This post explains how to implement a practical, auditable SIEM and centralized logging strategy to identify unauthorized use of organizational systems in order to satisfy NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 control SI.L2-3.14.7, with step-by-step actions, small-business examples, technical details, and compliance tips.
Understanding the Control and Key Objectives
Control SI.L2-3.14.7 requires organizations to have monitoring and detection capabilities to identify unauthorized use of systems. Key objectives are: (1) collect the right telemetry across endpoints, servers, identity systems, networks and cloud; (2) centralize and protect logs for analysis and evidence; (3) implement detection rules and workflows that reliably surface unauthorized activity; and (4) demonstrate those capabilities with documented evidence for assessment. For small businesses handling Controlled Unclassified Information (CUI), the focus is efficient telemetry coverage, practical detection use-cases, and demonstrable retention and integrity controls.
Step-by-Step Implementation Plan
1) Scope, Asset Inventory, and Requirements Mapping
Start by scoping: identify assets in the CUI boundary, privileged accounts, systems with remote access (VPN, RDP), and cloud services. Create an asset registry with owner, OS, services, and network location. Map each asset to required log types (e.g., Windows Security, Sysmon, Linux auth, AzureAD sign-ins, AWS CloudTrail, firewall, VPN, proxy). Document how each log type supports SI.L2-3.14.7 — this is the primary evidence for assessors.
2) Log Sources, Collection Methods, and Technical Details
Collect high-fidelity logs: Windows Security event log (successful and failed logons, Event IDs 4624 and 4625; 4672 for privileged logons), Sysmon (Event ID 1 process create, 3 network connect, 7 image/DLL load), Linux auth and sudo logs, SSH events, AD/LDAP replication; cloud: AWS CloudTrail, Azure AD sign-in and audit logs, GCP audit logs; network: firewall, VPN (OpenVPN/AnyConnect), proxy, and VPC flow logs. Use agents (Sysmon plus Windows Event Forwarding), syslog for network devices, and API pulls for cloud services. Enforce NTP across assets and ensure timestamps are normalized to UTC in the SIEM. Collect structured fields such as src_ip, dst_ip, src_port, user, event_id, process, parent_process, command_line, file_hash, and outcome to enable reliable correlation.
3) SIEM Design, Parsing, and Normalization
Design ingestion pipelines that parse and normalize logs into a common schema (user, src_ip, dest_host, event_type, timestamp, outcome). Implement field mappings and enrichments: reverse DNS, GeoIP, local risk score, threat intelligence (IOC matching), and identity context (role, last password change, MFA status). Ensure the SIEM stores raw originals plus normalized JSON so you can reproduce an investigator's view and provide raw-log evidence at assessment time.
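The normalization step above is easier to reason about with a concrete pipeline stage. The following Python is an added example, not code from the original post: it maps a Windows Security event (as rendered to JSON by a forwarder) and a Linux sshd auth line onto the common schema described here (user, src_ip, dest_host, event_type, timestamp, outcome) while keeping the raw original alongside. The inputs are constructed; the field names in the Windows sample follow the Security log's EventData, and the year and time zone of the Linux host are assumptions, because classic syslog timestamps carry neither.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample inputs for illustration; not real telemetry.
# A Windows Security event as it might arrive from Windows Event Forwarding
# already rendered to JSON (field names follow the Security log's EventData).
WINDOWS_EVENT = {
    "EventID": 4625,
    "Computer": "FS01.example.local",
    "TimeCreated": "2024-05-01T13:02:11.000Z",
    "TargetUserName": "jdoe",
    "IpAddress": "203.0.113.7",
    "LogonType": 10,
}

# A Linux sshd line from /var/log/auth.log. Classic syslog timestamps carry
# no year and no zone, so both must be supplied by the collector (assumed here).
LINUX_AUTH_LINE = (
    "May  1 09:02:15 web01 sshd[2214]: Failed password for jdoe "
    "from 203.0.113.7 port 51022 ssh2"
)
SOURCE_YEAR = 2024
SOURCE_TZ = timezone(timedelta(hours=-4))  # assumed local zone of the Linux host

WINDOWS_EVENT_TYPES = {
    4624: ("logon", "success"),
    4625: ("logon", "failure"),
    4672: ("privilege_assigned", "success"),
}

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def normalize_windows(event):
    """Map a Windows Security event to the common schema, keeping the raw copy."""
    event_type, outcome = WINDOWS_EVENT_TYPES.get(event["EventID"], ("other", "unknown"))
    ts = datetime.strptime(event["TimeCreated"], "%Y-%m-%dT%H:%M:%S.%fZ")
    ts = ts.replace(tzinfo=timezone.utc)  # the forwarder already emitted UTC ("Z")
    return {
        "timestamp": ts.isoformat(),
        "user": event.get("TargetUserName", "").lower(),
        "src_ip": event.get("IpAddress") or None,
        "dest_host": event["Computer"].lower(),
        "event_type": event_type,
        "outcome": outcome,
        "event_id": event["EventID"],
        "source": "windows_security",
        "raw": json.dumps(event, sort_keys=True),
    }


def normalize_linux_auth(line, year, source_tz):
    """Parse an sshd auth line and convert its local timestamp to UTC."""
    m = SSHD_RE.match(line)
    if not m:
        return None  # unparsed lines should be kept raw and counted, not dropped silently
    ts_text = " ".join(m["ts"].split())  # collapse the double space in "May  1"
    local = datetime.strptime(f"{year} {ts_text}", "%Y %b %d %H:%M:%S")
    utc = local.replace(tzinfo=source_tz).astimezone(timezone.utc)
    return {
        "timestamp": utc.isoformat(),
        "user": m["user"].lower(),
        "src_ip": m["ip"],
        "dest_host": m["host"].lower(),
        "event_type": "logon",
        "outcome": "success" if m["result"] == "Accepted" else "failure",
        "event_id": None,
        "source": "linux_sshd",
        "raw": line,
    }


def normalize_samples():
    """Run both normalizers over the constructed inputs."""
    return [
        normalize_windows(WINDOWS_EVENT),
        normalize_linux_auth(LINUX_AUTH_LINE, SOURCE_YEAR, SOURCE_TZ),
    ]


if __name__ == "__main__":
    for rec in normalize_samples():
        print(json.dumps(rec, indent=2))
```

Both records come out with the same user, source IP and a UTC timestamp a few seconds apart, which is exactly what a later correlation rule needs; without the time-zone conversion the two events would appear four hours apart and never correlate. The raw field is carried through so an assessor or investigator can be shown the original line behind any normalized record.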
4) Detection Use-Cases, Correlation Rules, and Example Logic
Create prioritized use-cases tied to unauthorized use: credential stuffing/brute force, compromised accounts (multiple geolocations or impossible travel), lateral movement (RDP/SMB following credential dump), privilege escalation (new admin group membership), and data-exfil patterns. Example pseudo-rule: if (count failed logins for account A from >3 unique IPs within 10 minutes) AND (successful login from a new IP with no previous geolocation for account A) AND (no MFA event for that login) THEN alert HIGH — include fields: user, first_failed_time, successful_time, src_ip_success. Map each rule to MITRE ATT&CK techniques (T1110, T1078, T1021) and document rule thresholds and rationale for assessment evidence.
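The pseudo-rule above can be made precise as a small correlation function over normalized events. The Python below is an added example written for this post, not the author's or any SIEM vendor's rule language: it evaluates the three conditions (failed logons from more than three unique IPs within ten minutes, a subsequent success from a geolocation never seen for the account, and no MFA event for that logon) and emits an alert carrying the fields the text asks for. The event list and the known-geolocation table are constructed; tying the MFA event to the logon by user and time proximity is an assumption, since the text does not say how the two are linked in a given identity provider.

```python
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=10)        # look-back for failed logons
MFA_GRACE = timedelta(minutes=2)      # assumed: how close an MFA event must sit to the logon
MIN_UNIQUE_FAILED_IPS = 4             # "> 3 unique IPs" in the rule text

# Constructed, already-normalized events (output of the parsing stage), not real telemetry.
EVENTS = [
    # Account jdoe: failures from four distinct IPs, then a success from a fifth IP in a new geo, no MFA.
    {"timestamp": "2024-05-01T13:00:05", "user": "jdoe", "src_ip": "198.51.100.11", "geo": "NL", "event_type": "logon", "outcome": "failure"},
    {"timestamp": "2024-05-01T13:01:30", "user": "jdoe", "src_ip": "198.51.100.12", "geo": "NL", "event_type": "logon", "outcome": "failure"},
    {"timestamp": "2024-05-01T13:03:12", "user": "jdoe", "src_ip": "198.51.100.13", "geo": "NL", "event_type": "logon", "outcome": "failure"},
    {"timestamp": "2024-05-01T13:04:48", "user": "jdoe", "src_ip": "198.51.100.14", "geo": "NL", "event_type": "logon", "outcome": "failure"},
    {"timestamp": "2024-05-01T13:06:40", "user": "jdoe", "src_ip": "198.51.100.44", "geo": "NL", "event_type": "logon", "outcome": "success"},
    # Account asmith: two typos from one IP, then a success from a known geo with MFA. Must not alert.
    {"timestamp": "2024-05-01T13:02:00", "user": "asmith", "src_ip": "192.0.2.20", "geo": "US", "event_type": "logon", "outcome": "failure"},
    {"timestamp": "2024-05-01T13:02:20", "user": "asmith", "src_ip": "192.0.2.20", "geo": "US", "event_type": "logon", "outcome": "failure"},
    {"timestamp": "2024-05-01T13:02:45", "user": "asmith", "src_ip": "192.0.2.20", "geo": "US", "event_type": "mfa", "outcome": "success"},
    {"timestamp": "2024-05-01T13:02:50", "user": "asmith", "src_ip": "192.0.2.20", "geo": "US", "event_type": "logon", "outcome": "success"},
]

# Geolocations previously seen per account (constructed identity context).
KNOWN_GEO = {"jdoe": {"US"}, "asmith": {"US"}}


def _ts(text):
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)


def evaluate_rule(events, known_geo, window=WINDOW, min_ips=MIN_UNIQUE_FAILED_IPS):
    """Return HIGH alerts for successful logons that satisfy all three conditions."""
    events = sorted(events, key=lambda e: e["timestamp"])
    alerts = []
    for ev in events:
        if ev["event_type"] != "logon" or ev["outcome"] != "success":
            continue
        t_ok = _ts(ev["timestamp"])
        # Condition 1: failed logons for this account from more than three unique IPs in the window.
        failed = [
            f for f in events
            if f["user"] == ev["user"] and f["event_type"] == "logon" and f["outcome"] == "failure"
            and t_ok - window <= _ts(f["timestamp"]) < t_ok
        ]
        failed_ips = {f["src_ip"] for f in failed}
        if len(failed_ips) < min_ips:
            continue
        # Condition 2: the success comes from a geolocation never seen for this account.
        if ev["geo"] in known_geo.get(ev["user"], set()):
            continue
        # Condition 3: no successful MFA event for the account close to the logon
        # (assumption: MFA and logon events are linked by user and time proximity).
        mfa_seen = any(
            m["user"] == ev["user"] and m["event_type"] == "mfa" and m["outcome"] == "success"
            and abs(_ts(m["timestamp"]) - t_ok) <= MFA_GRACE
            for m in events
        )
        if mfa_seen:
            continue
        alerts.append({
            "severity": "HIGH",
            "rule": "brute_force_then_new_geo_logon_without_mfa",
            "mitre": ["T1110", "T1078"],
            "user": ev["user"],
            "first_failed_time": min(f["timestamp"] for f in failed),
            "successful_time": ev["timestamp"],
            "src_ip_success": ev["src_ip"],
            "failed_ips": sorted(failed_ips),
        })
    return alerts


if __name__ == "__main__":
    for alert in evaluate_rule(EVENTS, KNOWN_GEO):
        print(alert)
```

The thresholds are named constants at the top so the documented rationale an assessor asks for can point at one place, and the same constructed event list doubles as the controlled detection test a later step calls for: feed it through the rule, confirm exactly one HIGH alert for the compromised account and none for the legitimate user who mistyped a password and completed MFA.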
5) Tuning, Baseline, and Alerting Workflow
Begin with conservative thresholds and a 30-day learning period to establish baselines for noisy systems (e.g., automated backups, monitoring agents). Classify alerts by severity and create an escalation matrix: who receives critical alerts, SLAs for acknowledgement and response, and required artifacts for incident records (timeline, logs, containment steps). For small businesses, integrate SIEM alerts with helpdesk/ticketing and automated containment (disable account, block IP via firewall) where safe. Maintain a false-positive log and update detection rules monthly.
6) Retention, Integrity, and Evidence Handling
Define retention in policy aligned to contract and organizational risk — common practical recommendations are 1 year online retention for security logs and longer cold storage for forensic requirements (3+ years) depending on contracts. Protect logs: write-once-read-many (WORM) or immutable storage, HMAC/hash chains for integrity, encrypted storage at rest and in transit, and role-based access for log access. Keep a secure SIEM configuration backup and maintain chain-of-custody procedures and signed export reports to demonstrate integrity to an assessor.
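One of the integrity mechanisms named above, an HMAC hash chain over stored log records, is short enough to show end to end. The Python below is an added example, not code from the original post or from any SIEM product: each record's chain hash is an HMAC-SHA256 over the previous chain hash plus a canonical serialization of the entry, so editing or deleting any record breaks every verification from that point on. The records and the key are constructed placeholders.

```python
import copy
import hashlib
import hmac
import json

# Constructed normalized log records (not real telemetry).
SAMPLE_ENTRIES = [
    {"timestamp": "2024-05-01T13:00:05+00:00", "user": "jdoe", "event_type": "logon", "outcome": "failure", "src_ip": "198.51.100.11"},
    {"timestamp": "2024-05-01T13:06:40+00:00", "user": "jdoe", "event_type": "logon", "outcome": "success", "src_ip": "198.51.100.44"},
    {"timestamp": "2024-05-01T13:07:02+00:00", "user": "jdoe", "event_type": "file_read", "outcome": "success", "dest_host": "fs01"},
]

# Placeholder key for the demo. In practice the key is held by the SIEM (ideally in a KMS or HSM),
# never on the log sources, because anyone holding it can recompute a consistent chain.
DEMO_KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64  # prev_hash of the first record


def _canonical(entry):
    """Deterministic serialization so the same record always hashes identically."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def append_record(chain, entry, key):
    """Append entry, binding it to the previous record with an HMAC-SHA256 chain hash."""
    prev = chain[-1]["chain_hash"] if chain else GENESIS
    chain_hash = hmac.new(key, prev.encode() + _canonical(entry), hashlib.sha256).hexdigest()
    chain.append({"entry": entry, "prev_hash": prev, "chain_hash": chain_hash})
    return chain_hash


def verify_chain(chain, key):
    """Return (True, None) if intact, else (False, index of the first bad record)."""
    prev = GENESIS
    for idx, rec in enumerate(chain):
        if rec["prev_hash"] != prev:
            return False, idx  # a record was removed or reordered before this one
        expected = hmac.new(key, prev.encode() + _canonical(rec["entry"]), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec["chain_hash"]):
            return False, idx  # this record's content was altered, or the key is wrong
        prev = rec["chain_hash"]
    return True, None


def build_chain(entries=SAMPLE_ENTRIES, key=DEMO_KEY):
    chain = []
    for e in entries:
        append_record(chain, e, key)
    return chain


def tamper_demo():
    """Show what editing and deleting a record do to verification."""
    chain = build_chain()
    intact = verify_chain(chain, DEMO_KEY)

    edited = copy.deepcopy(chain)
    edited[1]["entry"]["outcome"] = "failure"   # rewrite history: hide the successful logon
    after_edit = verify_chain(edited, DEMO_KEY)

    deleted = chain[:1] + chain[2:]              # drop the middle record entirely
    after_delete = verify_chain(deleted, DEMO_KEY)

    return intact, after_edit, after_delete


if __name__ == "__main__":
    print(tamper_demo())  # (True, None), (False, 1), (False, 1)
```

A chain like this detects edits, deletions and reordering inside the stored set, but not truncation of the newest records, since a shortened chain still verifies. That is why the signed export reports mentioned above matter: periodically recording the latest chain hash in a signed report (or on WORM storage) anchors the tail so an assessor can confirm nothing was removed from the end.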
7) Incident Response Integration and Testing
Integrate detection outputs into your incident response (IR) playbooks: containment, forensics (disk image and memory capture guidance), communication (internal and any DoD contracting officer notifications), and remediation. Conduct tabletop exercises and live detection tests: simulate credential theft by generating controlled failed logins and a successful login from a new IP to validate the detection logic. Document test results as part of your compliance evidence package.
Real-World Small-Business Scenarios and Practical Tips
Example: a small engineering firm stores CUI on an on-prem file server and uses Azure AD for identity. A contractor's home PC is compromised, and the stolen credentials are then used from an unusual country to access a CUI folder. The SIEM correlates the Azure sign-in (unusual location), the VPN connection from that IP, and a subsequent SMB file read on the file server — a correlation rule triggers a high-severity alert, the account is disabled automatically, and an IR checklist is executed. Practical tips: enable MFA for all remote access, deploy Sysmon on endpoints handling CUI, forward Windows Security and Sysmon events to the SIEM, and configure CloudTrail and Azure audit logs to send to the same SIEM so cross-source correlation is possible.
Risks of Not Implementing This Requirement and Compliance Best Practices
Failing to implement SI.L2-3.14.7 risks undetected unauthorized access leading to CUI exposure, contract penalties or loss, and reputational harm. From a compliance perspective, absence of centralized logs, weak retention or integrity controls, and no documented detection rules are common assessment failures. Best practices: keep an auditable mapping between controls and evidence, retain raw logs plus normalized copies, maintain documented detection rules and tuning notes, and use threat intel to reduce dwell time. Small businesses with limited staff should consider managed SIEM/SOC partners but retain control over policies, retention, and access so assessment evidence is available.
Summary: Implementing a compliant SIEM and log strategy for SI.L2-3.14.7 requires scoping CUI assets, collecting high-fidelity telemetry (endpoints, identity, network, cloud), normalizing and protecting logs, building mapped detection rules with documented thresholds, integrating alerts into IR workflows, and retaining/validating log integrity for assessment — all of which can be achieved with focused steps, tuning, and documented evidence suitable for a small business aiming to meet NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 requirements.