Monitoring network traffic reveals attacks and unauthorized access. SI.L2-3.14.6 requires that you monitor inbound and outbound communications. The assessor will verify you have monitoring in place and that you are actively reviewing it. Network monitoring data feeds into AU.L2-3.3.1 (audit logging), supports IR.L2-3.6.1 (incident response), and helps achieve the baseline controls in CM.L2-3.4.1.
What the assessor is actually evaluating
The assessor will check:
Monitoring tool deployment: A SIEM, web proxy, IDS/IPS, or similar tool should be collecting network logs.
Active monitoring and review: Logs are being collected and reviewed. The organization has defined thresholds or rules for suspicious activity.
Response to findings: When monitoring detects suspicious activity, someone investigates and documents the finding.
What a realistic SSP definition looks like
Policy: “The organization monitors all inbound and outbound communications. A SIEM platform collects logs from firewalls, proxies, and systems. Security analysts review SIEM dashboards daily. Alerts are generated for suspicious activity and investigated.”
Supporting details:
- SIEM tool: Splunk or Azure Sentinel collecting logs from firewall, web proxy, and systems.
- Monitoring scope: All internet traffic, VPN connections, and inter-system communications.
- Review frequency: Daily dashboard review by security team. Real-time alerts for critical events.
- Alerting: Rules configured for suspicious patterns (e.g., multiple failed logins, data exfiltration attempts, malware signatures).
- Response: Alerts are logged in a ticket system. Investigations are documented.
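The alerting bullet above names three suspicious patterns (repeated failed logins, connections to known malicious addresses, and unusually large outbound transfers). To make concrete what an assessor means by "rules configured for suspicious patterns", here is an added example, not taken from the guide or from any SIEM vendor, that applies those three rules to a handful of constructed log lines. The key=value log format, the threshold values, and the "known bad" IP list are all assumptions chosen for the demonstration; in practice the equivalent rules would live as saved searches or analytics rules inside Splunk or Sentinel, and the SSP would cite the organization's own thresholds.

```python
"""
Added example (not from the original guide): a minimal alert engine that
applies three of the suspicious-pattern rules an SSP typically lists to a
batch of constructed log lines. The log format, thresholds and the
"known malicious IP" list are assumptions made for this demo.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs in a simplified "timestamp key=value ..." format
# (assumed for the demo; not a real firewall, proxy or Splunk format).
SAMPLE_LOGS = """\
2024-05-01T08:00:01 type=auth result=fail src=203.0.113.5 user=jsmith
2024-05-01T08:00:09 type=auth result=fail src=203.0.113.5 user=jsmith
2024-05-01T08:00:15 type=auth result=fail src=203.0.113.5 user=jsmith
2024-05-01T08:00:22 type=auth result=fail src=203.0.113.5 user=jsmith
2024-05-01T08:00:30 type=auth result=fail src=203.0.113.5 user=jsmith
2024-05-01T08:05:00 type=auth result=success src=10.0.0.8 user=alee
2024-05-01T09:10:00 type=conn src=10.0.0.8 dst=198.51.100.77 bytes_out=4096
2024-05-01T11:30:00 type=conn src=10.0.0.12 dst=192.0.2.200 bytes_out=900000000
2024-05-01T11:45:00 type=auth result=fail src=10.0.0.8 user=alee
"""

# Assumed threat-intel list (RFC 5737 documentation addresses, constructed).
KNOWN_BAD_IPS = {"198.51.100.77"}

# Assumed thresholds; a real SSP states the organization's own values.
FAILED_LOGIN_THRESHOLD = 5
FAILED_LOGIN_WINDOW = timedelta(minutes=5)
EXFIL_BYTES_THRESHOLD = 500_000_000  # 500 MB outbound in a single connection


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict."""
    ts, _, rest = line.partition(" ")
    event = {"ts": datetime.fromisoformat(ts)}
    for token in rest.split():
        key, _, value = token.partition("=")
        event[key] = value
    return event


def parse_logs(text):
    """Parse a multi-line log batch, skipping blank lines."""
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def detect_failed_logins(events):
    """Alert once per source IP that produces >= threshold failures inside the window."""
    alerts = []
    by_src = defaultdict(list)
    for e in events:
        if e.get("type") == "auth" and e.get("result") == "fail":
            by_src[e["src"]].append(e["ts"])
    for src, times in by_src.items():
        times.sort()
        start = 0  # sliding window over the sorted timestamps
        for end in range(len(times)):
            while times[end] - times[start] > FAILED_LOGIN_WINDOW:
                start += 1
            if end - start + 1 >= FAILED_LOGIN_THRESHOLD:
                alerts.append(("failed_logins", src))
                break
    return alerts


def detect_bad_ip_connections(events):
    """Alert on any connection whose destination is on the bad-IP list."""
    return [("known_bad_ip", e["dst"]) for e in events
            if e.get("type") == "conn" and e.get("dst") in KNOWN_BAD_IPS]


def detect_large_transfers(events):
    """Alert on a single connection that sends more than the outbound byte threshold."""
    return [("large_transfer", e["src"]) for e in events
            if e.get("type") == "conn"
            and int(e.get("bytes_out", 0)) >= EXFIL_BYTES_THRESHOLD]


def run_rules(text):
    """Run every rule over a log batch and return the combined alert list."""
    events = parse_logs(text)
    return (detect_failed_logins(events)
            + detect_bad_ip_connections(events)
            + detect_large_transfers(events))


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_LOGS):
        print(alert)
```

Running it on the constructed batch produces one alert per rule: the five failures from 203.0.113.5 inside 30 seconds, the connection to the listed address, and the 900 MB outbound transfer; the single failure from 10.0.0.8 stays below the threshold and is not alerted. Each alert tuple is the kind of record that would be written to the ticket system the Response bullet describes, which is what the assessor will ask to see next.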
How to present your evidence
- Monitoring policy document with tools, scope, and response procedures
- SIEM or monitoring tool configuration and dashboard access
- Network logs from past 30 days showing collected traffic and events
- Alert rules configured for suspicious patterns and thresholds
- Incident response records showing investigation of recent alerts
Keep answers short. Show the evidence, don't describe it. Let the assessor drive. For more on how to present in the assessment room, see How to Present Evidence in the Assessment Room.
Assessor: “How do you monitor your network communications?”
You: “We use Splunk as our SIEM. It collects logs from the firewall, proxy, and systems. We review dashboards daily and investigate alerts.” [Pull up monitoring policy and SIEM dashboard]
Assessor: “Show me the logs from the past week.”
You: [Pull up SIEM showing network traffic, logins, file access, etc. from the past 7 days. Display volume and types of activity]
Assessor: “What kinds of events do you alert on?”
You: “Multiple failed logins, connections to known malicious IPs, unusual data transfers, and malware signatures.” [Show alert rules in SIEM]
Assessor: “Have any alerts been triggered recently?”
You: “Yes. Two failed login attempts last week triggered an alert. We reviewed the logs and determined they were from an external user with an incorrect password. No further action was needed, but we documented it.” [Show the alert and investigation ticket]
Common failures
No monitoring tool or logs: Network communications are not being monitored at all. The organization has no visibility into traffic.
Monitoring tool exists but is not reviewed: SIEM or proxy logs are collected but no one actively reviews them. Logs sit dormant.
No alert configuration: Logs are collected but there are no rules for suspicious activity. Any detection depends on someone noticing manually, so it is inconsistent.
Alerts are not investigated: Alerts are generated but not reviewed or responded to. Suspicious activity goes undetected.
What passing looks like
Active SIEM or monitoring platform: Logs are collected from multiple sources. Dashboards are reviewed daily. Alerts are configured for suspicious patterns.
Documented response to findings: Incident tickets show investigations of alerts and actions taken.
If you use an MSP/MSSP
If your MSSP provides SIEM or monitoring services, request access to the SIEM dashboards. Ensure the MSSP is reviewing logs daily and escalating alerts to you. Verify that monitoring covers your in-scope systems and communications. Request weekly or monthly summary reports of monitoring activities and incidents.
This guide is for reference only and does not replace official CMMC documentation or professional compliance advice.