Maintain situational awareness through centralized collection, correlation and analysis of security-relevant telemetry from Technology Assets, Applications and Services (TAAS).
Organizations establish enterprise-wide situational awareness through centralized collection, correlation, analysis and review of security-relevant events, telemetry and control status to reduce blind spots that could contribute to compromise, data exfiltration or TAAS unavailability.
Situational awareness is not a byproduct of having security tools deployed. It requires centralized collection, correlation and analysis of security-relevant telemetry across TAAS. The MON domain governs that discipline. An organization with excellent endpoint protection, a well-configured SIEM and network monitoring capabilities that aren't integrated will still have blind spots that attackers will find.
The SCF's intent for MON emphasizes reducing blind spots specifically and names compromise, data exfiltration and TAAS unavailability as the failure modes that blind spots enable. That framing is accurate to how most significant breaches unfold: the telemetry that would have revealed the compromise existed, but nobody was collecting or correlating it in a way that would have produced an alert.
MON is not Incident Response (IRO). MON produces the signals that make incident response possible. An incident response capability without continuous monitoring is reactive by design, limited to investigating incidents that surface through other means. The two domains depend on each other, but they govern distinct capabilities that require separate investment and ownership.