SI.L2-3.14.7: Identify Unauthorized Use in CMMC Level 2
Detecting unauthorized use of your systems is critical to CMMC compliance and effective security operations. SI.L2-3.14.7 requires you to establish monitoring and detection mechanisms that catch anomalous activity before it causes damage. This control bridges detection and response, turning visibility into protection.
What this means
This control requires your organization to implement processes and tools to identify when unauthorized users or activities access your information systems without permission. This includes both external intrusions and insider threats, whether intentional or accidental. Detection mechanisms must be active and monitored to catch unauthorized access attempts, privilege escalation, and policy violations in real time.
How to comply
- 1.Deploy log aggregation and SIEM tools to collect and analyze system logs from servers, workstations, and network devices
- 2.Configure alerting rules for suspicious activities: failed login attempts, after-hours access, unusual data transfers, and privilege escalation
- 3.Implement network monitoring to detect abnormal traffic patterns and unauthorized connection attempts
- 4.Establish baseline behavior profiles for users and systems to identify deviations from normal operations
- 5.Conduct regular log reviews at least monthly to investigate and document unauthorized access incidents
- 6.Document all detection methods, tools, and thresholds in your System Security Plan
- 7.Train staff on reporting suspected unauthorized use and maintain an incident log for all findings
Evidence auditors look for
- SIEM configuration and alerting rules showing monitored unauthorized access indicators
- System and application logs with timestamps of detected unauthorized access attempts
- Network traffic analysis reports identifying anomalous connections or data exfiltration
- Baseline behavioral profiles for critical users and systems
- Monthly log review reports with findings and investigation documentation
- Incident logs documenting detected unauthorized use with dates and resolution actions
- Security tool dashboards and reports from monitoring solutions
- Policy documentation defining what constitutes unauthorized use at your organization
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automatically correlates security logs from your systems and generates monthly unauthorized use detection reports with audit-ready evidence—eliminating manual log analysis and ensuring consistent compliance with SI.L2-3.14.7.
See how GRCWatch handles this control automatically
Start free trial