SI.L2-3.14.7 · NIST SP 800-171 3.14.7

Identify Unauthorized Use

Identify unauthorized use of organizational systems.

3 points if not met · Must be fully met, cannot POA&M · 2 assessment objectives

What an assessor scores, the objectives

SI.L2-3.14.7 is met only when every one of these 2 objectives, from NIST SP 800-171A, is satisfied. A single missed objective makes the whole requirement not met.

  • a. authorized use of the system is defined
  • b. unauthorized use of the system is identified

How a C3PAO checks it

NIST SP 800-171A defines three assessment methods. For SI.L2-3.14.7, an assessor uses these:

Examine

Continuous monitoring strategy; system and information integrity policy; procedures addressing system monitoring tools and techniques; facility diagram/layout; system security plan; system design documentation; system monitoring tools and techniques documentation; locations within system where monitoring devices are deployed; system configuration settings and associated documentation; other relevant documents or records

Interview

System or network administrators; personnel with information security responsibilities; personnel installing, configuring, and maintaining the system; personnel with responsibility for monitoring the system

Test

Organizational processes for system monitoring; mechanisms supporting or implementing system monitoring capability

What it means, in context

System monitoring includes external and internal monitoring. System monitoring can detect unauthorized use of organizational systems. System monitoring is an integral part of continuous monitoring and incident response programs. Monitoring is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Output from system monitoring serves as input to continuous monitoring and incident response programs. Unusual/unauthorized activities or conditions related to inbound and outbound communications traffic include internal traffic that indicates the presence of malicious code in systems or propagating among system components, the unauthorized exporting of information, or signaling to external systems. Evidence of malicious code is used to identify potentially compromised systems or system components. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other requirements. NIST SP 800-94 provides guidance on intrusion detection and prevention systems.

Define authorized use of your systems. Create an acceptable use policy to establish the baseline for how users access devices, internal network services, and the internet. Define authorized use by specific roles such as user, administrator, and technician. After authorized use is defined, identify unauthorized use of systems. Monitor systems by observing audit activities from the system logs. This can be accomplished in real time using automated solutions or by manual means. To identify unauthorized use, leverage existing tools and techniques, such as:

  • intrusion detection systems;
  • intrusion prevention systems;
  • malicious code protection software;
  • scanning tools;
  • audit record monitoring software; and
  • network monitoring software.

This requirement, SI.L2-3.14.7, which deals with identifying unauthorized use of organizational systems, is related to requirements AC.L2-3.1.1, AU.L2-3.3.1, IA.L2-3.5.1, and IA.L2-3.5.2. All of these requirements help create the building blocks that support SI.L2-3.14.7.

Example 1

You are in charge of IT operations. You need to ensure that everyone using an organizational system is authorized to do so and conforms to the written authorized use policy. To do this, you deploy an application that monitors user activity and records the information for later analysis. You review the data from this application for signs of activity that does not conform to the acceptable use policy [a,b].

Example 2

You are alerted through your Intrusion Detection System (IDS) that one of your users is connecting to a server that is from a high-risk domain (based on your commercial domain reputation service). You investigate and determine that it’s not the user, but instead an unauthorized connection attempt [b]. You add the domain to your list of blocked domains to prevent connections in the future.

Potential Assessment Considerations

  • Is authorized use of systems defined (e.g., data types permitted for storage or processing, personnel authorized to access, times or days of permitted use, permitted software) [a]?
  • Is unauthorized use of systems defined (e.g., not authorized to use systems for bitcoin mining, not authorized for pornographic content, not authorized to access gambling games/content) [b]?

What passing evidence looks like

Unauthorized use gets identified: the definition of what unauthorized use looks like in your shop (odd-hours admin sign-ins, impossible travel, mass downloads) and the alert or review that would catch it.
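The two objectives are easiest to evidence together: a written definition of authorized use per role [a], and a check that runs audit records against that definition and reports deviations [b]. The script below is an added illustration, not code from the CMMC Assessment Guide, NIST, or the Accelerator product described on this page. The roles, permitted hours and countries, thresholds, user names and log lines are all constructed; the log format is a made-up one-line-per-event layout standing in for whatever your sign-in and file-access logs actually emit. It implements the three signals named above (odd-hours admin sign-in, impossible travel, mass download) plus a sign-in from a country the policy does not permit.

```python
"""Identify unauthorized use by comparing audit events against a written
definition of authorized use. Added example; policy values, users, thresholds
and log lines below are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta


# Objective [a]: authorized use is defined, here per role (constructed values).
@dataclass(frozen=True)
class AuthorizedUse:
    role: str
    hours_utc: tuple            # (start, end): sign-ins permitted when start <= hour < end
    countries: frozenset        # sign-in source countries permitted for this role
    max_downloads_per_hour: int # more than this in one clock hour counts as mass download


POLICY = {
    "user":          AuthorizedUse("user",          (6, 20), frozenset({"US"}), 50),
    "administrator": AuthorizedUse("administrator", (7, 19), frozenset({"US"}), 20),
    "technician":    AuthorizedUse("technician",    (0, 24), frozenset({"US"}), 100),
}
ROLES = {"alice": "user", "bob": "administrator", "carol": "technician"}   # constructed
TRAVEL_WINDOW = timedelta(minutes=60)  # two countries within this window = impossible travel

# Constructed audit lines: "<ISO timestamp UTC> <user> <event> country=<CC>".
# alice signs in from US then DE 15 minutes apart, bob (admin) signs in at 02:30,
# and alice then pulls 59 files inside the 10:00 hour.
SAMPLE_LOG = (
    "2024-03-04T09:05:00 alice signin country=US\n"
    "2024-03-04T09:20:00 alice signin country=DE\n"
    "2024-03-04T02:30:00 bob signin country=US\n"
    "2024-03-04T10:00:00 carol signin country=US\n"
    + "".join(f"2024-03-04T10:{m:02d}:00 alice download country=US\n" for m in range(1, 60))
)


@dataclass
class Event:
    ts: datetime
    user: str
    action: str
    country: str


def parse(log: str) -> list:
    """Parse the constructed log format into Events, oldest first."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, action, kv = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, action, kv.split("=", 1)[1]))
    return sorted(events, key=lambda e: e.ts)


def identify_unauthorized_use(events, policy=POLICY, roles=ROLES):
    """Objective [b]: return (user, finding) pairs for activity outside the definition."""
    findings = []
    last_signin = {}   # user -> (timestamp, country) of the previous sign-in
    downloads = {}     # (user, clock hour) -> download count so far
    for e in events:
        rule = policy[roles[e.user]]
        if e.action == "signin":
            start, end = rule.hours_utc
            if not (start <= e.ts.hour < end):
                findings.append((e.user, f"sign-in outside permitted hours "
                                         f"{start:02d}-{end:02d} UTC at {e.ts.isoformat()}"))
            if e.country not in rule.countries:
                findings.append((e.user, f"sign-in from non-permitted country {e.country}"))
            prev = last_signin.get(e.user)
            if prev and prev[1] != e.country and e.ts - prev[0] <= TRAVEL_WINDOW:
                findings.append((e.user, f"impossible travel {prev[1]}->{e.country} "
                                         f"within {TRAVEL_WINDOW}"))
            last_signin[e.user] = (e.ts, e.country)
        elif e.action == "download":
            key = (e.user, e.ts.replace(minute=0, second=0, microsecond=0))
            downloads[key] = downloads.get(key, 0) + 1
            # Report once per user and hour, the first time the threshold is crossed.
            if downloads[key] == rule.max_downloads_per_hour + 1:
                findings.append((e.user, f"mass download: more than {rule.max_downloads_per_hour} "
                                         f"downloads in hour starting {key[1].isoformat()}"))
    return findings


if __name__ == "__main__":
    for user, finding in identify_unauthorized_use(parse(SAMPLE_LOG)):
        print(f"{user}: {finding}")
```

Run stand-alone it reports four findings: bob's 02:30 administrator sign-in, alice's sign-in from DE, the US-to-DE pair 15 minutes apart, and alice's 51st download inside the 10:00 hour. For evidence purposes, the `POLICY` table (or its equivalent in your acceptable use policy) is what an assessor reads for [a], and the findings output, or the ticket it raised, is what they read for [b]; the check is deliberately one-shot per hour window so a single incident produces one finding rather than fifty.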

Common ways contractors fail SI.L2-3.14.7

  • Objective [a] wants authorized use DEFINED so unauthorized use is detectable. One paragraph defining normal (who signs in, from where, when) turns your existing sign-in monitoring into this requirement's answer.

The step by step walkthrough for Microsoft 365 GCC High, Google Workspace, and on premises setups, plus the exact evidence to capture, lives inside the Level 2 Accelerator.

Prove SI.L2-3.14.7, and the other 109

The Level 2 Accelerator walks all 110 requirements with you, generates your SSP, POA&M, and Audit Room from real evidence, includes the full Level 1 platform, and puts a credentialed officer alongside you for 180 days. Filed in 180 days, or we work free until you are.

No credit card. Phase 2 begins Nov 10, 2026, when applicable DoD solicitations start requiring a current Level 2 status to win the award.

SI.L2-3.14.7 questions, answered

How many points is CMMC requirement SI.L2-3.14.7 worth?

SI.L2-3.14.7 is worth 3 points in the CMMC Level 2 score under 32 CFR 170.24. If it is not met, you lose 3 from your total of 110.

Can SI.L2-3.14.7 be placed on a POA&M?

No. SI.L2-3.14.7 must be fully met before you can file. It cannot be deferred to a POA&M, so it is a gate on your assessment.

What family does SI.L2-3.14.7 belong to?

SI.L2-3.14.7 is in the System & Information Integrity (SI) family, one of the 14 families of NIST SP 800-171 that make up CMMC Level 2.

Key references
  • NIST SP 800-171 Rev. 2 3.14.7