthorized changes to the software, firmware, and information are detected: [organization-defined actions].

Endpoint Central supports integrity by controlling allowed software, maintaining patch currency, and deploying known-good images/software baselines, with inventory and deployment evidence.

Automated patching and integrity policies help ensure systems are running approved and up-to-date software versions.

SI-11

Generate error messages that provide information necessary for corrective actions without revealing information that could be exploited; and Reveal error messages only to [organization-defined personnel or roles].

The UEM platform supports this control through its centralized logging and alerting architecture. During routine operations, such as agent deployment failures, patch installation errors, or authentication rejections, the system generates specific, sanitized error codes (e.g., "Invalid authentication type," "Inaccessible domain controller," "Repeated invalid login attempts") that indicate the corrective action without disclosing internal details. These error logs are presented in the administrative console.

SI-14

Implement non-persistent [organization-defined system components and services] that are initiated in a known state and terminated [upon end of session of use, organization-defined frequency].

Endpoint Central can restore endpoints to a known baseline via OS imaging and reduce persistence via application control.
