SI.L2-3.14.7  

Reference: CMMC 2.11

Family: SI

Level Introduced: 2

Title: Identify Unauthorized Use

Practice:
Identify unauthorized use of organizational systems.

CMMC Clarification:
Organizations should define authorized use of their systems. First, have an acceptable-use policy for your system. This policy establishes the baseline for how users access devices and the internet. You define authorized use by specific roles within the organization. Examples of these roles include user, administrator, and technician. After you define authorized use, identify unauthorized use of systems.

Organizations can monitor systems by observing audit activities. You can do this in real time or by other manual means, such as access patterns. To identify unauthorized use, leverage existing tools and techniques, such as:
• intrusion detection systems;
• intrusion prevention systems;
• malicious code protection software;
• scanning tools;
• audit record monitoring software; and
• network monitoring software.

Example
You are in charge of IT operations at your organization. You want to make sure everyone using an organizational system is authorized to do so. You accomplish this as part of your monitoring activities. These activities ensure that all users meet the defined authorize-use policy. To do this, you put in place a user activity monitoring application. This app monitors all the users and their connections to your network. It records information about every connection on your network. You use the outputs of this application to confirm that you are meeting the authorization policy.

Source: CMMC v2.0