Skip to main content
NetStable
Level 2 SI.L2-3.14.6

Monitor organizational systems

What It Means Why It Matters How to Implement Evidence SSP Guidance Assessment Common Mistakes

📖 What This Means

This practice requires organizations to continuously monitor their systems to detect and respond to potential security threats. It involves setting up tools and processes to track system activities, identify unusual patterns, and alert the security team when something suspicious happens. Think of it as having a security camera for your IT systems. For example, if an employee’s account suddenly starts accessing sensitive files at odd hours, monitoring tools should flag this activity. Another example is detecting malware attempting to spread across the network. The goal is to catch issues early before they escalate into major incidents.

🎯 Why It Matters

Failing to monitor systems leaves organizations blind to potential cyberattacks. According to IBM’s Cost of a Data Breach Report, it takes an average of 277 days to identify and contain a breach, costing millions of dollars. For instance, the SolarWinds breach went undetected for months, compromising sensitive government and corporate data. CMMC emphasizes this control because the DoD relies on contractors to protect Controlled Unclassified Information (CUI). Continuous monitoring ensures quick detection of threats, minimizing damage and maintaining trust with the DoD.

How to Implement

  1. Enable logging in your cloud provider (e.g., AWS CloudTrail, Azure Monitor, GCP Operations Suite).
  2. Configure alerts for unusual activities like failed logins, unauthorized access attempts, or configuration changes.
  3. Integrate cloud logs with a Security Information and Event Management (SIEM) tool like Splunk or Elastic Stack.
  4. Set up automated reports for daily/weekly review by the security team.
  5. Regularly review and update monitoring rules to adapt to new threats.
⏱️
Estimated Effort
2-4 weeks for setup, ongoing daily monitoring, and weekly reviews (requires intermediate IT skills).

📋 Evidence Examples

Monitoring Policy

Format: PDF
Frequency: Annual review
Contents: Defines roles, responsibilities, and procedures for monitoring.
Collection: Document from IT/Security team.

SIEM Configuration Screenshots

Format: PNG
Frequency: After setup and updates
Contents: Show alert rules and log sources.
Collection: Export from SIEM dashboard.

Alert Logs

Format: CSV
Frequency: Weekly
Contents: List of triggered alerts with timestamps.
Collection: Export from SIEM tool.

Incident Response Reports

Format: PDF
Frequency: Per incident
Contents: Details of actions taken for each alert.
Collection: Generated by security team.

Training Records

Format: Excel
Frequency: Annual
Contents: List of staff trained on monitoring tools.
Collection: Maintained by HR or training coordinator.

📝 SSP Guidance

Use this guidance when writing the System Security Plan (SSP) narrative for this control.

How to Write the SSP Narrative

For SI.L2-3.14.6 ("Monitor organizational systems"), your SSP narrative should specifically describe: (1) the tools and technologies you use to implement this control, (2) the configuration or process that enforces it, (3) who is responsible for maintaining it, and (4) what evidence proves it's working. Describe your system and information integrity controls, including patch management process, antivirus/EDR deployment, email gateway protection, SIEM monitoring, and application security measures. Be specific -- name your actual products, settings, and responsible personnel.

Example SSP Narratives

Cloud (Azure/AWS)

"SI.L2-3.14.6 is implemented using cloud-native controls. [Organization] uses [specific cloud service/feature] to monitor organizational systems. The configuration is managed through [Azure Policy/AWS Config/Terraform] and monitored via [SIEM tool]. Responsible party: [IT Security Manager]. Evidence: [specific artifact, e.g., 'Azure AD Conditional Access policy screenshot, CloudTrail logs']."

On-Premise

"SI.L2-3.14.6 is implemented through on-premise infrastructure controls. [Organization] uses [Active Directory/Group Policy/specific tool] to monitor organizational systems. Configuration is documented in [location] and audited [frequency]. Responsible party: [System Administrator]. Evidence: [specific artifact, e.g., 'Group Policy export, Windows Event logs']."

Hybrid

"SI.L2-3.14.6 is implemented across both cloud and on-premise environments. [Organization] uses [Azure AD Connect/hybrid tool] to ensure consistent enforcement. Cloud resources are managed via [cloud tool] and on-premise systems via [on-prem tool]. Both environments report to [centralized SIEM]. Responsible party: [IT Director]. Evidence: [artifacts from both environments]."

System Boundary Considerations

  • Identify all systems requiring patch management within the CUI boundary
  • Document EDR/AV coverage across endpoints and servers
  • Specify SIEM monitoring coverage and alert rules
  • Ensure this control covers all systems within your defined CUI boundary where monitor organizational systems applies
  • Document any systems where this control is not applicable and explain why

Key Documentation to Reference in SSP

  • 📄 System and Information Integrity Policy
  • 📄 Patch management reports
  • 📄 AV/EDR deployment records
  • 📄 SIEM alert configuration
  • 📄 Evidence artifacts specific to SI.L2-3.14.6
  • 📄 POA&M entry if control is not fully implemented

What the Assessor Looks For

The assessor will verify patch management SLAs are met, check AV/EDR deployment coverage (should be 100%), review SIEM alert rules and response times, and test that email gateway blocks malicious content.

💬 Self-Assessment Questions

Use these questions to assess your compliance. Each "NO" answer provides specific remediation guidance.

Question 1: Do you have a documented monitoring policy?

✅ YES → Proceed to Q2.
❌ NO → GAP: Draft and approve a monitoring policy within 2 weeks.
Remediation:
Use templates from NIST or CMMC resources.

Question 2: Are logs from all critical systems being collected?

✅ YES → Proceed to Q3.
❌ NO → GAP: Enable logging on missing systems within 1 week.
Remediation:
Check Windows Event Logs and Linux syslog configurations.

Question 3: Are alerts configured for suspicious activities?

✅ YES → Proceed to Q4.
❌ NO → GAP: Set up alerts in your SIEM tool within 1 week.
Remediation:
Use default rules and customize based on your environment.

Question 4: Are logs reviewed regularly?

✅ YES → Proceed to Q5.
❌ NO → GAP: Schedule daily/weekly log reviews starting immediately.
Remediation:
Assign responsibility to a dedicated team member.

Question 5: Is staff trained to respond to alerts?

✅ YES → Compliant.
❌ NO → GAP: Conduct training within 2 weeks.
Remediation:
Use vendor-provided training materials or hire a consultant.

⚠️ Common Mistakes (What Auditors Flag)

1. Incomplete log collection

Why this happens: Missing critical systems or misconfigured logging.
How to avoid: Audit all systems and ensure logging is enabled.

2. No alerts for suspicious activities

Why this happens: Failure to configure SIEM rules.
How to avoid: Set up default alerts and customize based on your environment.

3. Infrequent log reviews

Why this happens: Lack of resources or oversight.
How to avoid: Assign dedicated staff and automate reports.

4. Untrained staff

Why this happens: Assumed existing knowledge.
How to avoid: Provide regular training and drills.

5. No integration between cloud and on-premise tools

Why this happens: Separate teams managing environments.
How to avoid: Use APIs to synchronize logs and alerts.

📚 Parent Policy

This practice is governed by the System and Information Integrity Policy

View SI Policy →

📚 Related Controls

SI.L2-3.14.1 SI.L2-3.14.2 SI.L2-3.14.7
Previous
SI.L1-3.14.5
Back to SI
Next
SI.L2-3.14.7