DE.CM-06 requires monitoring the activities and services of external providers—like cloud platforms or ISPs—to detect adverse events that could impact the organization. This includes tracking remote administration or onsite maintenance by third parties for deviations from expected behavior. It ensures external dependencies don’t become blind spots.

This subcategory mitigates risks from outsourced services by maintaining oversight, aligning monitoring with contractual security expectations. It supports a comprehensive security posture by extending vigilance beyond organizational boundaries. DE.CM-06 safeguards against threats originating in the supply chain.