
How to Meet NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - SI.L2-3.14.7

Practical guide for SMBs to implement NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - SI.L2-3.14.7

January 06, 2026

Requirement

NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - SI.L2-3.14.7 – Identify unauthorized use of organizational systems.

Understanding the Requirement

This control requires your organization to define what constitutes authorized and unauthorized use of company systems, then monitor and identify when systems are used in ways that violate those definitions. Under the NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 framework, you should combine a clear acceptable use policy signed by users with technical detection—such as intrusion detection, antivirus alerts, firewall and network logs—to spot and act on unauthorized behavior.

Technical Implementation

  • Create and enforce an Acceptable Use Policy (AUP). The AUP must define permitted business activities, prohibited content (e.g., pornography, gambling, pirated software), and consequences for violations. Require every employee to sign the AUP on hire and after major updates, and store signed copies centrally.
  • Deploy endpoint protection with web/content controls. Use AV/EDR that includes web content filtering and behavior monitoring. Configure policies to block or flag access to disallowed categories and generate alerts when users attempt or succeed in accessing prohibited content.
  • Enable and centralize logs from IDS/IPS, firewall, and endpoints. Forward firewall, proxy, IDS, and antivirus alerts to a centralized log collector or lightweight SIEM (managed or open-source). Centralization makes it practical for SMBs to search, correlate, and retain logs for investigations and compliance.
  • Define detection rules and baseline behavior. Create simple, high-value alerts: repeated hits to blocked web categories, large outbound file transfers from a single workstation, unusual scanning or C2-like traffic, or AV quarantines. Establish baseline traffic per department so that deviations trigger investigations rather than false alarms.
  • Assign roles and review cadence. Designate who reviews alerts (system/network admin or outsourced MSP) and set a regular schedule—for example, daily review of high-priority alerts and weekly/monthly audits of lower-priority logs. Keep an escalation path to leadership and HR for confirmed policy violations.
  • Document incidents and remediate. For each identified unauthorized use, document the detection, investigation steps, remediation actions (e.g., remove access, clean device, disciplinary action), and lessons learned. Update detection rules and the AUP based on incident findings to reduce repeat occurrences.
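As an added illustration of the "define detection rules" step above (example code written for this guide, not a product's own rule engine), the following script applies two of the listed high-value rules to constructed proxy/firewall log lines: repeated hits to a blocked web category by one user, and a large total outbound transfer from one workstation. The key=value log format, field names and thresholds are assumptions; adapt them to whatever your firewall or SIEM actually emits.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines in an assumed key=value format (not from any real product).
SAMPLE_LOGS = """\
2026-01-06T08:01:10Z src=10.0.5.21 user=jdoe action=block category=filesharing bytes_out=0
2026-01-06T08:01:15Z src=10.0.5.21 user=jdoe action=block category=filesharing bytes_out=0
2026-01-06T08:02:40Z src=10.0.5.21 user=jdoe action=block category=filesharing bytes_out=0
2026-01-06T08:03:02Z src=10.0.5.21 user=jdoe action=allow category=business bytes_out=820000000
2026-01-06T08:05:00Z src=10.0.5.40 user=asmith action=allow category=business bytes_out=120000
2026-01-06T08:06:11Z src=10.0.5.40 user=asmith action=block category=gambling bytes_out=0
"""

LINE_RE = re.compile(r"src=(\S+) user=(\S+) action=(\S+) category=(\S+) bytes_out=(\d+)")


def parse(log_text):
    """Yield one event dict per well-formed log line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            src, user, action, category, bytes_out = m.groups()
            yield {"src": src, "user": user, "action": action,
                   "category": category, "bytes_out": int(bytes_out)}


def find_unauthorized_use(log_text, block_threshold=3, outbound_threshold=500_000_000):
    """Return alerts for repeated blocked-category hits per user and large outbound
    transfers per workstation. Thresholds are placeholders; tune them to your baseline."""
    blocked = Counter()            # (user, category) -> number of blocked attempts
    outbound = defaultdict(int)    # src address -> total bytes sent out
    for ev in parse(log_text):
        if ev["action"] == "block":
            blocked[(ev["user"], ev["category"])] += 1
        outbound[ev["src"]] += ev["bytes_out"]

    alerts = []
    for (user, category), n in blocked.items():
        if n >= block_threshold:
            alerts.append(("repeated_blocked_category", user, category, n))
    for src, total in outbound.items():
        if total >= outbound_threshold:
            alerts.append(("large_outbound_transfer", src, total))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in find_unauthorized_use(SAMPLE_LOGS):
        print(alert)
```

Each alert tuple is what the designated reviewer would triage daily; raising the thresholds per department is the simplest way to encode the per-department baseline the step describes.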

Example in a Small or Medium Business

Acme Tech, a 75-person engineering firm, created an IT acceptable use policy that clearly forbids non-business web browsing and downloading pirated media and required all staff to sign it. They deployed endpoint protection with web content filtering on every workstation and configured the corporate firewall to log denied connections and large transfers. Logs from the firewall and endpoints were forwarded to a managed cloud log service that the on-call system administrator reviews daily. One morning an alert flagged a workstation downloading large MP3 files to an unusual directory and repeatedly connecting to a known file-sharing domain. The system administrator isolated the workstation, captured forensic logs, and confirmed the user had violated the AUP by downloading pirated content. HR and IT met to review the documented violation, applied the agreed disciplinary steps, and restored the cleaned workstation to the network. As a result, Acme updated their detection rules to better catch similar behavior and added a short refresher training session for staff to reduce repeat incidents.

Summary

Combining a clearly written and signed acceptable use policy with practical technical controls—endpoint protection with content filtering, centralized logging from AV/firewall/IDS, defined detection rules, and assigned reviewers—lets an SMB reliably detect and act on unauthorized use of systems. Regular reviews, documented incident handling, and feedback to policy and rules close the loop so that detection becomes prevention and the organization stays aligned with the control's intent.
