Security Monitoring: Detect Attacks & Threats in Real-Time
Continuous monitoring of your network traffic is the frontline defense against cyber attacks. CMMC Level 2 control SI.L2-3.14.6 requires you to actively monitor inbound and outbound communications to identify threats before they breach your systems. This control transforms your network from passive to protective.
What this means
Security monitoring means deploying tools and processes to actively inspect all communications traffic entering and leaving your organization. You must detect both active attacks and indicators of potential compromise—such as suspicious IP addresses, unusual data exfiltration patterns, or malware signatures. This is not a one-time scan; it's continuous, ongoing surveillance of your network activity.
How to comply
- 1.Deploy network monitoring tools (SIEM, IDS/IPS, or equivalent) that capture and analyze inbound and outbound traffic
- 2.Configure alerts for known attack signatures, command-and-control communication patterns, and data exfiltration indicators
- 3.Establish a baseline of normal network behavior to identify anomalies quickly
- 4.Log all relevant traffic events with sufficient detail for forensic analysis
- 5.Define escalation procedures when potential attacks or indicators are detected
- 6.Review and analyze monitoring logs at least daily or more frequently based on risk
- 7.Document your monitoring capabilities, tools, and detection thresholds
- 8.Train personnel on how to respond when monitoring systems generate alerts
Evidence auditors look for
- Network monitoring tool configuration showing active monitoring of inbound/outbound traffic
- SIEM or IDS/IPS alert logs demonstrating detection of suspicious activity
- Documentation of monitoring tool capabilities and attack signatures configured
- Alert escalation procedures and response runbooks
- Daily/weekly monitoring review logs or summary reports
- Network baseline documentation used for anomaly detection
- Firewall and proxy logs showing traffic inspection
- Incident detection records showing identified potential attacks
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates the documentation and evidence collection for SI.L2-3.14.6 by connecting directly to your SIEM or IDS logs, capturing alert configurations and detection records in real-time—eliminating manual log aggregation and creating audit-ready compliance evidence automatically.
See how GRCWatch handles this control automatically
Start free trial