NIST 800-171 • LEVEL 2 • SYSTEM AND INFORMATION INTEGRITY

3.14.6 System Monitoring

Monitor the system to detect attacks and indicators of potential attacks, and unauthorized connections. Identify unauthorized use of the system. Monitor inbound and outbound communications traffic to detect unusual or unauthorized activities or conditions.

Assessment Objectives

  • the system is monitored to detect attacks.
  • the system is monitored to detect indicators of potential attacks.
  • the system is monitored to detect unauthorized connections.
  • unauthorized use of the system is identified.
  • inbound communications traffic is monitored to detect unusual or unauthorized activities or conditions.
  • outbound communications traffic is monitored to detect unusual or unauthorized activities or conditions.

Practitioner Notes

System monitoring means actively watching your systems for signs of attacks, unauthorized access, and suspicious behavior. You need tools collecting logs, generating alerts, and someone reviewing them regularly.

Example 1: Deploy Microsoft Sentinel (cloud SIEM) or a similar SIEM solution. Connect it to your Active Directory, M365 audit logs, firewall logs, and endpoint telemetry from Defender for Endpoint. Create analytics rules for high-priority events: multiple failed logins followed by a success (credential stuffing), new service installations, or PowerShell execution with encoded commands. Assign these alerts to a security analyst for daily review.

Example 2: Enable Windows Security Event logging via GPO: Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration. At minimum, enable auditing for Logon/Logoff (success and failure), Account Management (success and failure), Object Access (failure), and Policy Change (success). Forward these events to a central log collector using Windows Event Forwarding (WEF) or a log shipping agent.
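The following is an added example, not code from the page, from NIST, or from any SIEM vendor. It shows, in Python, what the three analytics rules from Example 1 look like when applied to Windows Security events of the kinds Example 2 turns on: 4624/4625 (logon success/failure, from Logon/Logoff auditing), 4688 (process creation; the command line is only present when the "Include command line in process creation events" policy is also enabled) and 7045 (service installed, written to the System log by the Service Control Manager). The event records, field names, threshold and time window are constructed assumptions for illustration; in a Sentinel deployment the same logic would be written as KQL analytics rules over the forwarded SecurityEvent table.

```python
"""
Added example (not part of the NIST/CMMC page): three detection rules from
Example 1 run over constructed Windows Security / System events.
"""
import base64
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Tuning assumptions: five or more failures within ten minutes, followed by a
# success from the same user and source address, is treated as suspicious.
FAILED_LOGON_THRESHOLD = 5
FAILED_LOGON_WINDOW = timedelta(minutes=10)

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -en,
# -enc, ...), so match the switch family rather than one spelling. "-ex..."
# (e.g. -ExecutionPolicy) is deliberately excluded.
ENCODED_CMD_RE = re.compile(r"(?i)(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)")


def _ts(event):
    return datetime.fromisoformat(event["time"])


def decode_encoded_command(command_line):
    """Return the decoded -EncodedCommand payload (UTF-16LE), or None if absent."""
    m = ENCODED_CMD_RE.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable payload>"


def detect(events):
    """Apply the three rules and return a list of alert dicts in event order."""
    alerts = []
    failures = defaultdict(deque)  # (user, src_ip) -> timestamps of recent 4625s
    for ev in sorted(events, key=_ts):
        now = _ts(ev)
        if ev["id"] == 4625:
            failures[(ev["user"], ev["src_ip"])].append(now)
        elif ev["id"] == 4624:
            q = failures[(ev["user"], ev["src_ip"])]
            while q and now - q[0] > FAILED_LOGON_WINDOW:  # drop stale failures
                q.popleft()
            if len(q) >= FAILED_LOGON_THRESHOLD:
                alerts.append({"rule": "failed_logons_then_success", "user": ev["user"],
                               "src_ip": ev["src_ip"], "failures": len(q)})
            q.clear()  # a success closes the current burst
        elif ev["id"] == 7045:
            alerts.append({"rule": "new_service_installed", "service": ev["service"],
                           "image": ev["image_path"]})
        elif ev["id"] == 4688 and ev["process"].lower().endswith("powershell.exe"):
            decoded = decode_encoded_command(ev["command_line"])
            if decoded is not None:
                alerts.append({"rule": "powershell_encoded_command", "user": ev["user"],
                               "decoded": decoded})
    return alerts


# Constructed sample events (field names are assumptions, not the raw XML schema).
_ENC = base64.b64encode("Get-Process".encode("utf-16-le")).decode()  # harmless payload
SAMPLE_EVENTS = [
    # six failures for jdoe from one address within five minutes, then a success
    *[{"time": f"2024-05-01T08:0{i}:00", "id": 4625, "user": "jdoe", "src_ip": "203.0.113.7"}
      for i in range(6)],
    {"time": "2024-05-01T08:06:30", "id": 4624, "user": "jdoe", "src_ip": "203.0.113.7"},
    # one mistyped password then a success: normal behaviour, no alert
    {"time": "2024-05-01T08:10:00", "id": 4625, "user": "asmith", "src_ip": "10.0.0.5"},
    {"time": "2024-05-01T08:10:20", "id": 4624, "user": "asmith", "src_ip": "10.0.0.5"},
    # a service installed from a user-writable path
    {"time": "2024-05-01T08:15:00", "id": 7045, "service": "WinUpdaterSvc",
     "image_path": r"C:\Users\Public\svc.exe"},
    # PowerShell launched with an encoded command
    {"time": "2024-05-01T08:20:00", "id": 4688, "user": "jdoe",
     "process": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": f"powershell.exe -NoP -W Hidden -enc {_ENC}"},
    # ordinary process creation, no alert
    {"time": "2024-05-01T08:21:00", "id": 4688, "user": "asmith",
     "process": r"C:\Windows\System32\notepad.exe", "command_line": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Running the script prints three alerts: the jdoe burst of failures followed by a success, the new service, and the PowerShell launch with its payload decoded to `Get-Process`. The asmith single failure and the notepad launch produce nothing, which is the point of the threshold and the process filter: the rules in Example 1 only earn daily analyst review if they stay quiet on routine activity.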

Monitoring without review is just storage. Make sure someone is looking at alerts daily.